On Thu, 2009-04-23 at 13:03 -0700, Chandrasekar Kannan wrote:
On Thu, 2009-04-23 at 11:35 -0700, Fortunato wrote:
> Thanks to all for your help so far. :)
>
> Lately I've been trying to request the CA cert using sscep and using the RA cgi
url:
>
> http://<fqdn>:12888/ee/scep/pkiclient.cgi
>
> I get the following error message:
>
> ./sscep: cannot find data from http reply
>
> It looks like I have to make the CA cert available ...somewhere, but can't find
any relevant places in the web gui or the documentation. Any ideas?
>
> Additionally all the examples for retrieving the CA are for:
>
> http://<fqdn>:9180/ca/cgi.bin
>
> I'm assuming this is the direct request to the CA. If it's easier to get it
from the CA, I'll give that a try too, but that is generating the errors:
>
> ./sscep: wrong (or missing) MIME content type
> ./sscep: error while sending message
>
> which looks even more hopeless.
>
> Any help is appreciated.
Here's a perl module that we use for simple scep testing.
I'll try to dig out the url and pin for a sample soon.
Below are some sample results from it; they might be useful for you.
##########################################################################
scep3 : [2007:5:9 12:44:7] : command = rsh
tank.dsdev.sjc.redhat.com -l
root /bin/rm -f local.csr
local.key ca.crt cert.crt
scep3 : [2007:5:9 12:44:7] : result =
scep3 : [2007:5:9 12:44:7] : ########################################################
scep3 : [2007:5:9 12:44:7] : command = rsh
tank.dsdev.sjc.redhat.com -l root
/usr/bin/mkrequest
-ip 10.14.1.89 netscape
Generating RSA private key, 1024 bit long modulus
..............++++++
...........++++++
e is 65537 (0x10001)
scep3 : [2007:5:9 12:44:7] : result =
scep3 : [2007:5:9 12:44:7] : ########################################################
scep3 : [2007:5:9 12:44:7] : command = rsh
tank.dsdev.sjc.redhat.com -l root
/usr/bin/sscep getca
-c ca.crt -u
http://tank:9007/ca/cgi-bin/pkiclient.exe
scep3 : [2007:5:9 12:44:8] : result = /usr/bin/sscep: requesting CA certificate
/usr/bin/sscep: valid response from server
/usr/bin/sscep: MD5 fingerprint: AC:B6:11:DF:97:8C:E5:77:E2:A8:21:EE:A0:C5:76:D5
/usr/bin/sscep: CA certificate written as ca.crt
scep3 : [2007:5:9 12:44:8] : ########################################################
scep3 : [2007:5:9 12:44:8] : command = rsh
tank.dsdev.sjc.redhat.com -l root
/usr/bin/sscep enroll
-c ca.crt -k local.key -r local.csr -l cert.crt -u
http://tank:9007/ca/cgi-bin/pkiclient.exe
scep3 : [2007:5:9 12:44:9] : result = /usr/bin/sscep: sending certificate request
/usr/bin/sscep: valid response from server
/usr/bin/sscep: pkistatus: SUCCESS
/usr/bin/sscep: certificate written as cert.crt
scep3 : [2007:5:9 12:44:9] : ########################################################
scep3 : [2007:5:9 12:44:9] : TestCaseResult scep3 PASS
##########################################################################
######################################################################
# This perl module serves as a perl interface for the RHCS
# SCEP - Enrollment
######################################################################
package scep_enroll;

# Plain Exporter setup: callers get scep_do_enroll_with_sscep by default.
require Exporter;
our @ISA    = qw(Exporter);
our @EXPORT = qw(scep_do_enroll_with_sscep);
######################################################################
use strict;
use baserc;
use baselib;
use applib;
#use Net::Telnet::Cisco;
######################################################################
#sub scep_do_enroll
#{
# my ($scep_enroll_pin,$scep_enroll_url) = @_;
#
# # scep_host/password are hardcoded here.
# my $scep_host = "scep.dsdev.sjc.redhat.com";
# my $scep_host_ip = "10.14.1.94";
# my $scep_password = "netscape";
# my $scep_ethernet = "Ethernet0/0";
#
# my $session = Net::Telnet::Cisco->new(Host => "$scep_host" );
# $session->login('', "$scep_password");
# $session->ignore_warnings("1");
#
# # Execute a command
# &message_ts;
# my @output = $session->cmd('show version');
# log_entry(@output);
#
# # Enable mode
# if ($session->enable("$scep_password") )
# {
# @output = $session->cmd('show privilege');
# log_entry("My privileges: @output\n");
# }
# else
# {
# log_entry("Can't enable: " . "$session->errmsg");
# }
#
# # enter conf t mode
# log_entry("Executing command = conf t\n");
# @output = $session->cmd("conf t");
# log_entry("result =@output \n");
#
# # perform crypto cleanup first
# log_entry("Executing command = crypto key zeroize rsa \n");
# @output = $session->cmd("crypto key zeroize rsa\nyes");
# log_entry("result = @output\n");
#
# log_entry("Executing command = no crypto ca identity CA\n");
# @output = $session->cmd("no crypto ca identity CA\nyes");
# log_entry("result = @output\n");
#
# # setup CA identity
# log_entry("Executing command = crypto ca identity CA\n");
# @output = $session->cmd("crypto ca identity CA");
# log_entry("result = @output\n");
#
# log_entry("Executing command = enrollment url $scep_enroll_url \n");
# @output = $session->cmd("enrollment url $scep_enroll_url ");
# log_entry("result = @output\n");
#
# log_entry("Executing command = crl optional\n");
# @output = $session->cmd("crl optional");
# log_entry("result = @output\n");
#
# log_entry("Executing command = exit \n");
# @output = $session->cmd("exit");
# log_entry("result = @output\n");
#
# # authenticate CA
# log_entry("Executing command = crypto ca authenticate CA\n");
# @output = $session->cmd("crypto ca authenticate CA\nyes");
# log_entry("result = @output\n");
#
# log_entry("Executing command = crypto key generate rsa\n");
# @output = $session->cmd("crypto key generate rsa\n512");
# log_entry("result = @output\n");
# sleep(60);
#
# log_entry("Executing command = crypto ca enroll CA \n");
# @output = $session->cmd("crypto ca enroll CA\n$scep_enroll_pin\n
$scep_enroll_pin\nyes\nyes\n$scep_ethernet\nyes");
# log_entry("result = @output\n");
#
# log_entry("Executing command = exit \n");
# @output = $session->cmd("exit");
# log_entry("result = @output\n");
#
# log_entry("Executing command = show crypto CA certificate\nq\n");
# @output = $session->cmd("show crypto CA certificate\nq\n");
# log_entry("result = @output\n");
#
# foreach(@output)
# {
# if( /$scep_host/ || /Key Usage: General Purpose/ )
# {
# return 0;
# }
# }
#
#
##########################################################################
# # close the session object
# $session->close;
#
# return 1;
#}
######################################################################
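sub scep_do_enroll_with_sscep
{
    # Enroll a certificate through the Simple SCEP client (sscep) that is
    # installed on $scep_host.  This is the alternative for setups that do
    # not have the router used by the (commented-out) scep_do_enroll above.
    # Every step is run over rsh as $uid, and its command line and output
    # go through log_entry(), matching the sample transcript above.
    #
    # Args:    $scep_enroll_pin - one-time enrollment PIN handed to mkrequest
    #          $scep_enroll_url - SCEP URL given to 'sscep getca' / 'sscep enroll'
    # Returns: 0 when the enrollment output reports success, 1 otherwise.
    my ($scep_enroll_pin, $scep_enroll_url) = @_;

    # scep_host/uid are hardcoded here.
    my $scep_host = "tank.dsdev.sjc.redhat.com";
    my $uid       = "root";
    my $ipaddress = os_getip();

    # Files the steps below create in $uid's home directory on $scep_host.
    my @work_files = qw(local.csr local.key ca.crt cert.crt);

    # clean up
    _scep_run_remote($scep_host, $uid, '/bin/rm', '-f', @work_files);

    # generate a key and request.  NOTE: the PIN ends up in the log as part
    # of the logged command line, exactly as in the sample transcript.
    _scep_run_remote($scep_host, $uid,
        '/usr/bin/mkrequest', '-ip', $ipaddress, $scep_enroll_pin);

    # get ca cert
    _scep_run_remote($scep_host, $uid,
        '/usr/bin/sscep', 'getca', '-c', 'ca.crt', '-u', $scep_enroll_url);

    # submit enrollment request
    my @output = _scep_run_remote($scep_host, $uid,
        '/usr/bin/sscep', 'enroll',
        '-c', 'ca.crt', '-k', 'local.key', '-r', 'local.csr', '-l', 'cert.crt',
        '-u', $scep_enroll_url);

    # parse for success
    log_entry("########################################################\n");
    for my $line (@output) {
        return 0 if $line =~ /pkistatus: SUCCESS/ || $line =~ /certificate written as/;
    }

    # failure (no sscep success line, or rsh could not be started)
    return 1;
}

######################################################################
sub _scep_run_remote
{
    # Run one command on $host as $uid over rsh, logging the separator,
    # the command line and the captured stdout the way the transcript
    # above shows.  The list form of open is used so the local shell never
    # interprets the arguments (the original backticks interpolated the
    # PIN and URL into a shell command line).  rsh itself still joins the
    # arguments into a single string for the remote shell, so the PIN and
    # URL should be validated by the caller before they get here.
    #
    # Args:    $host, $uid - rsh target and login
    #          @cmd        - program and arguments to run remotely
    # Returns: the captured stdout lines; an empty list if rsh could not
    #          be started.
    my ($host, $uid, @cmd) = @_;
    my @rsh = ('rsh', $host, '-l', $uid, @cmd);

    log_entry("########################################################\n");
    log_entry("command = @rsh\n");

    my @output;
    if (open my $fh, '-|', @rsh) {
        @output = <$fh>;
        # close sets $? to rsh's exit status; sscep failures are also
        # visible in @output, which the caller parses.
        close $fh;
        log_entry("rsh exit status = " . ($? >> 8) . "\n") if $?;
    }
    else {
        log_entry("result = could not start rsh: $!\n");
        return ();
    }

    log_entry("result = @output\n");
    return @output;
}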
#########################################################################
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chandrasekar Kannan -- ckannan(a)redhat.com
Quality Engineering --
http://www.redhat.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~