certnanny/sscep

Test of Develop Issuing CA alias

Closed this issue · 11 comments

@gotthardp, not sure if you received notifications to #111 testing output? I attached observations to that thread which is closed.

Testing was partially successful, where the difficult stuff works :-), but I'm experiencing a variable truncation issue.

Regards
Nigel

Thanks, Nigel! I saw it, but I forgot to respond, sorry.

Hi again, it should be fixed now.

Concerning the other issue you mentioned, GetCACaps: it is meant to be automatic. The capabilities are queried before every request to automatically select the right options to use. Right now it is used only to decide between GET and POST, but it could be extended also to select the algorithms, etc.

@gotthardp Just to confirm fix was successful. I just retested on CentOS 8 the GET method transaction (GetCACaps, GetCA, PKIOperation{PKCSReq, CertPoll}). For your knowledge, these requests are against the same [ VeriSign | Symantec | DigiCert ] OnSite Processing Centre, indicated on the README.md.

I will investigate both the extension of this legacy capability, and the emerging next generation SCEP capability.

Thanks

Nigel

@gotthardp, WRT comment of GetCACaps could be used to select algorithms, this is something I do today. Essentially, I write the response to file, and parse the values into system variables. These variables are used on the sscep command line.

I hope this is useful information.

Regards
Nigel

And you obtain the GetCACaps values via some other tool, or you made a patch, or how?

You are correct, some other tool. Either:

  1. wget ${SCEP_RESPONDER}"?operations=GetCACaps""&message="${IssuingCA_Identifier} -O ${CACAPS}, or
  2. wget ${SCEP_RESPONDER}"?operations=GetCACaps" -O ${CACAPS}

I then pull the values from the output file.

BTW, the GetCACaps operation works, it is just "misdocumented" it uses the "getcaps" name instead of "getcacaps".

user@server:~/projects/sscep$ ./sscep getcaps -u http://192.168.1.1/scep
./sscep: scep capabilities: DES3, POSTPKIOperation, Renewal, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512

Thanks.
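The "parse GetCACaps into variables and pick the sscep options" approach Nigel describes, as an added example that is not part of this thread or of sscep itself. It uses the capability list printed by `sscep getcaps` above as a constructed sample body; the mapping of chosen capabilities onto sscep's `-S`/`-E` values is an assumption and should be checked against `sscep --help` for your build.

```python
"""Choose request options from a SCEP GetCACaps response body."""
from typing import Dict, List, Optional, Set

# Constructed sample: the capabilities listed by `sscep getcaps` above, as the
# plain-text body a responder returns for GetCACaps (one keyword per line).
SAMPLE_CACAPS = "DES3\nPOSTPKIOperation\nRenewal\nSHA-1\nSHA-224\nSHA-256\nSHA-384\nSHA-512\n"

# Preference order, strongest first. Anything the CA does not advertise is skipped.
HASH_PREFERENCE = ["SHA-512", "SHA-384", "SHA-256", "SHA-224", "SHA-1"]
CIPHER_PREFERENCE = ["AES", "DES3"]

# Assumed mapping onto sscep's -S / -E option values (verify with `sscep --help`).
SSCEP_SIG = {"SHA-512": "sha512", "SHA-384": "sha384", "SHA-256": "sha256",
             "SHA-224": "sha224", "SHA-1": "sha1"}
SSCEP_ENC = {"AES": "aes", "DES3": "3des"}


def parse_cacaps(body: str) -> Set[str]:
    """Split the body into keywords; tolerates CRLF and LF line endings and
    normalises to upper case so comparisons do not depend on responder casing."""
    return {line.strip().upper() for line in body.splitlines() if line.strip()}


def pick_first(prefs: List[str], caps: Set[str]) -> Optional[str]:
    """Return the first preferred keyword the CA advertises, or None."""
    for p in prefs:
        if p.upper() in caps:
            return p
    return None


def select_options(body: str) -> Dict[str, object]:
    """Decide transport and algorithms from the advertised capabilities."""
    caps = parse_cacaps(body)
    return {
        "method": "POST" if "POSTPKIOPERATION" in caps else "GET",
        "sig_alg": pick_first(HASH_PREFERENCE, caps),
        "enc_alg": pick_first(CIPHER_PREFERENCE, caps),
        "renewal": "RENEWAL" in caps,
    }


def sscep_args(body: str) -> List[str]:
    """Build the extra sscep command-line arguments for the chosen algorithms.
    Flags are only emitted for capabilities the CA actually advertised."""
    opts = select_options(body)
    args: List[str] = []
    if opts["sig_alg"]:
        args += ["-S", SSCEP_SIG[opts["sig_alg"]]]
    if opts["enc_alg"]:
        args += ["-E", SSCEP_ENC[opts["enc_alg"]]]
    return args
```

With the sample body this selects POST, SHA-512 and DES3; a responder that advertises nothing usable yields an empty argument list rather than a guessed default.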

I checked the same yesterday, with similar confirmation. I also need to talk to our platform operators regarding what happens backend, regarding the impact of the missing "...message=${IssuingCA_Identifier}..."?

I do understand the SSCEP implementation reflects the RFC 8894.

Well, the SSCEP implementation has been made by a lot of people through the years, so it may not always reflect the latest RFC. When it does not reflect the RFC 8894, or when its operation is causing some troubles, please open an issue for that.

The variable truncation has been addressed in 0f7b175.