[Pki-users] SSCEP client requesting CA cert

Chandrasekar Kannan ckannan at redhat.com
Thu Apr 23 20:03:43 UTC 2009


On Thu, 2009-04-23 at 11:35 -0700, Fortunato wrote:
> Thanks to all for your help so far. :)
> 
> Lately I've been trying to request the CA cert using sscep and using the RA cgi url:
> 
>   http://<fqdn>:12888/ee/scep/pkiclient.cgi
> 
> I get the following error message:
> 
>   ./sscep: cannot find data from http reply
> 
> It looks like I have to make the CA cert available ...somewhere, but can't find any relevant places in the web gui or the documentation. Any ideas?
> 
> Additionally all the examples for retrieving the CA are for:
> 
>   http://<fqdn>:9180/ca/cgi.bin
> 
> I'm assuming this is the direct request to the CA. If it's easier to get it from the CA, I'll give that a try too, but that is generating the errors:
> 
>   ./sscep: wrong (or missing) MIME content type
>   ./sscep: error while sending message
> 
> which looks even more hopeless.
> 
> Any help is appreciated.

Here's a perl module that we use for simple scep testing.
I'll try to dig out the url and pin soon for a sample ...


######################################################################
# This perl module serves as a perl interface for the RHCS
# SCEP - Enrollment

######################################################################
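package scep_enroll;
require Exporter;

# Exporter plumbing.  Declared with "our" so these package globals stay
# valid if "use strict" is ever moved above this point; without it the
# bare @ISA / @EXPORT assignments only compile because strict is enabled
# further down the file.
our @ISA    = qw(Exporter);
our @EXPORT = qw(scep_do_enroll_with_sscep);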

######################################################################
use strict;
use baserc;
use baselib;
use applib;
#use Net::Telnet::Cisco;
######################################################################
#sub scep_do_enroll
#{
#	my ($scep_enroll_pin,$scep_enroll_url) = @_;
#
#	# scep_host/password are hardcoded here. 
#	my $scep_host = "scep.dsdev.sjc.redhat.com";
#	my $scep_host_ip = "10.14.1.94";
#	my $scep_password = "netscape";
#	my $scep_ethernet = "Ethernet0/0";
#
#	my $session = Net::Telnet::Cisco->new(Host => "$scep_host" );
#	$session->login('', "$scep_password");
#	$session->ignore_warnings("1");
#
#	# Execute a command
#	&message_ts;
#	my @output = $session->cmd('show version');
#	log_entry(@output);
#
#	# Enable mode
#	if ($session->enable("$scep_password") )
#	{
#		@output = $session->cmd('show privilege');
#		log_entry("My privileges: @output\n");
#	}
#	else
#	{
#		log_entry("Can't enable: " . "$session->errmsg");
#	}
#
#	# enter conf t mode
#	log_entry("Executing command = conf t\n");
#	@output = $session->cmd("conf t");
#	log_entry("result =@output \n"); 
#
#	# perform crypto cleanup first
#	log_entry("Executing command = crypto key zeroize rsa \n");
#	@output = $session->cmd("crypto key zeroize rsa\nyes");
#	log_entry("result = @output\n");
#
#	log_entry("Executing command = no crypto ca identity CA\n");
#	@output = $session->cmd("no crypto ca identity CA\nyes");
#	log_entry("result = @output\n");
#
#	# setup CA identity
#	log_entry("Executing command = crypto ca identity CA\n");
#	@output = $session->cmd("crypto ca identity CA");
#	log_entry("result = @output\n");
#
#	log_entry("Executing command = enrollment url $scep_enroll_url \n");
#	@output = $session->cmd("enrollment url $scep_enroll_url ");
#	log_entry("result = @output\n");
#
#	log_entry("Executing command = crl optional\n");
#	@output = $session->cmd("crl optional");
#	log_entry("result = @output\n");
#
#	log_entry("Executing command = exit \n");
#	@output = $session->cmd("exit");
#	log_entry("result = @output\n");
#
#	# authenticate CA
#	log_entry("Executing command = crypto ca authenticate CA\n");
#	@output = $session->cmd("crypto ca authenticate CA\nyes");
#	log_entry("result = @output\n");
#
#	log_entry("Executing command = crypto key generate rsa\n");
#	@output = $session->cmd("crypto key generate rsa\n512");
#	log_entry("result = @output\n");
#	sleep(60);
#
#	log_entry("Executing command = crypto ca enroll CA \n");
#	@output = $session->cmd("crypto ca enroll CA\n$scep_enroll_pin\n$scep_enroll_pin\nyes\nyes\n$scep_ethernet\nyes");
#	log_entry("result = @output\n");
#
#	log_entry("Executing command = exit \n");
#	@output = $session->cmd("exit");
#	log_entry("result = @output\n");
#
#	log_entry("Executing command = show crypto CA certificate\nq\n");
#	@output = $session->cmd("show crypto CA certificate\nq\n");
#	log_entry("result = @output\n");
#
#	foreach(@output)
#	{
#		if( /$scep_host/ || /Key Usage: General Purpose/ )
#		{
#			return 0;
#		}
#	}
#
#
##########################################################################
#	# close the session object
#	$session->close;
#
#	return 1;
#}
######################################################################
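sub scep_do_enroll_with_sscep
{
	# This sub-routine uses the Simple SCEP client (sscep) to do scep
	# enrollments.  It can be used as an alternative if we don't have the
	# router; the scep client is installed on tank.dsdev.sjc.redhat.com.
	#
	# Arguments:
	#   $scep_enroll_pin - one-time enrollment PIN handed to mkrequest,
	#                      which builds local.key / local.csr on $scep_host
	#   $scep_enroll_url - SCEP URL given to "sscep getca" and "sscep enroll"
	#
	# Returns 0 when the "sscep enroll" output contains "pkistatus: SUCCESS"
	# or "certificate written as", 1 otherwise (including when rsh could not
	# be started at all).
	#
	# Every step runs on $scep_host through rsh as $uid.  The commands are
	# started with the list form of open, so the *local* shell never parses
	# the PIN or URL; the remote rshd still hands the command line to a
	# shell, and rsh itself is cleartext with host-based trust, so both
	# values must come from a trusted caller -- this is a test harness, not
	# a public entry point.  The CA certificate fetched by "sscep getca" is
	# used as-is; nothing here compares its fingerprint against a known
	# value, which is acceptable for lab testing only.
	#
	# rsh exit statuses are logged but do not abort the run; the enrollment
	# result is decided solely from the sscep enroll output, as before.

	my ($scep_enroll_pin,$scep_enroll_url) = @_;

	# scep_host/uid are hardcoded here.
	my $scep_host = "tank.dsdev.sjc.redhat.com";
	my $uid       = "root";
	my $ipaddress = os_getip();
	my @rsh       = ('rsh', $scep_host, '-l', $uid);

	# clean up
	_log_separator();
	_run_logged(undef, @rsh, '/bin/rm', '-f',
		qw(local.csr local.key ca.crt cert.crt));

	# generate a key.  The PIN is kept out of the log; only the command
	# line that mkrequest receives on the remote host carries it.
	_log_separator();
	_run_logged("@rsh /usr/bin/mkrequest -ip $ipaddress <pin not logged>",
		@rsh, '/usr/bin/mkrequest', '-ip', $ipaddress, $scep_enroll_pin);

	# get ca cert
	_log_separator();
	_run_logged(undef, @rsh, '/usr/bin/sscep', 'getca',
		'-c', 'ca.crt', '-u', $scep_enroll_url);

	# submit enrollment request
	_log_separator();
	my @output = _run_logged(undef, @rsh, '/usr/bin/sscep', 'enroll',
		'-c', 'ca.crt', '-k', 'local.key', '-r', 'local.csr',
		'-l', 'cert.crt', '-u', $scep_enroll_url);

	# parse for success
	_log_separator();
	for my $line (@output)
	{
		if ($line =~ /pkistatus: SUCCESS/ || $line =~ /certificate written as/)
		{
			return 0;
		}
	}

	# failure
	return 1;
}

# Write the "####..." divider the log uses between enrollment steps.
sub _log_separator
{
	log_entry("########################################################\n");
	return;
}

# Run @cmd without a local shell, log the command line ($display, or the
# space-joined @cmd when undef), its output and any non-zero exit status,
# and return the output lines.  A command that cannot be started is logged
# and yields an empty list.
sub _run_logged
{
	my ($display, @cmd) = @_;
	$display = "@cmd" unless defined $display;
	log_entry("command = $display\n");

	my @output;
	if (open my $fh, '-|', @cmd)
	{
		@output = <$fh>;
		close $fh;
		# close on a pipe handle sets $? to the child's wait status.
		log_entry("exit status = " . ($? >> 8) . "\n") if $?;
	}
	else
	{
		log_entry("cannot run $cmd[0]: $!\n");
	}
	log_entry("result = " . join('', @output) . "\n");
	return @output;
}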
#########################################################################
> 
> 
> 
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
-- 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chandrasekar Kannan --  ckannan at redhat.com
Quality Engineering -- http://www.redhat.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



