Re: [Pki-devel] Issues with certmonger SCEP enrollment with Dogtag

Hi Trevor, I'll need a bit of clarification and some info... On 01/31/2018 10:52 AM, Trevor Vaughan wrote: Hi All, I've hit a bit of a roadblock with debugging SCEP enrollment from certmonger to Dogtag and I'm hoping that someone can help. I am attempting to register with a subordinate CA that has a KRA set up and will successfully sign certificate requests from certmonger. Unfortunately, there is an issue with receiving the signed certificate and I've been unable to figure out how to successfully debug the issue. So, the scep client has issue receiving the scep response from the server? And you have determined that the response is indeed a signed certificate (like, not error response)? The error that is returned is "Error: failed to verify signature on server response." and is triggered from https://pagure.io/certmonger/ blob/master/f/src/pkcs7.c#_1065. Is your scep client trusting the subordinate ca's scep signing cert? I've tried dumping the p7 data but, from what I can tell, the response is empty in that block of code and I'm not quite sure where to go from there. Wait, so the received response is empty? If the scep response from the subCA is not empty, could you show the Base64 encoded response and maybe I can take a look? Also, if you could attach relevant portion of the sub-CA's debug log it might be helpful. Any assistance is appreciated. Thanks, Trevor -- Trevor Vaughan Vice President, Onyx Point, Inc (410) 541-6699 x788 <(410)%20541-6699> -- This account not approved for unencrypted proprietary information -- _______________________________________________ Pki-devel mailing listPki-devel@redhat.comhttps://www.redhat.com/mailman/listinfo/pki-devel _______________________________________________ Pki-devel mailing list Pki-devel(a)redhat.com https://www.redhat.com/mailman/listinfo/pki-devel