Solved.
cool. thanks.
I pointed sscep to the url:
# ./sscep getca -c ca.crt -u http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe
I know I'll run into issues with the rest... :) but I'll work on those bridges
once I cross them.
-----Original Message-----
>From: Chandrasekar Kannan <ckannan(a)redhat.com>
>Sent: Apr 23, 2009 1:09 PM
>To: Fortunato <fortunato.montresor(a)earthlink.net>
>Cc: pki-users(a)redhat.com
>Subject: Re: [Pki-users] SSCEP client requesting CA cert
>
>On Thu, 2009-04-23 at 13:03 -0700, Chandrasekar Kannan wrote:
>> On Thu, 2009-04-23 at 11:35 -0700, Fortunato wrote:
>> > Thanks to all for your help so far. :)
>> >
>> > Lately I've been trying to request the CA cert using sscep and using the RA cgi url:
>> >
>> > http://<fqdn>:12888/ee/scep/pkiclient.cgi
>> >
>> > I get the following error message:
>> >
>> > ./sscep: cannot find data from http reply
>> >
>> > It looks like I have to make the CA cert available ...somewhere, but can't find any relevant places in the web gui or the documentation. Any ideas?
>> >
>> > Additionally all the examples for retrieving the CA are for:
>> >
>> > http://<fqdn>:9180/ca/cgi.bin
>> >
>> > I'm assuming this is the direct request to the CA. If it's easier to get it from the CA, I'll give that a try too, but that is generating the errors:
>> >
>> > ./sscep: wrong (or missing) MIME content type
>> > ./sscep: error while sending message
>> >
>> > which looks even more hopeless.
>> >
>> > Any help is appreciated.
>>
>> Here's a perl module that we use for simple scep testing.
>> I'll try to dig out the url and pin soon for a sample ...
>
>
>some sample results from this. might be useful for you.
>##########################################################################
>
>scep3 : [2007:5:9 12:44:7] : command = rsh tank.dsdev.sjc.redhat.com -l root /bin/rm -f local.csr local.key ca.crt cert.crt
>scep3 : [2007:5:9 12:44:7] : result =
>scep3 : [2007:5:9 12:44:7] : ########################################################
>scep3 : [2007:5:9 12:44:7] : command = rsh tank.dsdev.sjc.redhat.com -l root /usr/bin/mkrequest -ip 10.14.1.89 netscape
>Generating RSA private key, 1024 bit long modulus
>..............++++++
>...........++++++
>e is 65537 (0x10001)
>scep3 : [2007:5:9 12:44:7] : result =
>scep3 : [2007:5:9 12:44:7] : ########################################################
>scep3 : [2007:5:9 12:44:7] : command = rsh tank.dsdev.sjc.redhat.com -l root /usr/bin/sscep getca -c ca.crt -u http://tank:9007/ca/cgi-bin/pkiclient.exe
>scep3 : [2007:5:9 12:44:8] : result = /usr/bin/sscep: requesting CA certificate
> /usr/bin/sscep: valid response from server
> /usr/bin/sscep: MD5 fingerprint: AC:B6:11:DF:97:8C:E5:77:E2:A8:21:EE:A0:C5:76:D5
> /usr/bin/sscep: CA certificate written as ca.crt
>scep3 : [2007:5:9 12:44:8] : ########################################################
>scep3 : [2007:5:9 12:44:8] : command = rsh tank.dsdev.sjc.redhat.com -l root /usr/bin/sscep enroll -c ca.crt -k local.key -r local.csr -l cert.crt -u http://tank:9007/ca/cgi-bin/pkiclient.exe
>scep3 : [2007:5:9 12:44:9] : result = /usr/bin/sscep: sending certificate request
> /usr/bin/sscep: valid response from server
> /usr/bin/sscep: pkistatus: SUCCESS
> /usr/bin/sscep: certificate written as cert.crt
>scep3 : [2007:5:9 12:44:9] : ########################################################
>scep3 : [2007:5:9 12:44:9] : TestCaseResult scep3 PASS
>##########################################################################
>
>
>>
>>
>> ######################################################################
>> # This perl module serves as a perl interface for the RHCS
>> # SCEP - Enrollment
>>
>> ######################################################################
>> package scep_enroll;
>> require Exporter;
>> @ISA = qw(Exporter);
>> @EXPORT = qw(scep_do_enroll_with_sscep
>> );
>>
>> ######################################################################
>> use strict;
>> use baserc;
>> use baselib;
>> use applib;
>> #use Net::Telnet::Cisco;
>> ######################################################################
>> #sub scep_do_enroll
>> #{
>> # my ($scep_enroll_pin,$scep_enroll_url) = @_;
>> #
>> # # scep_host/password are hardcoded here.
>> # my $scep_host = "scep.dsdev.sjc.redhat.com";
>> # my $scep_host_ip = "10.14.1.94";
>> # my $scep_password = "netscape";
>> # my $scep_ethernet = "Ethernet0/0";
>> #
>> # my $session = Net::Telnet::Cisco->new(Host => "$scep_host" );
>> # $session->login('', "$scep_password");
>> # $session->ignore_warnings("1");
>> #
>> # # Execute a command
>> # &message_ts;
>> # my @output = $session->cmd('show version');
>> # log_entry(@output);
>> #
>> # # Enable mode
>> # if ($session->enable("$scep_password") )
>> # {
>> # @output = $session->cmd('show privilege');
>> # log_entry("My privileges: @output\n");
>> # }
>> # else
>> # {
>> # log_entry("Can't enable: " . "$session->errmsg");
>> # }
>> #
>> # # enter conf t mode
>> # log_entry("Executing command = conf t\n");
>> # @output = $session->cmd("conf t");
>> # log_entry("result =@output \n");
>> #
>> # # perform crypto cleanup first
>> # log_entry("Executing command = crypto key zeroize rsa \n");
>> # @output = $session->cmd("crypto key zeroize rsa\nyes");
>> # log_entry("result = @output\n");
>> #
>> # log_entry("Executing command = no crypto ca identity CA\n");
>> # @output = $session->cmd("no crypto ca identity CA\nyes");
>> # log_entry("result = @output\n");
>> #
>> # # setup CA identity
>> # log_entry("Executing command = crypto ca identity CA\n");
>> # @output = $session->cmd("crypto ca identity CA");
>> # log_entry("result = @output\n");
>> #
>> # log_entry("Executing command = enrollment url $scep_enroll_url \n");
>> # @output = $session->cmd("enrollment url $scep_enroll_url ");
>> # log_entry("result = @output\n");
>> #
>> # log_entry("Executing command = crl optional\n");
>> # @output = $session->cmd("crl optional");
>> # log_entry("result = @output\n");
>> #
>> # log_entry("Executing command = exit \n");
>> # @output = $session->cmd("exit");
>> # log_entry("result = @output\n");
>> #
>> # # authenticate CA
>> # log_entry("Executing command = crypto ca authenticate CA\n");
>> # @output = $session->cmd("crypto ca authenticate CA\nyes");
>> # log_entry("result = @output\n");
>> #
>> # log_entry("Executing command = crypto key generate rsa\n");
>> # @output = $session->cmd("crypto key generate rsa\n512");
>> # log_entry("result = @output\n");
>> # sleep(60);
>> #
>> # log_entry("Executing command = crypto ca enroll CA \n");
>> # @output = $session->cmd("crypto ca enroll CA\n$scep_enroll_pin\n$scep_enroll_pin\nyes\nyes\n$scep_ethernet\nyes");
>> # log_entry("result = @output\n");
>> #
>> # log_entry("Executing command = exit \n");
>> # @output = $session->cmd("exit");
>> # log_entry("result = @output\n");
>> #
>> # log_entry("Executing command = show crypto CA certificate\nq\n");
>> # @output = $session->cmd("show crypto CA certificate\nq\n");
>> # log_entry("result = @output\n");
>> #
>> # foreach(@output)
>> # {
>> # if( /$scep_host/ || /Key Usage: General Purpose/ )
>> # {
>> # return 0;
>> # }
>> # }
>> #
>> #
>> ##########################################################################
>> # # close the session object
>> # $session->close;
>> #
>> # return 1;
>> #}
>> ######################################################################
>> sub scep_do_enroll_with_sscep
>> {
>> # This sub-routine uses the Simple SCEP client to do scep enrollments.
>> # this can be used as an alternative if we don't have the router
>> # the scep client is installed on tank.dsdev.sjc.redhat.com
>>
>> my ($scep_enroll_pin,$scep_enroll_url) = @_;
>>
>> # scep_host/password are hardcoded here.
>> my $scep_host = "tank.dsdev.sjc.redhat.com";
>> my $uid = "root";
>> my $ipaddress = os_getip();
>>
>> # clean up
>> log_entry("########################################################\n");
>> log_entry("command = rsh $scep_host -l $uid /bin/rm -f local.csr local.key ca.crt cert.crt \n");
>> my $result = `rsh $scep_host -l $uid /bin/rm -f local.csr local.key ca.crt cert.crt`;
>> log_entry("result = $result\n");
>>
>> # generate a key
>> log_entry("########################################################\n");
>> log_entry("command = rsh $scep_host -l $uid /usr/bin/mkrequest -ip $ipaddress $scep_enroll_pin \n");
>> $result = `rsh $scep_host -l $uid /usr/bin/mkrequest -ip $ipaddress $scep_enroll_pin `;
>> log_entry("result = $result\n");
>>
>> # get ca cert
>> log_entry("########################################################\n");
>> log_entry("command = rsh $scep_host -l $uid /usr/bin/sscep getca -c ca.crt -u $scep_enroll_url\n");
>> $result = `rsh $scep_host -l $uid /usr/bin/sscep getca -c ca.crt -u $scep_enroll_url`;
>> log_entry("result = $result\n");
>>
>> # submit enrollment request
>> log_entry("########################################################\n");
>> log_entry("command = rsh $scep_host -l $uid /usr/bin/sscep enroll -c ca.crt -k local.key -r local.csr -l cert.crt -u $scep_enroll_url \n");
>> my @output = `rsh $scep_host -l $uid /usr/bin/sscep enroll -c ca.crt -k local.key -r local.csr -l cert.crt -u $scep_enroll_url `;
>> log_entry("result = @output \n");
>>
>> # parse for success
>> log_entry("########################################################\n");
>> foreach(@output)
>> {
>> if(/pkistatus: SUCCESS/ || /certificate written as/ )
>> {
>> return 0;
>> }
>> }
>>
>> # failure
>> return 1;
>> }
>> #########################################################################
>> >
>> >
>> >
>> > _______________________________________________
>> > Pki-users mailing list
>> > Pki-users(a)redhat.com
>> >
https://www.redhat.com/mailman/listinfo/pki-users
>--
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>Chandrasekar Kannan -- ckannan(a)redhat.com
>Quality Engineering --
http://www.redhat.com
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
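The thread shows the two ways a "getca" step goes wrong (an HTML page instead of a certificate, which sscep reports as "wrong (or missing) MIME content type") and what a good answer looks like (a CA certificate plus an MD5 fingerprint). Because GetCACert is plain, unauthenticated HTTP, the fingerprint sscep prints is the only thing tying ca.crt to the CA you meant to enrol with, and it should be compared against a value the CA administrator gave you out of band before ca.crt is handed to "sscep enroll". The following is an added example, not the perl module or the sscep output from the thread: it validates an already-fetched GetCACert response (no network access), checking the content type, that the body is DER, and that the fingerprint matches a pinned value. The two content types are the ones the SCEP specification uses for GetCACert replies; the response bytes and the pin are constructed for the example.

```python
# Added example: validate an SCEP GetCACert reply before trusting ca.crt.
# Not the perl module or sscep output posted in the thread; the sample
# response bytes below are constructed and are not a real certificate.
import hashlib
from typing import Optional, Tuple

# Content types an SCEP server returns for GetCACert: a bare CA certificate,
# or a degenerate PKCS#7 "certs-only" message carrying CA and RA certificates.
# An HTML error page (text/html) is what sscep reports as a wrong MIME type.
GETCACERT_TYPES = {"application/x-x509-ca-cert", "application/x-x509-ca-ra-cert"}


def fingerprint(der: bytes, algo: str = "md5") -> str:
    """Colon-separated upper-case hex digest, the format sscep prints.
    sscep shows MD5; pass algo="sha256" when the administrator gives a SHA-256 pin."""
    digest = hashlib.new(algo, der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def check_getcacert(content_type: Optional[str], body: bytes,
                    pinned_fp: str, algo: str = "md5") -> Tuple[bool, str]:
    """Return (ok, reason); ok is True only when all three checks pass."""
    if content_type is None:
        return False, "missing Content-Type"
    # Drop any "; charset=..." parameter and normalise case before comparing.
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime not in GETCACERT_TYPES:
        return False, f"wrong MIME content type: {mime}"
    # A DER certificate, and a PKCS#7 ContentInfo, both start with a SEQUENCE tag.
    if not body or body[0] != 0x30:
        return False, "body is not DER (no leading SEQUENCE tag)"
    got = fingerprint(body, algo)
    if got.upper() != pinned_fp.upper().replace(" ", ""):
        return False, f"fingerprint mismatch: got {got}, expected {pinned_fp}"
    return True, f"{algo} fingerprint {got} matches pinned value"


# Constructed sample standing in for the DER CA certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"constructed-not-a-real-certificate"
# In practice the pin comes from the CA administrator over a trusted channel;
# here it is derived from the constructed sample so the example runs offline.
SAMPLE_PIN = fingerprint(SAMPLE_DER)

if __name__ == "__main__":
    cases = [
        ("application/x-x509-ca-cert", SAMPLE_DER, SAMPLE_PIN),        # good reply
        ("text/html; charset=UTF-8", b"<html>not found</html>", SAMPLE_PIN),  # error page
        ("application/x-x509-ca-cert", SAMPLE_DER, "00:" * 15 + "00"),  # wrong CA
    ]
    for ct, body, pin in cases:
        ok, why = check_getcacert(ct, body, pin)
        print("OK  " if ok else "FAIL", why)
```

Only the first case should pass; the second reproduces the MIME-type failure from the thread, and the third is the case sscep cannot detect on its own, a well-formed certificate from a CA other than the one whose fingerprint you were given.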