Hello PKI users!
I am looking to use Dogtag for my org as the full PKI solution. Initially, Ill be using it for certificate issuance for an EAP-TLS rollout.
In the beginning to get certificates issued throughout the org, I would like utilize the SCEP server across multiple devices including Mac OS, iOS, Linux, Windows, Chromebooks.
So far, I have tested with the
sscep utility on linux and with Mac OS through the mobileconfig xml configuration. Using
sscep works great on linux, however any testing from Mac OS resides in a 500 from the server declaring that the request could not be decoded. I initially thought the requests were using the wrong CA, however intentionally using a wrong CA with the
sscep utility shows a completely different response in the logs.
Here is an excerpt from the
ca/debug log for a failed request:
==> ca/debug <==
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: operation=GetCACert
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: message=CAIdentifier
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: handleGetCACert message=CAIdentifier
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: handleGetCACert selected chain=0
[31/Aug/2017:14:20:38][http-bio-8080-exec-5]: Output certificate chain:
30 82 03 a9 30 82 02 91 a0 03 02 01 02 02 01 01
30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30
44 31 21 30 1f 06 03 55 04 0a 0c 18 77 61 72 62
79 2e 69 6f 20 53 65 63 75 72 69 74 79 20 44 6f
6d 61 69 6e 31 1f 30 1d 06 03 55 04 03 0c 16 43
41 20 53 69 67 6e 69 6e 67 20 43 65 72 74 69 66
69 63 61 74 65 30 1e 17 0d 31 37 30 38 32 39 31
35 32 38 30 36 5a 17 0d 33 37 30 38 32 39 31 35
32 38 30 36 5a 30 44 31 21 30 1f 06 03 55 04 0a
0c 18 77 61 72 62 79 2e 69 6f 20 53 65 63 75 72
69 74 79 20 44 6f 6d 61 69 6e 31 1f 30 1d 06 03
55 04 03 0c 16 43 41 20 53 69 67 6e 69 6e 67 20
43 65 72 74 69 66 69 63 61 74 65 30 82 01 22 30
0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82
01 0f 00 30 82 01 0a 02 82 01 01 00 a6 07 b9 27
e5 fd a9 47 e6 d9 f3 01 6f 28 62 9b 4d 9c 8c 21
40 bf 4e 0c 99 ca c7 9d e7 88 ae c9 30 13 f9 1c
34 b4 6e 9d 0b 7a 78 d5 0c ae 10 be 4a cd 1d 33
d1 3d e7 c2 a9 22 ee d0 03 35 b9 8d c8 c8 17 4d
6a 4d 79 65 5b 7a 5b 82 7c d1 51 d5 45 be 7c d9
a7 70 98 fe 80 55 a7 5e 98 2b 7f a3 f3 02 67 9c
43 97 7d 8f fa dc 37 83 bc 6a 08 fc 70 7b f4 c9
bd 8c 41 e8 bd 4a ee 75 1e aa 45 41 2f 10 87 57
08 e8 16 e3 b2 4c 1f 43 58 d9 ad 52 8b 4f fe 72
4f 87 87 08 de 37 a1 c2 6e 9a e4 a8 49 a6 74 46
0b 3b 68 1d 06 f5 ed 09 6a dd 9a 49 6a b5 92 3a
e6 24 26 25 73 ac ff 8b 72 46 e6 1a 0e dd 0b 41
d3 5d 09 df 55 b5 46 99 73 9f 6c 0f de 91 4f fc
58 3e dd 11 2d 76 73 e2 fa 1a ed b7 cd b3 17 66
7a 0e c3 3d be b1 f2 b5 61 47 f3 32 68 00 c1 2f
92 86 b5 0d 4c e2 c6 b0 57 35 42 2b 02 03 01 00
01 a3 81 a5 30 81 a2 30 1f 06 03 55 1d 23 04 18
30 16 80 14 14 ea b1 73 42 97 87 7a a2 ef 2f 1e
04 c3 18 14 32 82 5b a1 30 0f 06 03 55 1d 13 01
01 ff 04 05 30 03 01 01 ff 30 0e 06 03 55 1d 0f
01 01 ff 04 04 03 02 01 c6 30 1d 06 03 55 1d 0e
04 16 04 14 14 ea b1 73 42 97 87 7a a2 ef 2f 1e
04 c3 18 14 32 82 5b a1 30 3f 06 08 2b 06 01 05
05 07 01 01 04 33 30 31 30 2f 06 08 2b 06 01 05
05 07 30 01 86 23 68 74 74 70 3a 2f 2f 64 6f 67
74 61 67 2e 77 61 72 62 79 2e 69 6f 3a 38 30 38
30 2f 63 61 2f 6f 63 73 70 30 0d 06 09 2a 86 48
86 f7 0d 01 01 0b 05 00 03 82 01 01 00 37 fb 44
f8 0f 63 ab a6 7f 17 c5 0e 15 1f 0a 78 fa 58 72
c2 63 6f de cb 4f 5a ce b7 95 1b 65 9f e4 fe 61
d3 0b e6 51 92 cb f8 f1 8f 9c 9c ab 0c 7c 3e 9f
cd 80 c5 52 f2 d1 36 09 2c e3 cc a5 45 f3 47 71
62 0d 46 b5 df 3f a2 0e f8 35 7d 13 5a b3 ca a6
60 d1 4a 07 14 41 dd 8c b2 0b c8 c4 aa ab 50 6c
69 78 70 59 a6 00 7c 2f ce a0 d6 be 66 58 36 cf
81 18 92 db af 75 a9 63 8b 8a 84 db a5 8d d3 77
e0 78 bb 80 b4 a6 94 93 89 f0 95 00 18 d7 bf 2b
f6 a5 92 d1 d3 f1 83 cb f3 7f fb 31 f1 d0 1c 96
16 11 71 c4 07 16 f8 d1 19 af bd e3 6f a9 e4 06
ba 1d 8f 29 75 57 3f c5 c9 e4 b6 3b 08 4c 19 07
99 b3 50 e1 e0 d1 1a e6 d1 94 ab 27 00 82 c7 4a
c2 11 31 dd 83 48 23 c1 7e fa f9 b9 61 7e fb 3c
b0 26 45 fd ff e8 bb b6 c1 fc 9a fb 9f dd 24 e2
b3 9f 6a 64 25 62 c3 b2 bb 8b 47 98 95
[31/Aug/2017:14:20:39][http-bio-8080-exec-6]: operation=PKIOperation
[31/Aug/2017:14:20:39][http-bio-8080-exec-6]: message=MIIIfgYJKoZIhvcNAQcCoIIIbzCCCGsCAQExCzAJBgUrDgMCGgUAMIIDTwYJKoZIhvcNAQcBoIIDQASCAzwwggM4BgkqhkiG9w0BBwOgggMpMIIDJQIBADGCAWUwggFhAgEAMEkwRDEhMB8GA1UECgwYd2FyYnkuaW8gU2VjdXJpdHkgRG9tYWluMR8wHQYDVQQDDBZDQSBTaWduaW5nIENlcnRpZmljYXRlAgEBMA0GCSqGSIb3DQEBAQUABIIBAJajcdeb6TpsXF4gDJwVVwOyHROBXT0TcbBUSKbqIYXaRRH2koYfIkqCubQBRgHYOY4axGeMiNAXl1uO/LkUf0nTArx4JSLCmm3efFVznb8rJOEI/9gbdLVpGLlRDcCLsjK//mJxO/nsDwmnrsGcQ/zR434MYM9RVPs1QSSiFGqvWHiqkJ1iY ayN8HdLHvYHJkHW3F0d5/NF9BD6fY7UjGwqjD3PrmP91rrBWk/QpTdnRg/IRUshxRm4TeWQWQOOtrlRU7XUTm/ALZlr9DXN3r/YoWMdrasD8AXsyzQpcyU Y2OPpFIwpFaXXV/kxf9sc7OG BVzAvX41OjFjfWVBwwggG1BgkqhkiG9w0BBwEwFAYIKoZIhvcNAwcECJpHqEsbh10rgIIBkDKejpodVxi3v5VA0AR0kDlkJKzuozbXzVE6f/ECa7B0y/ahhtmGPvfP9QbQ/lOybhca83jg6dUOmfXmEZn/HTI2hWqUpLn0G1GkyFKtDYM79mIOlHkTMA2rWGyMkqSxgwH0RRfdxxXjSPTLwZPX3eP1zr05xkIRYuZWkohI56D02eo4DZK Zfg6sY8ATd7EpmHnNLXLACc7ejwYsAqLi4rAwF5Hrv4KSo/qq3VN cAh2E95SgRE5ae1dje/490cmZY5aYniFr/ZfFVHHyyOODc fY4q6EAQ6eygvhrHyZQXAwfioo0BVWYToJSRFKiZ2/p6OeuiNP8YtN65suiavlFDkCINt2 GyXVow9IG7/ol GzHo5Q36Xu6Hhk6oAv2ui7RXJ0YcPZCnHRHe/gPF5SNn3y5Stdtchrm4UBC1fCZCk4vJvZZtB6DIzKUkwHZBM2I0GlLxxaA7gpe6t3U5VR7T68VHwlCEXzd5oxQLEQjSERXC2 QfVITkfpkarKw9buDo/B 1f2cbZ5HZZWK226gggLdMIIC2TCCAcGgAwIBAgIBATANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDDA9NRE0gU0NFUCBTSUdORVIwHhcNMTcwODMxMTQyMDM5WhcNMTgwODMxMTQyMDM5WjAaMRgwFgYDVQQDDA9NRE0gU0NFUCBTSUdORVIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCgyEO4EhA H9 7uUXCTXi1KHRSZ O5bmjnG82vKnUfYJH2vDYdK8ySgGadgXpdYDevLgQq IpOdkr8TmsQygFqpfB6 gzaLsfwIUftHMEqRYcTrvkpJvUL6a8rgJ9Qk2QLlXW9VgDCSJuQEb7Djg8ztmEzrkxW0jrBgZUB2RuNz8/GtYpwiqOn0H2Y8XpQnVX gLfYCrWic ydDUPcpvNJGxYHT3VlcavVYCJ0fCXtlq8LYSHLmjIZBuZ3GskYpcpSFcVt wdGReDq2J9qrW3MrUCofwnJm2EM975Z6L8oESFGgi75 AZcxv31igjbGowObi1JdmaiBP7s4IIqjzOBAgMBAAGjKjAoMA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAWNNND6b/g7k1mGH2bbYNguNAHbE2d2nbi3dA4y7eIqK KG1iPGfznBRO0SQ36ISYhV7zCgZnGWpqdfqpPoNZFA06ffHxnoeEy8CBJgABb3/WKTkHrzk5 WiKY3xMHng76sUMlo9ZmoAPv4TefG m4IHqS4PLOiOnlB3tnh FNCW6kZpvQ67w3Qzq74DQ5vsxkj tCK254tFPHmCtzCf4IA/tnVhx a4ZdrYhQdfSzeTV0OH29wcsZkkj7eYdElJRBgSLshnUNgHLYGat0yL qFyHwtniTDhstYkDzohRZqdRm1PLKhx1fydjPIJCgqlfizNaLKliPVqw1Kg/3EOszGCAiMwggIfAgEBMB8wGjEYMBYGA1UEAwwPTURNIFNDRVAgU0lHTkVSAgEBMAkGBSsOAwIaBQCggdowEgYKYIZIAYb4RQEJAjEEEwIxOTATBgkqhkiG9w0BCQcxBhMEd2hhdDAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBgGCmCGSAGG EUBCQUxCgQIUjA1J7asfb0wHAYJKoZIhvcNAQkFMQ8XDTE3MDgzMTE0MjAzOVowIwYJKoZIhvcNAQkEMRYEFOwjJDjdDs6SCjnPNHsc29ZsI05MMDgGCmCGSAGG EUBCQcxKhMoOEIzNzhBODE1RjZDQjEyODJBMzU1NkIwRkFDNjJDNkM2MTQ4OTBDMjANBgkqhkiG9w0BAQEFAASCAQAEzTvWktV9S 8w0 EiqsakAO1 LfyToBz8atr/FXxJ45cKAOcPMk/sArtQlbrrg3fhStDTZGiPqFD1oqaq6r1IlkGG/m2mYoDxZXXTtvwODKMdYjjNCsFKmverk0IOAxUu5XX32oWB2ROgEOKGCSV1oPSB4KlsQRm5QQk5VFuJbkIG5idd3fg/86TwetIlu6NEi2qWQDXeZUtdbn7n4Zi8pw2AtxLdjOgTutqT7FQqVc/KTRXdcqxUpHrZSLHCTDR0Pzyky0pFhW/3K41/QpDFy6H7vwoEVVibK7QXGgZI6xFY0T dL43QQW 3fHji7wjaAbRtGPvBSd8Bc6d3wHis
java.io.EOFException
at org.mozilla.jss.asn1.ASN1Util.readFully(ASN1Util.java:114)
at org.mozilla.jss.asn1.ANY$Template.decode(ANY.java:274)
at org.mozilla.jss.asn1.EXPLICIT$Template.decode(EXPLICIT.java:157)
at org.mozilla.jss.asn1.EXPLICIT$Template.decode(EXPLICIT.java:146)
at org.mozilla.jss.asn1.SEQUENCE$Template.decode(SEQUENCE.java:400)
at org.mozilla.jss.pkcs7.ContentInfo$Template.decode(ContentInfo.java:254)
at org.mozilla.jss.pkcs7.ContentInfo$Template.decode(ContentInfo.java:247)
at com.netscape.cmsutil.scep.CRSPKIMessage.decodeCRSPKIMessage(CRSPKIMessage.java:701)
at com.netscape.cmsutil.scep.CRSPKIMessage.<init>(CRSPKIMessage.java:723)
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.handlePKIOperation(CRSEnrollment.java:832)
at com.netscape.cms.servlet.cert.scep.CRSEnrollment.service(CRSEnrollment.java:370)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:221)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1078)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
[31/Aug/2017:14:20:39][http-bio-8080-exec-6]: ServletException javax.servlet.ServletException: Could not decode the request.