Renew Certificate from Windows NDES get pkcs7 failure #108

Open
jmccanta opened this issue Jun 11, 2020 · 2 comments

@jmccanta

I can get a certificate against a Windows NDES server (with one-time passwords) using:

scepclient-linux-amd64 -server-url https://ndes.example.com/certsrv/mscep/mscep.dll/pkiclient.exe -private-key $PWD/local.key -certificate $PWD/me2.crt -debug -cn $(hostname -f) -country US -locality Seattle -organization 'example' -province 'Washington' -ca-fingerprint '71AC3A84 DAAEC5B5 FDDCCD64 3ED6B79D' --challenge 48D232ED9EEC123D

level=info ts=2020-06-11T20:37:14.727792055Z op=GetCACaps error=null took=99.697799ms
level=info ts=2020-06-11T20:37:14.729678491Z op=GetCACert error=null took=1.279554ms
level=debug ts=2020-06-11T20:37:14.731517079Z msg="creating SCEP CSR request" transaction_id="jCIbi0V+hiEl/uLYzr68kLGiuhg=" encryption_algorithm=0 signer_cn="SCEP SIGNER"
level=info ts=2020-06-11T20:37:15.95198212Z op=PKIOperation error=null took=1.215625539s
level=debug ts=2020-06-11T20:37:15.952513694Z msg="parsed scep pkiMessage" scep_message_type="CertRep (3)" transaction_id="jCIbi0V+hiEl/uLYzr68kLGiuhg="
level=info ts=2020-06-11T20:37:15.952759392Z pkiStatus=SUCCESS msg="server returned a certificate."
level=debug ts=2020-06-11T20:37:15.95642968Z msg="decrypt pkiEnvelope" encryption_algorithm=0 ca_certs=1

However, I am unable to renew this certificate. I have tried:

scepclient-linux-amd64 -server-url https://ndes.example.com/certsrv/mscep/mscep.dll/pkiclient.exe -private-key $PWD/local.key -certificate $PWD/me2.crt -debug

level=info ts=2020-06-11T21:08:35.700322832Z op=GetCACaps error=null took=92.573801ms
level=info ts=2020-06-11T21:08:35.70202669Z op=GetCACert error=null took=1.277553ms
level=debug ts=2020-06-11T21:08:35.703805224Z msg="creating SCEP CSR request" transaction_id="nEP02JHe3Qfool8yoh2EPb/MdEI=" encryption_algorithm=0 signer_cn=apache.example.com
level=info ts=2020-06-11T21:08:35.713298966Z op=PKIOperation error=null took=5.958991ms
level=debug ts=2020-06-11T21:08:35.713425167Z msg="parsed scep pkiMessage" scep_message_type="CertRep (3)" transaction_id="nEP02JHe3Qfool8yoh2EPb/MdEI="
RenewalReq (17) request failed, failInfo: badMessageCheck (1)

@groob
Member

groob commented Jun 11, 2020

badMessageCheck means the server didn't like the renewal request for whatever reason. The server is probably logging the actual reason for the failure, which would be useful in debugging here.

@jessepeterson
Member

@jmccanta were you able to get more information/logs from the NDES server?
