Describe the Bug

EJBCA-CE (ephemeral docker version) throws exception for a SCEP PkcsReq request.

To Reproduce

Steps to reproduce the behavior:

Run EJBCA-CE in a docker container as described here.
Configure a SCEP CA in RA mode with challenge password 1234.
Send a PkcsReq SCEP message (see attachment).
The EJBCA returns a java.lang.IllegalArgumentException (see attachment for more info).

Expected Behavior

EJBCA should return a new certificate. We tested our SCEP client with other CAs, which don't show problems.

Screenshots and Logs

If applicable, add screenshots and logs to help explain your problem.

Product Deployment

Please complete the following information:

Deployment format: docker
Version: latest as of 2025-07-15 (this is probably version 9.1.1, docker image digest:sha256:a7aa1e710781525444788e01b4bbbf48aac08c6262dbe7ad86b67e70cdb53843)

Desktop

Please complete the following information:

OS: Windows 11

Additional Info

Exception in EJBCA when SCEP Request is sent

SCEP enroll message (Signed PKCS7):

Response body

00000000  3C 68 74 6D 6C 3E 3C 68 65 61 64 3E 3C 74 69 74 6C 65 3E 45 72 72 6F 72 3C 2F 74 69 74 6C 65 3E  <html><head><title>Error</title>
00000020  3C 2F 68 65 61 64 3E 3C 62 6F 64 79 3E 6A 61 76 61 2E 6C 61 6E 67 2E 49 6C 6C 65 67 61 6C 41 72  </head><body>java.lang.IllegalAr
00000040  67 75 6D 65 6E 74 45 78 63 65 70 74 69 6F 6E 3A 20 75 6E 6B 6E 6F 77 6E 20 6F 62 6A 65 63 74 20  gumentException: unknown object
00000060  69 6E 20 67 65 74 49 6E 73 74 61 6E 63 65 3A 20 6F 72 67 2E 62 6F 75 6E 63 79 63 61 73 74 6C 65  in getInstance: org.bouncycastle
00000080  2E 61 73 6E 31 2E 44 4C 54 61 67 67 65 64 4F 62 6A 65 63 74 3C 2F 62 6F 64 79 3E 3C 2F 68 74 6D  .asn1.DLTaggedObject</body></htm
000000A0  6C 3E                                                                                            l>"

Error Log in EJBCA-CE Docker

2025-07-15 11:51:48,170+0000 ERROR [org.jboss.as.ejb3.invocation] (default task-12) WFLYEJB0034: Jakarta Enterprise Beans Invocation failed on component RaMasterApiProxyBean for method public abstract byte[] org.ejbca.core.model.era.RaMasterApi.scepDispatch(org.cesecore.authentication.tokens.AuthenticationToken,java.lang.String,java.lang.String,java.lang.String) throws java.security.cert.CertificateEncodingException, org.ejbca.core.protocol.NoSuchAliasException, org.cesecore.certificates.ca.CADoesntExistsException, org.ejbca.core.ejb.ra.NoSuchEndEntityException, org.cesecore.certificates.certificate.exception.CustomCertificateSerialNumberException, com.keyfactor.util.keys.token.CryptoTokenOfflineException, org.cesecore.certificates.certificate.IllegalKeyException, org.cesecore.certificates.ca.SignRequestException, org.cesecore.certificates.ca.SignRequestSignatureException, org.ejbca.core.model.ca.AuthStatusException, org.ejbca.core.model.ca.AuthLoginException, org.cesecore.certificates.ca.IllegalNameException, org.cesecore.certificates.certificate.CertificateCreateException, org.cesecore.certificates.certificate.CertificateRevokeException, org.cesecore.certificates.certificate.exception.CertificateSerialNumberException, org.cesecore.certificates.ca.IllegalValidityException, org.cesecore.certificates.ca.CAOfflineException, org.cesecore.certificates.ca.InvalidAlgorithmException, java.security.SignatureException,java.security.cert.CertificateException, org.cesecore.authorization.AuthorizationDeniedException, org.cesecore.certificates.certificate.certextensions.CertificateExtensionException, org.ejbca.ui.web.protocol.CertificateRenewalException:

jakarta.ejb.EJBException: java.lang.IllegalArgumentException: unknown object in getInstance: org.bouncycastle.asn1.DLTaggedObject

Jul 15 '25 13:07 bkstein

The log is cut just where the interesting part starts. It would be better if you store the log for the whole request as a file and attach it here

Jul 15 '25 13:07 primetomas

Also, can you say how you submit the SCEP request, is it some SCEP client like sscep or you own code?

Jul 15 '25 13:07 primetomas

Oh, and even better, configure with application debug logging (see the dockerhub documentation) enabled, it will tell you a lot more.

Jul 15 '25 13:07 primetomas

The log was truncated, but I will try to configure debug logging in docker.

Jul 15 '25 14:07 bkstein

This all I could get with docker run ... -e LOG_LEVEL_APP=DEBUG ...

2025-07-15_EJBCA-Exception-Trace.txt

Jul 15 '25 14:07 bkstein

Also, can you say how you submit the SCEP request, is it some SCEP client like sscep or you own code?

We have our own application, which implements a SCEP client.

Jul 16 '25 05:07 bkstein

@primetomas I can provide a commandline version of our software including some python scripts and a README.md (!) for easily reproducing the problem. The tool is a binary, is that a problem? (We have it for Linux and Windows).

Jul 16 '25 07:07 bkstein

Sorry, I'm on vacation and can't debug your tool. Can you use one of the existing tools, jSCEP (as referenced as sample implementation by the SCEP spec) or sscep, which we know works (or Microsoft, Cisco, and other tested clients from https://docs.keyfactor.com/ejbca/latest/scep#id-(9.3.3)SCEP-Interoperability/TestedLibrariesandDevices. And see what's the difference in your client.

Looking at the error it fails to decode a definite length encoded ASN.1 sequence. Can it be that you use indefinite length encoding on your CMS message somewhere?

Jul 16 '25 07:07 primetomas

I'd like to point out, that I did not want you to debug our tool. This should only help you to reproduce the problem with minimal effort. (And of course, I don't expect you to do this in your vacation 🙂) The bug is definitely in EJBCA. It responds with an HTML message containing the Java exception info, when SCEP specifies a CMS/PKCS#7 message. This may never happen, regardless of any unusual tags, or settings in the SCEP message. And the stack trace shows, that our SCEP message is already dispatched internally by EJBCA. Which means, we use the correct URL. Finally, we encode everything in DER - no indefinite lengths (though CMS permits BER for most parts of the messages, but EJBCA is the only CA I know, that uses BER instead of DER).

Jul 16 '25 08:07 bkstein

Sorry it was bad stated by me, I didn’t think to debug your tool. What would be interesting is to see the difference between older working tools and this one to pinpoint what encoding difference you tool does.

Jul 16 '25 09:07 primetomas

Sorry it was bad stated by me, I didn’t think to debug your tool. What would be interesting is to see the difference between older working tools and this one to pinpoint what encoding difference you tool does.

I tried to do this this morning using (micromdm's scepclient), but I ran into a problem with EJBCA-CE: I set up the SCEP CA as RA, but I see an error in EJBCA's log:

2025-07-16 10:40:11,930+0000 WARN  [org.ejbca.core.protocol.scep.ScepMessageDispatcherSessionBean] (default task-9) SCEP RA mode is enabled, but not included in the community version of EJBCA. Unable to continue.

When I configure the SCEP CA in CA mode, get this error:

2025-07-16 10:43:31,942+0000 INFO  [org.ejbca.ui.web.protocol.ScepServlet] (default task-9) SCEP cert request for unknown CA ''.: The SCEP alias sceptest is in CA mode, the message parameter in the GET request is empty, and no default CA has been defined for SCEP. Either switch to RA mode, provide the name of the CA in the message, use an alias name mapping to a CA name, or specify the default CA using the scep.defaultca property.

What should I do?

Jul 16 '25 10:07 bkstein

Since EJBCA is multitennant that command need to indicate which CA cert chain is requested. This is done with ?message=caname (as optional in the spec). You can also rename the alias to be the same as the CA you want to return the chain for. There are some other options that I don’t remember right now. It’s documented here, https://docs.keyfactor.com/ejbca/latest/scep I see that the documentation doesn’t mention the alias name option, that the error message does. It’s a miss in the doc.

Jul 16 '25 12:07 primetomas

PS: I guess you don’t have any other option than to use SCEP? It’s very legacy and lack many options of better protocols (like decent EC support or future PQC support).

Jul 16 '25 12:07 primetomas

PS: I guess you don’t have any other option than to use SCEP? It’s very legacy and lack many options of better protocols (like decent EC support or future PQC support).

Right! We have implemented a service, that gets certificates from CAs and speaks ACME and SCEP. I need a SCEP reply sample from EJBCA for testing purposes. We want to make sure, we support EJBCA.

Jul 16 '25 13:07 bkstein

Hi @bkstein. Now I'm back and added your message to our messages Junit parse test that has messages today from Cisco, OpenSCEP, SimpleScep, JavaScep and Microsoft Intune (many other clients like Juniper and lots of other devices are tested but not part of my JUnit test).

The message above now I can see fails on parsing IssuerAndSerialNumber of the RecipientIdentifier in the EnvelopedData. In your message this differs from the others. It's expecting a: IssuerAndSerialNumber ::= SEQUENCE { issuer Name, serialNumber CertificateSerialNumber }

In CMS it's: RecipientIdentifier ::= CHOICE { issuerAndSerialNumber IssuerAndSerialNumber, subjectKeyIdentifier [0] SubjectKeyIdentifier }

So I see that you went for the SubjectKeyIdentifier. While this is a correct CMS message, it's different from what the other clients use. I would try to argue that IssuerAndSerialNumber is a better choice, would it be possible that you use that? It's easier to identify the target CA/RA in a PKI system with a certificate than a key identifier.

Aug 04 '25 16:08 primetomas

Hi Tomas, thanks for looking into this again. We have a flag in our software for deciding, which RecipientIndentifier to use. We actually try to enroll with use_issuer_and_serial_for_recipient_identifier=true first and if this fails we retry with use_issuer_and_serial_for_recipient_identifier=false. But I will investigate this the next days.

Aug 05 '25 05:08 bkstein

Any update in this issue @bkstein ?

Sep 25 '25 11:09 primetomas

I'm sorry, other work pushed this issue aside. But I'm still interested in this and I created an internal ticket for me so I won't forget it. Can we leave this issue open for a while?

Sep 25 '25 12:09 bkstein

Sure

Sep 25 '25 13:09 primetomas

[BUG] exception on processing certain SCEP messages

Exception in EJBCA when SCEP Request is sent

SCEP enroll message (Signed PKCS7):

Response body

Error Log in EJBCA-CE Docker