[Pki-users] SSCEP client requesting CA cert

Chandrasekar Kannan ckannan at redhat.com
Thu Apr 23 21:07:10 UTC 2009


On Thu, 2009-04-23 at 13:52 -0700, Fortunato wrote:
> Solved.


cool. thanks.


> 
> I pointed sscep to the url:
> 
>  # ./sscep getca -c ca.crt -u http://<fqdn>:9080/ca/cgi-bin/pkiclient.exe 
> 
> I know I'll run into issues with the rest... :) but I'll work on those bridges once I cross them.
> 
> -----Original Message-----
> >From: Chandrasekar Kannan <ckannan at redhat.com>
> >Sent: Apr 23, 2009 1:09 PM
> >To: Fortunato <fortunato.montresor at earthlink.net>
> >Cc: pki-users at redhat.com
> >Subject: Re: [Pki-users] SSCEP client requesting CA cert
> >
> >On Thu, 2009-04-23 at 13:03 -0700, Chandrasekar Kannan wrote:
> >> On Thu, 2009-04-23 at 11:35 -0700, Fortunato wrote:
> >> > Thanks to all for your help so far. :)
> >> > 
> >> > Lately I've been trying to request the CA cert using sscep and using the RA cgi url:
> >> > 
> >> >   http://<fqdn>:12888/ee/scep/pkiclient.cgi
> >> > 
> >> > I get the following error message:
> >> > 
> >> >   ./sscep: cannot find data from http reply
> >> > 
> >> > It looks like I have to make the CA cert available ...somewhere, but can't find any relevant places in the web gui or the documentation. Any ideas?
> >> > 
> >> > Additionally all the examples for retrieving the CA are for:
> >> > 
> >> >   http://<fqdn>:9180/ca/cgi.bin
> >> > 
> >> > I'm assuming this is the direct request to the CA. If it's easier to get it from the CA, I'll give that a try too, but that is generating the errors:
> >> > 
> >> >   ./sscep: wrong (or missing) MIME content type
> >> >   ./sscep: error while sending message
> >> > 
> >> > which looks even more hopeless.
> >> > 
> >> > Any help is appreciated.
> >> 
> >> Here's a perl module that we use for simple scep testing.
> >> I'll try to dig out the url and pin soon for a sample ...
> >
> >
> >some sample results from this. might be useful for you.
> >##########################################################################
> >
> >scep3 : [2007:5:9  12:44:7] : command = rsh tank.dsdev.sjc.redhat.com -l
> >root /bin/rm -f local.csr
> >	local.key ca.crt cert.crt 
> >scep3 : [2007:5:9  12:44:7] : result = 
> >scep3 : [2007:5:9  12:44:7] : ########################################################
> >scep3 : [2007:5:9  12:44:7] : command = rsh tank.dsdev.sjc.redhat.com -l root /usr/bin/mkrequest
> >	-ip 10.14.1.89 netscape 
> >Generating RSA private key, 1024 bit long modulus
> >..............++++++
> >...........++++++
> >e is 65537 (0x10001)
> >scep3 : [2007:5:9  12:44:7] : result = 
> >scep3 : [2007:5:9  12:44:7] : ########################################################
> >scep3 : [2007:5:9  12:44:7] : command = rsh tank.dsdev.sjc.redhat.com -l root /usr/bin/sscep getca
> >	-c ca.crt -u http://tank:9007/ca/cgi-bin/pkiclient.exe
> >scep3 : [2007:5:9  12:44:8] : result = /usr/bin/sscep: requesting CA certificate
> >	/usr/bin/sscep: valid response from server
> >	/usr/bin/sscep: MD5 fingerprint: AC:B6:11:DF:97:8C:E5:77:E2:A8:21:EE:A0:C5:76:D5
> >	/usr/bin/sscep: CA certificate written as ca.crt
> >scep3 : [2007:5:9  12:44:8] : ########################################################
> >scep3 : [2007:5:9  12:44:8] : command = rsh tank.dsdev.sjc.redhat.com -l root /usr/bin/sscep enroll
> >	-c ca.crt -k local.key -r local.csr  -l cert.crt -u
> >	http://tank:9007/ca/cgi-bin/pkiclient.exe 
> >scep3 : [2007:5:9  12:44:9] : result = /usr/bin/sscep: sending certificate request
> >	 /usr/bin/sscep: valid response from server
> >	 /usr/bin/sscep: pkistatus: SUCCESS
> >	 /usr/bin/sscep: certificate written as cert.crt
> >scep3 : [2007:5:9  12:44:9] : ########################################################
> >scep3 : [2007:5:9  12:44:9] : TestCaseResult scep3 PASS
> >##########################################################################
> >
> >
> >> 
> >> 
> >> ######################################################################
> >> # This perl module serves as a perl interface for the RHCS
> >> # SCEP - Enrollment
> >> 
> >> ######################################################################
> >> package    scep_enroll;
> >> require    Exporter;
> >> @ISA       = qw(Exporter);
> >> @EXPORT    = qw(scep_do_enroll_with_sscep
> >> 				);
> >> 
> >> ######################################################################
> >> use strict;
> >> use baserc;
> >> use baselib;
> >> use applib;
> >> #use Net::Telnet::Cisco;
> >> ######################################################################
> >> #sub scep_do_enroll
> >> #{
> >> #	my ($scep_enroll_pin,$scep_enroll_url) = @_;
> >> #
> >> #	# scep_host/password are hardcoded here. 
> >> #	my $scep_host = "scep.dsdev.sjc.redhat.com";
> >> #	my $scep_host_ip = "10.14.1.94";
> >> #	my $scep_password = "netscape";
> >> #	my $scep_ethernet = "Ethernet0/0";
> >> #
> >> #	my $session = Net::Telnet::Cisco->new(Host => "$scep_host" );
> >> #	$session->login('', "$scep_password");
> >> #	$session->ignore_warnings("1");
> >> #
> >> #	# Execute a command
> >> #	&message_ts;
> >> #	my @output = $session->cmd('show version');
> >> #	log_entry(@output);
> >> #
> >> #	# Enable mode
> >> #	if ($session->enable("$scep_password") )
> >> #	{
> >> #		@output = $session->cmd('show privilege');
> >> #		log_entry("My privileges: @output\n");
> >> #	}
> >> #	else
> >> #	{
> >> #		log_entry("Can't enable: " . "$session->errmsg");
> >> #	}
> >> #
> >> #	# enter conf t mode
> >> #	log_entry("Executing command = conf t\n");
> >> #	@output = $session->cmd("conf t");
> >> #	log_entry("result =@output \n"); 
> >> #
> >> #	# perform crypto cleanup first
> >> #	log_entry("Executing command = crypto key zeroize rsa \n");
> >> #	@output = $session->cmd("crypto key zeroize rsa\nyes");
> >> #	log_entry("result = @output\n");
> >> #
> >> #	log_entry("Executing command = no crypto ca identity CA\n");
> >> #	@output = $session->cmd("no crypto ca identity CA\nyes");
> >> #	log_entry("result = @output\n");
> >> #
> >> #	# setup CA identity
> >> #	log_entry("Executing command = crypto ca identity CA\n");
> >> #	@output = $session->cmd("crypto ca identity CA");
> >> #	log_entry("result = @output\n");
> >> #
> >> #	log_entry("Executing command = enrollment url $scep_enroll_url \n");
> >> #	@output = $session->cmd("enrollment url $scep_enroll_url ");
> >> #	log_entry("result = @output\n");
> >> #
> >> #	log_entry("Executing command = crl optional\n");
> >> #	@output = $session->cmd("crl optional");
> >> #	log_entry("result = @output\n");
> >> #
> >> #	log_entry("Executing command = exit \n");
> >> #	@output = $session->cmd("exit");
> >> #	log_entry("result = @output\n");
> >> #
> >> #	# authenticate CA
> >> #	log_entry("Executing command = crypto ca authenticate CA\n");
> >> #	@output = $session->cmd("crypto ca authenticate CA\nyes");
> >> #	log_entry("result = @output\n");
> >> #
> >> #	log_entry("Executing command = crypto key generate rsa\n");
> >> #	@output = $session->cmd("crypto key generate rsa\n512");
> >> #	log_entry("result = @output\n");
> >> #	sleep(60);
> >> #
> >> #	log_entry("Executing command = crypto ca enroll CA \n");
> >> #	@output = $session->cmd("crypto ca enroll CA\n$scep_enroll_pin\n$scep_enroll_pin\nyes\nyes\n$scep_ethernet\nyes");
> >> #	log_entry("result = @output\n");
> >> #
> >> #	log_entry("Executing command = exit \n");
> >> #	@output = $session->cmd("exit");
> >> #	log_entry("result = @output\n");
> >> #
> >> #	log_entry("Executing command = show crypto CA certificate\nq\n");
> >> #	@output = $session->cmd("show crypto CA certificate\nq\n");
> >> #	log_entry("result = @output\n");
> >> #
> >> #	foreach(@output)
> >> #	{
> >> #		if( /$scep_host/ || /Key Usage: General Purpose/ )
> >> #		{
> >> #			return 0;
> >> #		}
> >> #	}
> >> #
> >> #
> >> ##########################################################################
> >> #	# close the session object
> >> #	$session->close;
> >> #
> >> #	return 1;
> >> #}
> >> ######################################################################
> >> sub scep_do_enroll_with_sscep
> >> {
> >> 	# This sub-routine uses the Simple SCEP client to do scep enrollments.
> >> 	# this can be used as an alternative if we don't have the router
> >> 	# the scep client is installed on tank.dsdev.sjc.redhat.com
> >> 
> >> 	my ($scep_enroll_pin,$scep_enroll_url) = @_;
> >> 
> >> 	# scep_host/password are hardcoded here. 
> >> 	my $scep_host = "tank.dsdev.sjc.redhat.com";
> >> 	my $uid = "root";
> >> 	my $ipaddress = os_getip();
> >> 
> >> 	# clean up 
> >> 	log_entry("########################################################\n");
> >> 	log_entry("command = rsh $scep_host -l $uid /bin/rm -f local.csr local.key ca.crt cert.crt \n");
> >> 	my $result = `rsh $scep_host -l $uid /bin/rm -f local.csr local.key ca.crt cert.crt`;
> >> 	log_entry("result = $result\n");
> >> 
> >> 	# generate a key
> >> 	log_entry("########################################################\n");
> >> 	log_entry("command = rsh $scep_host -l $uid /usr/bin/mkrequest -ip $ipaddress $scep_enroll_pin \n");
> >> 	$result = `rsh $scep_host -l $uid /usr/bin/mkrequest -ip $ipaddress $scep_enroll_pin `;
> >> 	log_entry("result = $result\n");
> >> 
> >> 	# get ca cert
> >> 	log_entry("########################################################\n");
> >> 	log_entry("command = rsh $scep_host -l $uid /usr/bin/sscep getca -c ca.crt -u $scep_enroll_url\n");
> >> 	$result = `rsh $scep_host -l $uid /usr/bin/sscep getca -c ca.crt -u $scep_enroll_url`;
> >> 	log_entry("result = $result\n");
> >> 
> >> 	# submit enrollment request
> >> 	log_entry("########################################################\n");
> >> 	log_entry("command = rsh $scep_host -l $uid /usr/bin/sscep enroll -c ca.crt -k local.key -r local.csr  -l cert.crt -u $scep_enroll_url \n");
> >> 	my @output = `rsh $scep_host -l $uid /usr/bin/sscep enroll -c ca.crt -k local.key -r local.csr  -l cert.crt -u $scep_enroll_url `;
> >> 	log_entry("result = @output \n");
> >> 	
> >> 	# parse for success
> >> 	log_entry("########################################################
> >> \n");
> >> 	foreach(@output)
> >> 	{
> >> 		if(/pkistatus: SUCCESS/ || /certificate written as/ )
> >> 		{
> >> 			return 0;
> >> 		}
> >> 	}
> >> 	
> >> 	# failure
> >> 	return 1;
> >> }
> >> #########################################################################
> >> > 
> >> > 
> >> > 
> 
-- 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chandrasekar Kannan --  ckannan at redhat.com
Quality Engineering -- http://www.redhat.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
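As an added example (not code from this thread, from sscep or from RHCS), the same getca-then-enroll procedure in Python: it builds the two sscep command lines for the CA's cgi-bin/pkiclient.exe URL, checks the enroll output the way the quoted Perl module does, and additionally compares the CA fingerprint sscep prints against a value obtained out of band, which is the "pin" step. The sample outputs, hostname and fingerprint below are constructed placeholders.

```python
import re

# Constructed sample outputs, modelled on the sscep log lines quoted in the
# thread. Hostname and fingerprint are placeholders, not real values.
SAMPLE_GETCA = """/usr/bin/sscep: requesting CA certificate
/usr/bin/sscep: valid response from server
/usr/bin/sscep: MD5 fingerprint: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
/usr/bin/sscep: CA certificate written as ca.crt
"""
SAMPLE_ENROLL_OK = """/usr/bin/sscep: sending certificate request
/usr/bin/sscep: valid response from server
/usr/bin/sscep: pkistatus: SUCCESS
/usr/bin/sscep: certificate written as cert.crt
"""
SAMPLE_ENROLL_FAIL = """/usr/bin/sscep: sending certificate request
/usr/bin/sscep: wrong (or missing) MIME content type
/usr/bin/sscep: error while sending message
"""

FP_RE = re.compile(r"fingerprint:\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)")


def sscep_commands(url, ca="ca.crt", key="local.key", csr="local.csr", cert="cert.crt"):
    """Argument vectors for the two steps: fetch the CA cert, then submit the
    CSR signed against that CA cert. 'url' is the CA's pkiclient.exe endpoint."""
    return {
        "getca": ["sscep", "getca", "-c", ca, "-u", url],
        "enroll": ["sscep", "enroll", "-c", ca, "-k", key, "-r", csr, "-l", cert, "-u", url],
    }


def getca_ok(output, expected_fp):
    """True only if sscep wrote the CA cert AND the fingerprint it printed
    matches the pinned value. Without this comparison any server answering
    on that URL would be accepted as the CA for the enroll step."""
    m = FP_RE.search(output)
    if m is None or "CA certificate written as" not in output:
        return False
    return m.group(1).upper() == expected_fp.upper()


def enroll_ok(output):
    """Same success test as the quoted Perl module: pkistatus SUCCESS or a
    certificate file written; anything else (e.g. the MIME error) is failure."""
    return any(re.search(r"pkistatus: SUCCESS|certificate written as", line)
               for line in output.splitlines())
```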
