FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
Markus_M
Staff
Article Id 355014
Description

 

This article describes an example use case for certmonger and the FortiAuthenticator as SCEP server. Note that certmonger is a third party tool and not endorsed by Fortinet. Its documentation can be found here:
https://www.freeipa.org/page/Documentation.html 

 

Scope

 

FortiAuthenticator v6.6.2 and certmonger 0.79.14 were used as a base. Note that files and examples may well differ in other environments and may have to be adapted.

 

Solution

 

FortiAuthenticator as an SCEP server can sign CSRs and issue certificates. This example assumes the following prerequisites:

  • FortiAuthenticator has been set up with a proper web server certificate. This example additionally uses the CA capabilities of FortiAuthenticator, but this is not required.
  • The SCEP client must have the server certificate available as a file (public key portion).
  • The SCEP client must have the server certificate's chain available as a file. That includes not only the CA root certificate but all intermediates. Such a file can be generated by copying each certificate into a single file: first the root, then the intermediates in order.
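Building the chain file and checking its order before handing it to the client is worth a few lines of script. The following is an added example, not code from the article or from certmonger: it concatenates the certificates in the given order and then verifies that the first one is self-signed and that every following certificate was issued by the one before it, which is the order the prerequisite above calls for. It assumes an openssl binary on PATH; the demo root and intermediate it generates are constructed for this example only.

```shell
#!/bin/sh
# Added example (not from the article or from certmonger): build the chain
# file (root first, then intermediates) and check that it is in that order.
# Assumes "openssl" on PATH. The demo-root/demo-intermediate names below are
# constructed for this example.
set -u

# build_chain_file OUT ROOT [INTERMEDIATE ...]
# Concatenates the given PEM files, in the order given, into OUT.
build_chain_file() {
    out=$1; shift
    : > "$out"
    for cert in "$@"; do
        cat "$cert" >> "$out"
    done
}

# name_field FILE subject|issuer: prints the DN in RFC 2253 form
name_field() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2=//"
}

# check_chain_order FILE
# Returns 0 when the first certificate is self-signed and every following
# certificate was issued by the one before it; otherwise reports the first
# position that breaks the chain and returns 1.
check_chain_order() {
    chain=$1
    work=$(mktemp -d) || return 1
    # split the bundle into cert1.pem, cert2.pem, ... in file order
    awk -v dir="$work" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$chain"
    n=$(ls "$work" | wc -l | tr -d ' ')
    rc=0
    prev_subject=""
    i=1
    if [ "$n" -eq 0 ]; then
        echo "no certificate found in $chain" >&2
        rc=1
    fi
    while [ "$i" -le "$n" ]; do
        cert="$work/cert$i.pem"
        subject=$(name_field "$cert" subject)
        issuer=$(name_field "$cert" issuer)
        if [ "$i" -eq 1 ]; then
            if [ "$subject" != "$issuer" ]; then
                echo "position 1 is not a self-signed root: $subject" >&2
                rc=1; break
            fi
        elif [ "$issuer" != "$prev_subject" ]; then
            echo "position $i ($subject) is not issued by position $((i - 1)) ($prev_subject)" >&2
            rc=1; break
        fi
        prev_subject=$subject
        i=$((i + 1))
    done
    rm -rf "$work"
    return $rc
}

# make_demo_hierarchy DIR
# Creates a constructed root -> intermediate pair, for demonstration only.
make_demo_hierarchy() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo-root \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=demo-intermediate \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/int.csr" -CA "$dir/root.pem" \
        -CAkey "$dir/root.key" -CAcreateserial -out "$dir/int.pem" 2>/dev/null
}

# demo: returns 0 when a correctly ordered chain passes and a reversed one fails
demo() {
    dir=$(mktemp -d) || return 1
    make_demo_hierarchy "$dir"
    build_chain_file "$dir/chain-ok.pem" "$dir/root.pem" "$dir/int.pem"
    build_chain_file "$dir/chain-bad.pem" "$dir/int.pem" "$dir/root.pem"
    if check_chain_order "$dir/chain-ok.pem"; then ok=0; else ok=1; fi
    if check_chain_order "$dir/chain-bad.pem" 2>/dev/null; then bad=0; else bad=1; fi
    rm -rf "$dir"
    [ "$ok" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo && echo "chain order check: OK"
```

The same check is useful for the file passed to getcert add-scep-ca -N later on: a chain in the wrong order is one of the local-file problems that produce no clear error from getcert.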

 

The FortiAuthenticator was then set up as follows:

 

SCEP interface settings

 

Note that these settings must be defined for either HTTP or HTTPS; it is not required to enable both SCEP services. HTTPS, however, is recommended when FortiAuthenticator acts as an SCEP server.

 

A valid HTTPS web server certificate must be selected.

 

This certificate and setting are highlighted because the same certificate must be present as a file on the client.

 

The following are the actual SCEP settings:

 

SCEP settings

 

The enrollment password can be defined freely and serves as a default in case no other password is defined.

Enrollment requests have to be defined as templates, and a client request will have to match one of them based on the selected subject criterion.

In this example, a wildcard enrollment request is defined:

 

Wildcard enrollment template

 

These were the server settings; the following shows the client side. There are no settings to configure on the client, since everything is passed in the commands themselves, so the commands are explained below. To avoid interference from previous tests, first check for existing settings with the getcert command and its list and list-cas arguments:


# getcert list

Number of certificates and requests being tracked: 1.
Request ID '20241025084844':
       status: MONITORING
       stuck: no
       key pair storage: type=FILE,location='/home/markus/Downloads/9369871-SCEP/privkey6626.pem'
       certificate: type=FILE,location='/home/markus/Downloads/9369871-SCEP/public_key6626.crt'
       CA: remote_CA
       issuer: CN=CA_remote
       subject: CN=testscep6626
       issued: 2024-10-22 19:25:20 CEST
       expires: 2025-10-22 19:25:20 CEST
       email: markus@forti.lab
       key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
       eku: id-kp-serverAuth,id-kp-clientAuth
       pre-save command:  
       post-save command:  
       track: yes
       auto-renew: yes

# getcert list-cas
CA 'SelfSign':
       is-default: no
       ca-type: INTERNAL:SELF
       next-serial-number: 01
CA 'IPA':
       is-default: no
       ca-type: EXTERNAL
       helper-location: /usr/lib/certmonger/ipa-submit
CA 'dogtag-ipa-renew-agent':
       is-default: no
       ca-type: EXTERNAL
       helper-location: /usr/lib/certmonger/dogtag-ipa-renew-agent-submit
CA 'remote_CA':
       is-default: no
       ca-type: EXTERNAL
       helper-location: /usr/lib/certmonger/scep-submit -u https://remote.forti.lab/app/cert/scep/ -R /home/certclient/certs/remote-forti-lab.pem       -N /home/certclient/certs/FAC_CA.pem
       SCEP CA certificate thumbprint (MD5): A53F3191 6272E485 7BA43283 B994264B
       SCEP CA certificate thumbprint (SHA1): 90EE3858 FA90F660 9602A317 1268A7E3 96EA2EC2

 

If any are found, remove the ones left over from a test. Here, the remote_CA and the certificate tracking request will be removed. Removing them is not strictly required, but it makes testing easier, and if the private key is re-used, the certificate tracking should be ended.

This helps with troubleshooting as well.


# getcert stop-tracking -i 20241025084844
Request "20241025084844" removed.
# getcert remove-ca -c remote_CA
CA "remote_CA" removed.

 

Creating a certificate is done in three steps:

  1. Create a private key.
  2. Create a CA link for certmonger. This sends GetCACaps/GetCACert requests to the FortiAuthenticator web server.
  3. Create the certificate and have it signed.


Each step is broken down:


openssl genrsa -out privkey.pem 4096


This creates a 4096-bit RSA private key file in the current directory; it is needed later to create the certificate signing request. Next, the CA link is created:


getcert add-scep-ca -u https://remote.forti.lab/app/cert/scep/ -R /home/certclient/certs/remote-forti-lab.pem -c remote_CA -N /home/certclient/certs/FAC_CA.pem

 

-u requires the URL of the SCEP server. It is likely the same as shown above, but copy it from the general SCEP settings.

-R requires the path to the SCEP server's web server certificate when using HTTPS (highly recommended).

-c sets the freely definable name of the CA that certmonger will use for tracking.

-N requires the path to the certificate chain of the web server certificate. The certificates (public key portion) of the root CA and any intermediate CA(s) need to be in this file.

 

getcert request -k /home/certclient/certs/privkey.pem -f /home/certclient/certs/public_key.crt -c remote_CA -N communitySCEP -E markus@forti.lab -w -L fortinet

 

-k requires the private key created in step 1.

-f defines the path where the signed certificate (public key portion) will be stored as the result of a successful SCEP operation.

-c refers to the CA name created in step 2.

-N is required to be the subject of the certificate to be signed. In wildcard templates, this will always match. In defined templates, it must match an existing template.

-E sets the email address to include in the certificate.

-w makes getcert wait until the enrollment is finished and the certificate has been obtained.

-L sets the enrollment template's password: either the default, if chosen, or the password defined in the template.
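The three steps wrapped in a script, as an added example that is not part of the article or of certmonger. Before it runs the two getcert commands it checks the local inputs the article says getcert will not complain about (a missing or unreadable key, -R or -N file, and the URL scheme), so that a failure shows up before the enrollment is attempted. It assumes openssl on PATH; getcert is only called inside scep_enroll, and the key, certificate, URL and file names in the demo are placeholders constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the article or from certmonger: the client
# steps wrapped in functions, with a preflight check for the local problems
# the article names (getcert request does not report a missing input file).
# Assumes openssl on PATH; getcert is only called inside scep_enroll. File
# names, URL and template values are placeholders constructed for this example.
set -u

# pem_count FILE: number of PEM certificate blocks in FILE (0 if unreadable)
pem_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# scep_preflight KEY R_FILE N_FILE URL
# KEY is the private key from step 1, R_FILE the web server certificate
# passed to -R, N_FILE the chain passed to -N, URL the SCEP URL for -u.
# Prints each problem found and returns 1 if there were any.
scep_preflight() {
    key=$1 rfile=$2 nfile=$3 url=$4
    problems=0
    if ! openssl pkey -in "$key" -noout 2>/dev/null; then
        echo "private key '$key' is missing or not a readable PEM key (step 1)" >&2
        problems=$((problems + 1))
    fi
    if ! openssl x509 -in "$rfile" -noout 2>/dev/null; then
        echo "-R file '$rfile' is not a readable PEM certificate" >&2
        problems=$((problems + 1))
    fi
    if [ "$(pem_count "$nfile")" -lt 1 ]; then
        echo "-N file '$nfile' holds no certificate (root first, then intermediates)" >&2
        problems=$((problems + 1))
    fi
    case $url in
        https://*) ;;
        http://*)  echo "note: '$url' uses plain HTTP; HTTPS is recommended" >&2 ;;
        *)         echo "'$url' is not an http(s) URL" >&2; problems=$((problems + 1)) ;;
    esac
    [ "$problems" -eq 0 ]
}

# scep_enroll KEY R_FILE N_FILE URL CA_NAME SUBJECT EMAIL PASSWORD OUT_CERT
# Steps 2 and 3 of the article; step 1 (openssl genrsa) must already be done.
# The CA link is only added when certmonger does not know CA_NAME yet.
scep_enroll() {
    key=$1 rfile=$2 nfile=$3 url=$4 ca=$5 subject=$6 email=$7 password=$8 out=$9
    scep_preflight "$key" "$rfile" "$nfile" "$url" || return 1
    if ! getcert list-cas | grep -q "^CA '$ca':"; then
        getcert add-scep-ca -u "$url" -R "$rfile" -c "$ca" -N "$nfile" || return 1
    fi
    getcert request -k "$key" -f "$out" -c "$ca" -N "$subject" -E "$email" -w -L "$password"
}

# demo_preflight: constructed key and self-signed certificate in a temp dir;
# returns 0 when the complete set passes and the same set without the key fails.
demo_preflight() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo-fac \
        -keyout "$dir/privkey.pem" -out "$dir/server.pem" 2>/dev/null
    cp "$dir/server.pem" "$dir/chain.pem"   # a self-signed server cert is its own chain
    url="https://remote.forti.lab/app/cert/scep/"   # placeholder URL from the article
    if scep_preflight "$dir/privkey.pem" "$dir/server.pem" "$dir/chain.pem" "$url"; then ok=0; else ok=1; fi
    if scep_preflight "$dir/missing.pem" "$dir/server.pem" "$dir/chain.pem" "$url" 2>/dev/null; then bad=0; else bad=1; fi
    rm -rf "$dir"
    [ "$ok" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo_preflight && echo "preflight check: OK"
```

A real run would be scep_enroll with the key, -R file, -N file, URL, CA name, subject, email, enrollment password and output path from the commands above; the preflight is what runs first and is the part worth keeping even if the rest is typed by hand.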

The output of getcert list will then be:


# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20241104100104':
       status: MONITORING
       stuck: no
       key pair storage: type=FILE,location='/home/certclient/certs/privkey.pem'
       certificate: type=FILE,location='/home/certclient/certs/public_key.crt'
       signing request thumbprint (MD5): 106044B3 9FCA8F87 E3EC032F 5CBFF7A3
       signing request thumbprint (SHA1): 28ED3E5E 5768EEA7 0465BEBC DE313C2D 4BC8D4DD
       CA: remote_CA
       issuer: CN=CA_remote
       subject: CN=communitySCEP
       issued: 2024-11-04 11:01:07 CET
       expires: 2025-11-04 11:01:07 CET
       email: markus@forti.lab
       key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
       eku: id-kp-serverAuth,id-kp-clientAuth
       pre-save command:  
       post-save command:  
       track: yes
       auto-renew: yes

 

Troubleshooting can be done with the logs. However, these often do not give a clear hint as to why certmonger fails. More likely it is a reachability problem, or the getcert request was unable to find its local files (in that case there will be no error in the command output). When typing the commands, use tab completion for the commands and file paths.

 

Logs are found in the general log section and, starting with FortiAuthenticator 6.6.2, also in the https://fac-ip/debug section under SCEP. If debug logging is enabled, the logs show what has been exchanged.

 

For example, this is the log output from when add-scep-ca was executed:

 

2024-11-04T11:00:58.451885+01:00 FAC scepd[9007]: scepd.cpp:146: operation = GetCACaps
2024-11-04T11:00:58.452117+01:00 FAC scepd[9007]: scepd.cpp:147: message = 0
2024-11-04T11:00:58.454859+01:00 FAC scepd[9008]: scepd.cpp:146: operation = GetCACert
2024-11-04T11:00:58.455043+01:00 FAC scepd[9008]: scepd.cpp:147: message = 0
2024-11-04T11:00:58.455432+01:00 FAC scepd[1537]: scepd.cpp:57: SCEP GetCACaps returned: Renewal
SHA-512
SHA-256
SHA-1
DES3
2024-11-04T11:00:58.455503+01:00 FAC scepd[1537]: mo_get_cacert.cpp:121: cert ID specified, getting CA cert db id for '0'
2024-11-04T11:00:58.458981+01:00 FAC scepd[1537]: mo_get_cacert.cpp:141: get cert db id failed for '0'
2024-11-04T11:00:58.459653+01:00 FAC scepd[1537]: mo_get_cacert.cpp:168: default CA cert ID is 1
2024-11-04T11:00:58.460362+01:00 FAC scepd[1537]: mo_get_cacert.cpp:200: Retrieved CA cert from DB:
-----BEGIN CERTIFICATE-----
MIIDMDCCAhigAwIBAgIIbGfRWzJGxPcwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UE
AwwJQ0FfcmVtb3RlMB4XDTIzMDgyODE1MTMzOVoXDTMzMDgyNTE1MTMzOVowFDES
MBAGA1UEAwwJQ0FfcmVtb3RlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAvzbwPbA8p1BQ1wPiCvtIKc6eHjsvc4iEmCslDgdR9T/rmlQ6JEk+XewhwauC
44wrk3lEg829fP08iAprhxUDTyfjHhWRuF5TntxxLYOM5Sha6fuuXTv22fMb1+KK
........
axs1mqy3CdY/ryWiEftfX+Dht+ndosDbrkZ5zlNZcMbXM5rKyzz/nyK0AcBBFH4E
9LPrM0wtnMbKGVRj/OLj3e7qbT1NTHAWZhxeymLmdlZlDoowdkiN0oeISqlcxeIS
wJqU3t9Ky9HlObz68wTy6x91Gr5h0ErfVHPpbShciB68GxdYN2h9wp/dd2ulZukF
YgHJsN1+AQFJXDdnVwyHm21ehwuYS2hONNnAWdlmnDiMtpXBclwEB1B6X1Ie2tPV
qOMYWw==
-----END CERTIFICATE-----

2024-11-04T11:00:58.461013+01:00 FAC scepd[1537]: mo_get_cacert.cpp:227: got CA cert from db: /CN=CA_remote
2024-11-04T11:00:58.461023+01:00 FAC scepd[1537]: mo_get_cacert.cpp:238: DER-encoded cert size is 820 bytes
2024-11-04T11:00:58.509317+01:00 FAC scepd[9010]: scepd.cpp:146: operation = GetCACert
2024-11-04T11:00:58.509429+01:00 FAC scepd[9010]: scepd.cpp:147: message = 1
2024-11-04T11:00:58.513601+01:00 FAC scepd[1537]: mo_get_cacert.cpp:121: cert ID specified, getting CA cert db id for '1'
2024-11-04T11:00:58.516876+01:00 FAC scepd[1537]: mo_get_cacert.cpp:141: get cert db id failed for '1'
2024-11-04T11:00:58.518078+01:00 FAC scepd[1537]: mo_get_cacert.cpp:168: default CA cert ID is 1
2024-11-04T11:00:58.519141+01:00 FAC scepd[1537]: mo_get_cacert.cpp:200: Retrieved CA cert from DB:
-----BEGIN CERTIFICATE-----
MIIDMDCCAhigAwIBAgIIbGfRWzJGxPcwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UE
AwwJQ0FfcmVtb3RlMB4XDTIzMDgyODE1MTMzOVoXDTMzMDgyNTE1MTMzOVowFDES
MBAGA1UEAwwJQ0FfcmVtb3RlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
........
9LPrM0wtnMbKGVRj/OLj3e7qbT1NTHAWZhxeymLmdlZlDoowdkiN0oeISqlcxeIS
wJqU3t9Ky9HlObz68wTy6x91Gr5h0ErfVHPpbShciB68GxdYN2h9wp/dd2ulZukF
YgHJsN1+AQFJXDdnVwyHm21ehwuYS2hONNnAWdlmnDiMtpXBclwEB1B6X1Ie2tPV
qOMYWw==
-----END CERTIFICATE-----

2024-11-04T11:00:58.519578+01:00 FAC scepd[1537]: mo_get_cacert.cpp:227: got CA cert from db: /CN=CA_remote
2024-11-04T11:00:58.519588+01:00 FAC scepd[1537]: mo_get_cacert.cpp:238: DER-encoded cert size is 820 bytes
2024-11-04T11:01:04.359039+01:00 FAC scepd[9037]: scepd.cpp:146: operation = GetCACaps
2024-11-04T11:01:04.359345+01:00 FAC scepd[9037]: scepd.cpp:147: message = 0
2024-11-04T11:01:04.365603+01:00 FAC scepd[1537]: scepd.cpp:57: SCEP GetCACaps returned: Renewal
SHA-512
SHA-256
SHA-1
DES3
2024-11-04T11:01:04.434446+01:00 FAC scepd[9039]: scepd.cpp:146: operation = PKIOperation


This is the actual certificate exchange with the client:

 

2024-11-04T11:01:04.434665+01:00 FAC scepd[9039]: scepd.cpp:147: message = MIIPBAYJKoZIhvcNAQcCoIIO9TCCDvECAQExDzANBglghkgBZQMEAgEFADCCBp4GCSqGSIb3DQEHAaCCBo8EggaLMIIGhwYJKoZIhvcNAQcDoIIGeDCCBnQCAQAxggE8MIIBOAIBADAgMBQxEjAQBgNVBAMMCUNBX3JlbW90ZQIIbGfRWzJGxPcwDQYJKoZIhvcNAQEBBQAEggEAUinLcFaklag0bngeBUhUFSkb6yg55cMFmNJCSf9tOzK5hBz81smiN8/sSy5963bo+Kk/P8c8qi318CLUHa56eJO+XSfG3hXiWZbrWpGHV2uXn6VwIMAlYMEzYQ0buh5JhLz9bylBc7n0fewQA0qiGIqI4g2yJCKXfukwp6u63VaGuwb2itWYMi42hJ5Xg+S0WRewpBFrSrwRN1DdA53SHWw6uSInXtzUMjuL

........

W/UvUxvSqiRgM2f7bAVwwWBDDRngKc//zUgL06AHVvmxBKSfLWD+Yg8cdvgUX9EylJiqbo1Hxv73ecse0jcQPBEypjwMALDzkjSoo3ljw8SaRT10TRaNXQdOe9h7ik5AHoO+9F7N+pbb/gQHD1HKvLeS6JGP7d+U3rtTZ9HBylOTJFpwzrWga22dOVdDCjr2+xXFrW0StZ/dNX7xguuPZLZFXZHULIJlceErVhMmxZ1dzya9uHTH587NVpzkDLwXke/OMw1Rtf9X6vwaqaZsvk8b2g4zYHEZeCiiicta71wU2gTRWrb4EtS/03ftikpfO09jT+tbq1EfVKcLKvyRNCspfAOMRky2K05nMAn6OTNE74Wfg/VvTU4FdurCnt607/DDJdonBHcjWFqBHtBX5uimpXV7s[...]
2024-11-04T11:01:04.439543+01:00 FAC scepd[1537]: mo_handle_pki_op.cpp:154: got 5132 bytes of message
2024-11-04T11:01:04.439749+01:00 FAC scepd[1537]: mo_pkcs7unwrap.cpp:113: made a copy of the payload 5132 bytes
2024-11-04T11:01:04.439759+01:00 FAC scepd[1537]: mo_pkcs7unwrap.cpp:152: prepending Base64 decoder
2024-11-04T11:01:04.439995+01:00 FAC scepd[1537]: mo_pkcs7unwrap.cpp:172: decoded data at (nil): 0 bytes
2024-11-04T11:01:04.440009+01:00 FAC scepd[1537]: mo_pkcs7unwrap.cpp:119: decoded data is empty, try to base64 decode data with no newlines
2024-11-04T11:01:04.440017+01:00 FAC scepd[1537]: mo_pkcs7unwrap.cpp:152: prepending Base64 decoder
2024-11-04T11:01:04.440032+01:00 FAC scepd[1537]: mo_pkcs7unwrap.cpp:167: chunk of 1024 bytes
2024-11-04T11:01:04.440045+01:00 FAC scepd[1537]: mo_pkcs7unwrap.cpp:167: chunk of 1024 bytes
2024-11-04T11:01:04.440057+01:00 FAC scepd[1537]: mo_pkcs7unwrap.cpp:167: chunk of 1024 bytes
2024-11-04T11:01:04.440077+01:00 FAC scepd[1537]: mo_pkcs7unwrap.cpp:167: chunk of 776 bytes
2024-11-04T11:01:04.440086+01:00 FAC scepd[1537]: mo_pkcs7unwrap.cpp:172: decoded data at 0x5646a8139df0: 3848 bytes
2024-11-04T11:01:04.441060+01:00 FAC scepd[1537]: mo_pkcs7unwrap.cpp:131: received message is signed
2024-11-04T11:01:04.441922+01:00 FAC scepd[1537]: mo_pkcs7unwrap.cpp:266: got 1675 bytes of enveloped data
2024-11-04T11:01:04.441930+01:00 FAC scepd[1537]: mo_pkcs7unwrap.cpp:293: found exactly one signer: good
2024-11-04T11:01:04.441949+01:00 FAC scepd[1537]: mo_pkcs7unwrap.cpp:231: issuer of signer /CN=communitySCEP
2024-11-04T11:01:04.441954+01:00 FAC scepd[1537]: mo_pkcs7unwrap.cpp:233: subject of signer: /CN=communitySCEP
2024-11-04T11:01:04.441959+01:00 FAC scepd[1537]: mo_pkcs7unwrap.cpp:309: preparing cert store for signature verification
2024-11-04T11:01:04.441963+01:00 FAC scepd[1537]: mo_pkcs7unwrap.cpp:310: working with signer @0x5646a810c340
2024-11-04T11:01:04.441969+01:00 FAC scepd[1537]: mo_pkcs7unwrap.cpp:317: verify against selfsigned cert 0x5646a810c340
2024-11-04T11:01:04.441974+01:00 FAC scepd[1537]: mo_pkcs7unwrap.cpp:332: certificate (@0x5646a810c340) for '/CN=communitySCEP' added to store
2024-11-04T11:01:04.441978+01:00 FAC scepd[1537]: mo_pkcs7unwrap.cpp:342: verifying signature
2024-11-04T11:01:04.442297+01:00 FAC scepd[1537]: mo_pkcs7unwrap.cpp:351: signature verfied OK
2024-11-04T11:01:04.442405+01:00 FAC scepd[1537]: x509_attr_stack.cpp:78: added oid 2.16.840.1.113733.1.9.2 for name messageType
2024-11-04T11:01:04.442463+01:00 FAC scepd[1537]: x509_attr_stack.cpp:78: added oid 2.16.840.1.113733.1.9.3 for name pkiStatus
2024-11-04T11:01:04.442491+01:00 FAC scepd[1537]: x509_attr_stack.cpp:78: added oid 2.16.840.1.113733.1.9.4 for name failInfo
2024-11-04T11:01:04.442526+01:00 FAC scepd[1537]: x509_attr_stack.cpp:78: added oid 2.16.840.1.113733.1.9.5 for name senderNonce
2024-11-04T11:01:04.442560+01:00 FAC scepd[1537]: x509_attr_stack.cpp:78: added oid 2.16.840.1.113733.1.9.6 for name recipientNonce
2024-11-04T11:01:04.442584+01:00 FAC scepd[1537]: x509_attr_stack.cpp:78: added oid 2.16.840.1.113733.1.9.7 for name transId
2024-11-04T11:01:04.442606+01:00 FAC scepd[1537]: x509_attr_stack.cpp:78: added oid 2.16.840.1.113733.1.9.8 for name extensionReq
2024-11-04T11:01:04.442627+01:00 FAC scepd[1537]: get_attribute: finding attribute transId
2024-11-04T11:01:04.442652+01:00 FAC scepd[1537]: get_signed_attribute: allocating 77 bytes for attribute
2024-11-04T11:01:04.442723+01:00 FAC scepd[1537]: transId: 55849671477617397493339672734883587704383098097257695772391268891138853581169
2024-11-04T11:01:04.442757+01:00 FAC scepd[1537]: get_attribute: finding attribute messageType
2024-11-04T11:01:04.442777+01:00 FAC scepd[1537]: get_signed_attribute: allocating 2 bytes for attribute
2024-11-04T11:01:04.442795+01:00 FAC scepd[1537]: messageType: 19
2024-11-04T11:01:04.442821+01:00 FAC scepd[1537]: get_attribute: finding attribute senderNonce
2024-11-04T11:01:04.442847+01:00 FAC scepd[1537]: get_signed_attribute: allocating 16 bytes for attribute
2024-11-04T11:01:04.442866+01:00 FAC scepd[1537]: extract_signed_attributes: senderNonce in request:
2024-11-04T11:01:04.442891+01:00 FAC scepd[1537]: 0976046C8925CA781F69E4E843306D7B
2024-11-04T11:01:04.442909+01:00 FAC scepd[1537]:
2024-11-04T11:01:04.442933+01:00 FAC scepd[1537]: mo_pkcs7unwrap.cpp:398: working on inner pkcs#7
2024-11-04T11:01:04.443004+01:00 FAC scepd[1537]: utils.cpp:330: looking for a matching CA
2024-11-04T11:01:04.470186+01:00 FAC scepd[1537]: utils.cpp:349: CA (ID=2) subject /CN=testCA
2024-11-04T11:01:04.470492+01:00 FAC scepd[1537]: utils.cpp:349: CA (ID=1) subject /CN=CA_remote
2024-11-04T11:01:04.474048+01:00 FAC scepd[1537]: utils.cpp:378: found matching CA to decrypt (ID: 1): /CN=CA_remote
2024-11-04T11:01:04.474173+01:00 FAC scepd[1537]: CA X509 content:
-----BEGIN CERTIFICATE-----
MIIDMDCCAhigAwIBAgIIbGfRWzJGxPcwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UE
AwwJQ0FfcmVtb3RlMB4XDTIzMDgyODE1MTMzOVoXDTMzMDgyNTE1MTMzOVowFDES
MBAGA1UEAwwJQ0FfcmVtb3RlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC

........
wJqU3t9Ky9HlObz68wTy6x91Gr5h0ErfVHPpbShciB68GxdYN2h9wp/dd2ulZukF
YgHJsN1+AQFJXDdnVwyHm21ehwuYS2hONNnAWdlmnDiMtpXBclwEB1B6X1Ie2tPV
qOMYWw==
-----END CERTIFICATE-----

2024-11-04T11:01:04.474219+01:00 FAC scepd[1537]: mo_pkcs7unwrap.cpp:212: got 1283 bytes of decrypted data
2024-11-04T11:01:04.474248+01:00 FAC scepd[1537]: mo_pkcs7unwrap.cpp:448: decoding X509_REQ
2024-11-04T11:01:04.474754+01:00 FAC scepd[1537]: mo_handle_pki_op.cpp:185: message with transaction id 55849671477617397493339672734883587704383098097257695772391268891138853581169
2024-11-04T11:01:04.474818+01:00 FAC scepd[1537]: mo_handle_pki_op.cpp:186: sender is /CN=communitySCEP
2024-11-04T11:01:04.474898+01:00 FAC scepd[1537]: mo_handle_pki_op.cpp:210: PKCSReq message received
2024-11-04T11:01:04.475033+01:00 FAC scepd[1537]: mo_enroll.cpp:580: handling PKCSReq message
2024-11-04T11:01:04.477051+01:00 FAC scepd[1537]: mo_get_enrollments.cpp:77: there are 0 pending enrollment(s)
2024-11-04T11:01:04.479578+01:00 FAC scepd[1537]: mo_get_enrollments.cpp:273: there are 0 revoked enrollment(s) that are eligible for renewal
2024-11-04T11:01:04.481730+01:00 FAC scepd[1537]: mo_get_enrollments.cpp:209: there are 0 approved enrollment(s) that are eligible for renewal
2024-11-04T11:01:04.482099+01:00 FAC scepd[1537]: mo_get_enrollments.cpp:177: there are 1 pending wildcard enrollment(s)
2024-11-04T11:01:04.482112+01:00 FAC scepd[1537]: mo_get_enrollments.cpp:433: checking pending wildcard enroll req (id=6) subject:
2024-11-04T11:01:04.482119+01:00 FAC scepd[1537]: mo_get_enrollments.cpp:438: found matching subject (id=6)
2024-11-04T11:01:04.482128+01:00 FAC scepd[1537]: mo_enroll.cpp:400: checking for wildcard enrollment requests
2024-11-04T11:01:04.482138+01:00 FAC scepd[1537]: utils.cpp:401: getting challenge password from X.509 request 0x5646a81334f0
2024-11-04T11:01:04.482148+01:00 FAC scepd[1537]: utils.cpp:405: 3 attributes found
2024-11-04T11:01:04.482158+01:00 FAC scepd[1537]: utils.cpp:414: challengePassword at offset 0
2024-11-04T11:01:04.482167+01:00 FAC scepd[1537]: utils.cpp:426: type of challengePassword is 19
2024-11-04T11:01:04.482178+01:00 FAC scepd[1537]: utils.cpp:441: challenge Password 'fortinet'
2024-11-04T11:01:04.482186+01:00 FAC scepd[1537]: mo_enroll.cpp:145: client CSR subject: /CN=communitySCEP
2024-11-04T11:01:04.482199+01:00 FAC scepd[1537]: mo_enroll.cpp:130: checking enroll req (id=6) subject: NO X509_NAME
2024-11-04T11:01:04.482394+01:00 FAC scepd[1537]: mo_enroll.cpp:163: challenge pwd validated with (id=6)
2024-11-04T11:01:04.482417+01:00 FAC scepd[1537]: mo_enroll.cpp:514: automatic enrollment
2024-11-04T11:01:04.482823+01:00 FAC scepd[1537]: semaphore.cpp:226: Connecting to memcached
2024-11-04T11:01:04.483623+01:00 FAC scepd[1537]: semaphore.cpp:171: Adding initial semaphore (pid: 1537)
2024-11-04T11:01:04.483883+01:00 FAC scepd[1537]: mo_sign_request.cpp:163: a temp file /tmp/cmp/x509req.yQ1qvv created to write x509 request
2024-11-04T11:01:04.484050+01:00 FAC scepd[1537]: mo_sign_request.cpp:512: running command to sign request with args:
2024-11-04T11:01:04.484062+01:00 FAC scepd[1537]: cmd args: python /var/www/fac/manage.pyc sign_x509_req --id=6 --trans-id=55849671477617397493339672734883587704383098097257695772391268891138853581169 --x509-req=/tmp/cmp/x509req.yQ1qvv --renewal=0 --subject=/CN=communitySCEP
2024-11-04T11:01:07.887316+01:00 FAC scepd[1537]: mo_sign_request.cpp:535: successfully signed certificate request for transaction 55849671477617397493339672734883587704383098097257695772391268891138853581169
2024-11-04T11:01:07.887449+01:00 FAC scepd[1537]: semaphore.cpp:312: Releasing semaphore (pid: 1537, remaining: 0)
2024-11-04T11:01:07.889079+01:00 FAC scepd[1537]: db_utils.cpp:265: Retrieved client cert from DB:
-----BEGIN CERTIFICATE-----
MIIEbjCCA1agAwIBAgIJAL19Xh+5e3tKMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV
BAMMCUNBX3JlbW90ZTAeFw0yNDExMDQxMDAxMDdaFw0yNTExMDQxMDAxMDdaMBgx
FjAUBgNVBAMTDWNvbW11bml0eVNDRVAwggIiMA0GCS...
2024-11-04T11:01:07.889464+01:00 FAC scepd[1537]: mo_handle_pki_op.cpp:244: reply prepared, encoding follows
2024-11-04T11:01:07.889475+01:00 FAC scepd[1537]: mo_pkcs7wrap.cpp:147: using selfsigned cert for encryption (0x5646a810c340)
2024-11-04T11:01:07.889479+01:00 FAC scepd[1537]: mo_pkcs7wrap.cpp:149: using CA cert for signature
2024-11-04T11:01:07.889483+01:00 FAC scepd[1537]: mo_pkcs7wrap.cpp:156: encrypting for '/CN=communitySCEP'
2024-11-04T11:01:07.889490+01:00 FAC scepd[1537]: mo_pkcs7wrap.cpp:159: writing a message of type CertRep, status SUCCESS
2024-11-04T11:01:07.889505+01:00 FAC scepd[1537]: mo_pkcs7wrap.cpp:57: payload to encrypt: 2009 bytes
2024-11-04T11:01:07.889510+01:00 FAC scepd[1537]: mo_pkcs7wrap.cpp:184: added recipient certificate for /CN=communitySCEP at 0x5646a810c340
2024-11-04T11:01:07.889997+01:00 FAC scepd[1537]: mo_pkcs7wrap.cpp:199: data encrypted
2024-11-04T11:01:07.890023+01:00 FAC scepd[1537]: mo_pkcs7wrap.cpp:246: PKCS#7 type and content set up
2024-11-04T11:01:07.890040+01:00 FAC scepd[1537]: mo_pkcs7wrap.cpp:254: sender signature added
2024-11-04T11:01:07.890061+01:00 FAC scepd[1537]: build_reply: adding signed attributes
2024-11-04T11:01:07.890066+01:00 FAC scepd[1537]: add_string: adding string attribute transId
2024-11-04T11:01:07.890073+01:00 FAC scepd[1537]: add_string: adding string attribute messageType
2024-11-04T11:01:07.890077+01:00 FAC scepd[1537]: add_string: adding string attribute pkiStatus
2024-11-04T11:01:07.890081+01:00 FAC scepd[1537]: add_octets: adding octet attribute senderNonce
2024-11-04T11:01:07.890085+01:00 FAC scepd[1537]: add_octets: adding octet attribute recipientNonce
2024-11-04T11:01:07.890099+01:00 FAC scepd[1537]: mo_pkcs7wrap.cpp:288: all authenticated attributes added
2024-11-04T11:01:07.890913+01:00 FAC scepd[1537]: mo_pkcs7wrap.cpp:296: signature finalized
2024-11-04T11:01:07.890950+01:00 FAC scepd[1537]: mo_pkcs7wrap.cpp:87: encoded bytes: 5340
2024-11-04T11:01:07.891545+01:00 FAC scepd[1537]: mo_pkcs7wrap.cpp:102: encode(3) completes successfully
2024-11-04T11:01:07.891557+01:00 FAC scepd[1537]: mo_handle_pki_op.cpp:272: preparing reply headers
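Reading this debug output by hand is tedious when all that matters is whether the request reached the server, which template it matched and what the reply status was. The following awk filter is an added example, not a FortiAuthenticator or certmonger tool: it condenses a scepd debug log into one line per field of interest (operations seen, transaction id, message type, sender, matched template id, signature check, CertRep status). The sample log it writes is a trimmed copy of the lines shown above; the file name is constructed.

```shell
#!/bin/sh
# Added example (not a FortiAuthenticator or certmonger tool): condense a
# scepd debug log into the fields needed to check an enrollment. The sample
# lines in write_sample_log are trimmed copies of the article's log output.
set -u

# scep_log_summary FILE
# Prints "key=value" lines: operations seen in order, and for the
# PKIOperation the transId, messageType (19 = PKCSReq), sender, the
# enrollment template that validated the challenge password, whether the
# client signature verified, and the pkiStatus written into the CertRep.
scep_log_summary() {
    awk '
        /operation = /      { sub(/.*operation = /, ""); ops = ops (ops ? "," : "") $0 }
        /transId: /         { sub(/.*transId: /, ""); trans = $0 }
        /messageType: /     { sub(/.*messageType: /, ""); mtype = $0 }
        /sender is /        { sub(/.*sender is /, ""); sender = $0 }
        /challenge pwd validated with \(id=/ {
            match($0, /id=[0-9]+/); tmpl = substr($0, RSTART + 3, RLENGTH - 3)
        }
        /signature verfied OK|signature verified OK/ { sigok = "yes" }
        /writing a message of type CertRep, status / { sub(/.*status /, ""); status = $0 }
        END {
            print "operations=" ops
            print "transId=" trans
            print "messageType=" mtype
            print "sender=" sender
            print "template_id=" tmpl
            print "signature_ok=" (sigok ? sigok : "no")
            print "pkiStatus=" (status ? status : "none")
        }
    ' "$1"
}

# scep_log_field FILE KEY: one value from the summary, for use in scripts
scep_log_field() {
    scep_log_summary "$1" | sed -n "s/^$2=//p"
}

# write_sample_log FILE: trimmed copy of the article's scepd log lines
write_sample_log() {
    cat > "$1" <<'EOF'
2024-11-04T11:00:58.451885+01:00 FAC scepd[9007]: scepd.cpp:146: operation = GetCACaps
2024-11-04T11:00:58.454859+01:00 FAC scepd[9008]: scepd.cpp:146: operation = GetCACert
2024-11-04T11:01:04.434446+01:00 FAC scepd[9039]: scepd.cpp:146: operation = PKIOperation
2024-11-04T11:01:04.442297+01:00 FAC scepd[1537]: mo_pkcs7unwrap.cpp:351: signature verfied OK
2024-11-04T11:01:04.442723+01:00 FAC scepd[1537]: transId: 55849671477617397493339672734883587704383098097257695772391268891138853581169
2024-11-04T11:01:04.442795+01:00 FAC scepd[1537]: messageType: 19
2024-11-04T11:01:04.474818+01:00 FAC scepd[1537]: mo_handle_pki_op.cpp:186: sender is /CN=communitySCEP
2024-11-04T11:01:04.482394+01:00 FAC scepd[1537]: mo_enroll.cpp:163: challenge pwd validated with (id=6)
2024-11-04T11:01:07.889490+01:00 FAC scepd[1537]: mo_pkcs7wrap.cpp:159: writing a message of type CertRep, status SUCCESS
EOF
}

# demo: summarize the sample log
demo() {
    f=$(mktemp) || return 1
    write_sample_log "$f"
    scep_log_summary "$f"
    rm -f "$f"
}

demo
```

On a failed run the interesting lines are the ones that are missing: no PKIOperation means the request never reached the server (reachability or a local-file problem on the client), a PKIOperation without a validated template points at the enrollment password or the subject criterion, and a pkiStatus other than SUCCESS is the server's own verdict.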

 

Related article:
SSL/TLS and the use of Digital Certificates  
