Hi Trevor,
I'll need a bit of clarification and some info...
On 01/31/2018 10:52 AM, Trevor Vaughan wrote:
> Hi All,
>
> I've hit a bit of a roadblock with debugging SCEP enrollment from
> certmonger to Dogtag and I'm hoping that someone can help.
>
> I am attempting to register with a subordinate CA that has a KRA set
> up and will successfully sign certificate requests from certmonger.
>
> Unfortunately, there is an issue with receiving the signed certificate
> and I've been unable to figure out how to successfully debug the issue.

So, the scep client has an issue receiving the scep response from the
server? And you have determined that the response is indeed a signed
certificate (like, not error response)?

> The error that is returned is "Error: failed to verify signature on
> server response." and is triggered from
> https://pagure.io/certmonger/blob/master/f/src/pkcs7.c#_1065.

Is your scep client trusting the subordinate ca's scep signing cert?

> I've tried dumping the p7 data but, from what I can tell, the response
> is empty in that block of code and I'm not quite sure where to go from
> there.

Wait, so the received response is empty?
If the scep response from the subCA is not empty, could you show the
Base64 encoded response and maybe I can take a look?
Also, if you could attach the relevant portion of the sub-CA's debug log it
might be helpful.

> Any assistance is appreciated.
>
> Thanks,
>
> Trevor
>
> --
> Trevor Vaughan
> Vice President, Onyx Point, Inc
> (410) 541-6699 x788
>
> -- This account not approved for unencrypted proprietary information --