
Renew Certificate from Windows NDES get pkcs7 failure

Open jmccanta opened this issue 4 years ago • 2 comments

I can get a certificate against a Windows NDES server (with one-time passwords) using:

scepclient-linux-amd64 -server-url https://ndes.example.com/certsrv/mscep/mscep.dll/pkiclient.exe -private-key $PWD/local.key -certificate $PWD/me2.crt -debug -cn $(hostname -f) -country US -locality Seattle -organization 'example' -province 'Washington' -ca-fingerprint '71AC3A84 DAAEC5B5 FDDCCD64 3ED6B79D' --challenge 48D232ED9EEC123D

level=info ts=2020-06-11T20:37:14.727792055Z op=GetCACaps error=null took=99.697799ms
level=info ts=2020-06-11T20:37:14.729678491Z op=GetCACert error=null took=1.279554ms
level=debug ts=2020-06-11T20:37:14.731517079Z msg="creating SCEP CSR request" transaction_id="jCIbi0V+hiEl/uLYzr68kLGiuhg=" encryption_algorithm=0 signer_cn="SCEP SIGNER"
level=info ts=2020-06-11T20:37:15.95198212Z op=PKIOperation error=null took=1.215625539s
level=debug ts=2020-06-11T20:37:15.952513694Z msg="parsed scep pkiMessage" scep_message_type="CertRep (3)" transaction_id="jCIbi0V+hiEl/uLYzr68kLGiuhg="
level=info ts=2020-06-11T20:37:15.952759392Z pkiStatus=SUCCESS msg="server returned a certificate."
level=debug ts=2020-06-11T20:37:15.95642968Z msg="decrypt pkiEnvelope" encryption_algorithm=0 ca_certs=1

However, I am unable to renew this certificate. I have tried:

scepclient-linux-amd64 -server-url https://ndes.example.com/certsrv/mscep/mscep.dll/pkiclient.exe -private-key $PWD/local.key -certificate $PWD/me2.crt -debug

level=info ts=2020-06-11T21:08:35.700322832Z op=GetCACaps error=null took=92.573801ms
level=info ts=2020-06-11T21:08:35.70202669Z op=GetCACert error=null took=1.277553ms
level=debug ts=2020-06-11T21:08:35.703805224Z msg="creating SCEP CSR request" transaction_id="nEP02JHe3Qfool8yoh2EPb/MdEI=" encryption_algorithm=0 signer_cn=apache.example.com
level=info ts=2020-06-11T21:08:35.713298966Z op=PKIOperation error=null took=5.958991ms
level=debug ts=2020-06-11T21:08:35.713425167Z msg="parsed scep pkiMessage" scep_message_type="CertRep (3)" transaction_id="nEP02JHe3Qfool8yoh2EPb/MdEI="
RenewalReq (17) request failed, failInfo: badMessageCheck (1)

jmccanta avatar Jun 11 '20 21:06 jmccanta

badMessageCheck means the server didn't like the renewal request for whatever reason. The server is probably logging the actual reason for the failure, which would be useful in debugging here.

groob avatar Jun 11 '20 22:06 groob
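As an added example, not part of this issue or of the scep project's own code: a small Go classifier that reads scepclient's logfmt-style output like the two runs posted above, pulls out the signer CN, the reply's message type, the pkiStatus and any failInfo, and maps the failInfo code to its meaning as defined for the SCEP failInfo attribute in RFC 8894. The sample outputs are excerpts of the logs in the issue (timestamps omitted); the names Classify, Outcome and explain are chosen here. It also makes visible what differs between the two runs: the enrollment is signed by the temporary "SCEP SIGNER" certificate, the renewal by the existing certificate, which is the message the server then refuses to verify.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// failInfo codes and their meaning, as defined for the SCEP failInfo attribute in RFC 8894.
var failInfoMeaning = map[int]string{
	0: "badAlg: unrecognized or unsupported algorithm",
	1: "badMessageCheck: integrity check (signature verification) of the pkiMessage failed",
	2: "badRequest: transaction not permitted or supported",
	3: "badTime: signingTime attribute too far from the server's time",
	4: "badCertId: no certificate could be identified matching the provided criteria",
}

// Outcome summarises what one scepclient run reported.
type Outcome struct {
	SignerCN     string // CN of the certificate that signed the outgoing pkiMessage
	ResponseType string // scep_message_type of the reply, e.g. "CertRep (3)"
	PKIStatus    string // pkiStatus logged on success, otherwise ""
	RequestType  string // request type named in a failure line, e.g. "RenewalReq (17)"
	FailInfo     int    // numeric failInfo, or -1 when none was reported
	Explanation  string // human-readable interpretation
}

var (
	// key=value or key="quoted value" pairs of scepclient's logfmt-style output
	kvRe = regexp.MustCompile(`(\w+)=(?:"([^"]*)"|(\S+))`)
	// trailing "<Type> (n) request failed, failInfo: <name> (<code>)" text
	failRe = regexp.MustCompile(`(\w+ \(\d+\)) request failed, failInfo: \w+ \((\d+)\)`)
)

// Classify parses the client output (one line or several) and explains the result.
func Classify(output string) Outcome {
	o := Outcome{FailInfo: -1}
	for _, m := range kvRe.FindAllStringSubmatch(output, -1) {
		val := m[2] + m[3] // exactly one of the two alternatives matched
		switch m[1] {
		case "signer_cn":
			o.SignerCN = val
		case "scep_message_type":
			o.ResponseType = val
		case "pkiStatus":
			o.PKIStatus = val
		}
	}
	if m := failRe.FindStringSubmatch(output); m != nil {
		o.RequestType = m[1]
		o.FailInfo, _ = strconv.Atoi(m[2]) // \d+ guarantees a valid integer
	}
	o.Explanation = explain(o)
	return o
}

func explain(o Outcome) string {
	if o.FailInfo < 0 {
		if o.PKIStatus == "SUCCESS" {
			return "request succeeded; server returned a certificate"
		}
		return "no pkiStatus or failInfo found in output"
	}
	meaning, ok := failInfoMeaning[o.FailInfo]
	if !ok {
		meaning = "unknown failInfo code " + strconv.Itoa(o.FailInfo)
	}
	var b strings.Builder
	fmt.Fprintf(&b, "%s rejected: %s.", o.RequestType, meaning)
	if o.FailInfo == 1 && strings.HasPrefix(o.RequestType, "RenewalReq") {
		fmt.Fprintf(&b, " The renewal was signed with the existing certificate (signer_cn=%s); "+
			"the server could not validate that signed message, so confirm the signer is the "+
			"certificate this CA issued and is still valid, and read the server-side log for the "+
			"concrete reason.", o.SignerCN)
	}
	return b.String()
}

// Excerpts of the two runs posted in the issue (timestamps omitted): enrollment, then renewal.
const enrollOutput = `level=debug msg="creating SCEP CSR request" transaction_id="jCIbi0V+hiEl/uLYzr68kLGiuhg=" encryption_algorithm=0 signer_cn="SCEP SIGNER"
level=debug msg="parsed scep pkiMessage" scep_message_type="CertRep (3)" transaction_id="jCIbi0V+hiEl/uLYzr68kLGiuhg="
level=info pkiStatus=SUCCESS msg="server returned a certificate."`

const renewOutput = `level=debug msg="creating SCEP CSR request" transaction_id="nEP02JHe3Qfool8yoh2EPb/MdEI=" encryption_algorithm=0 signer_cn=apache.example.com
level=debug msg="parsed scep pkiMessage" scep_message_type="CertRep (3)" transaction_id="nEP02JHe3Qfool8yoh2EPb/MdEI=" RenewalReq (17) request failed, failInfo: badMessageCheck (1)`

func main() {
	for _, out := range []string{enrollOutput, renewOutput} {
		o := Classify(out)
		fmt.Printf("signer=%q response=%q status=%q failInfo=%d\n  %s\n",
			o.SignerCN, o.ResponseType, o.PKIStatus, o.FailInfo, o.Explanation)
	}
}
```

Feeding the full output of a run (the one-line form scepclient prints is fine, since the parser scans key/value pairs rather than lines) gives a quick read of which request type failed and why, before turning to the NDES side for the server's own reason.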

@jmccanta were you able to get more information/logs from the NDES server?

jessepeterson avatar Mar 25 '21 21:03 jessepeterson