I found my issue. The IP address that was sourcing the request was not the IP address used in requesting the SCEP.
Charles Jennings
Network Security Engineer | Network Engineering
EarthLink Business
E: charles.jennings@corp.earthlink.com
O: 256-241-4223 | M: 256-689-9741 | F: 256-241-4294
1801 Hillyer
Deltacom is now EarthLink Business
"There is one safeguard known generally to the wise, which is an advantage and security to all, but especially to democracies as against despots. What is it? Distrust."
Demosthenes (c 384-322 B.C.), Greek orator. Second Philippic, sct. 24 (344 B.C.)
From: pki-users-bounces@redhat.com [mailto:pki-users-bounces@redhat.com] On Behalf Of Andrew Wnuk
Sent: Monday, April 25, 2011 6:02 PM
To:
Subject: Re: [Pki-users] Cisco Router and RA SCEP & PIN
Is there anything interesting in your CA debug log file?
Did you verify that your request includes the challenge password attribute?
Thank you,
Andrew
On 04/21/2011 06:00 AM,
Looking for some help:
I've been beating my head over this for a few days with no resolution:
1. Using DCS version 1.3
2. In RA SSL End User Services, perform a SCEP enrollment using the following information:
   a. Client IP: a user id
   b. Site ID: The IP address of the router
   c. Email: My email address
3. In RA Agent Services, approve the request and note the PIN that is assigned.
4. In router, generate RSA key:
   crypto key gen rsa
   Set to 1024 modulus
5. In router, create the crypto ca trustpoint as follows:
   crypto ca trustpoint CA
    enrollment mode ra
    enrollment url http://ra.test.com:12888/ee/scep/pkiclient.cgi
    crl optional
6. In router, obtain CA certificate (with no problem):
   crypto ca authenticate CA
   Certificate has the following attributes:
   Fingerprint MD5: blah blah
   Fingerprint SHA1: blah blah
   %Do you accept this certificate? [yes/no]: yes
Here's where it all blows up:
7. Try to obtain certificate:
   crypto ca enroll CA
   %
   % Start certificate enrollment .
   % Create a challenge password. You will need to verbally provide this
   Password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.
   Password: {I've tried the PIN and just any 'ol password}
   Re-enter password:
   % The subject name in the certificate will include: TEST_HOST.cert-test.net
   % Include the router serial number in the subject name? [yes/no]: no {tried both}
   % Include the IP address in the subject name? [no]: no {tried both}
   Request certificate from CA? [yes/no] yes
   % Certificate request sent to Certificate Authority
   % The 'show crypto ca certificate CA verbose' command will show the fingerprint
   CRYPTO_PKI: Certificate Request Fingerprint MD5: blah blah
   CRYPTO_PKI: Certificate Request Fingerprint SHA1: blah blah
   %PKI-6-CERTFAIL: Certificate enrollment failed.
8. I have turned on debugging and found that every time it failed, I was being told at the end of the debugging that I was being redirected with a '302 Moved' to /ee/scep/installer.cgi
9. So I went in and edited the following file:
   vi ./var/lib/pki-ra/docroot/ee/scep/pkiclient.cgi
   and commented out the following 4 lines in the file:

   # check PIN
   if (1) {
     my $pin_store = PKI::Base::PinStore->new();
     $pin_store->open($cfg);
     my $pinref = $pin_store->read_pin($key);
     if (defined($pinref) && $pinref->{'pin'} eq $pin) {
       $pin_store->delete($key);
     } else {
     #   $pin_store->close();
     #   # XXX - return SCEP error
     #   print $q->redirect("/ee/scep/installer.cgi");
     #   return;
     }
     $pin_store->close();
   }

10. I ran through the whole enrollment process again, and bang: it works.
So I know that the issue is that it can't determine the PIN that was assigned during the RA enrollment process.
Does anyone know how I can resolve this so that PIN authentication works?
Thanks,
Charles Jennings
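An added example, not code from this thread or from the pki-ra project: a Python model of the "check PIN" block quoted in step 9, assuming the PIN store is keyed by the request's source IP (what the resolution at the top of the thread implies; the real lookup key in pkiclient.cgi is not shown). It walks through the source-IP mismatch, the normal path, and the single-use nature of the PIN, with constructed addresses and PIN values.

```python
# Added example (not from the thread or the pki-ra code): model of the RA's
# one-time PIN check in pkiclient.cgi. Keying the store by the source IP that
# the agent entered as Site ID is an assumption drawn from the resolution.
import hmac

REDIRECT = "302 /ee/scep/installer.cgi"  # what the router debug reported


class PinStore:
    """Stand-in for PKI::Base::PinStore: key -> PIN issued at approval time."""

    def __init__(self):
        self._pins = {}

    def approve(self, site_id, pin):
        # RA Agent Services approval: the assigned PIN is stored under the Site ID
        self._pins[site_id] = pin

    def read_pin(self, key):
        return self._pins.get(key)

    def delete(self, key):
        self._pins.pop(key, None)


def check_scep_pin(store, remote_addr, challenge_password):
    """Mirror the Perl 'check PIN' block; returns (accepted, detail).

    The PIN is looked up under the request's source address. A match consumes
    the PIN (single use); anything else is the redirect the router sees as
    '302 Moved'. Comparison is constant-time, a hardening not in the original.
    """
    key = remote_addr  # assumption: lookup key is the source IP of the request
    stored = store.read_pin(key)
    if stored is None:
        return False, f"no PIN registered for source {remote_addr} -> {REDIRECT}"
    if not hmac.compare_digest(stored.encode(), challenge_password.encode()):
        return False, f"challenge password does not match PIN -> {REDIRECT}"
    store.delete(key)  # PIN is consumed on first successful use
    return True, f"PIN accepted for {remote_addr}; request forwarded to the CA"


def demo():
    """Constructed scenario: approval for 192.0.2.10, requests from two sources."""
    store = PinStore()
    store.approve("192.0.2.10", "48213")  # constructed Site ID and PIN
    nat = check_scep_pin(store, "198.51.100.7", "48213")  # request left via another IP
    ok = check_scep_pin(store, "192.0.2.10", "48213")     # source matches Site ID
    reuse = check_scep_pin(store, "192.0.2.10", "48213")  # PIN already consumed
    return nat[0], ok[0], reuse[0]
```

With the four redirect lines commented out as in step 9, the else branch falls through, so any challenge password is accepted; the first failing case above is the one to look for in the RA's access log (request source versus the Site ID entered at enrollment).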