certnanny/sscep

CA Identifier switch -i not functional?

MorgusLethe opened this issue · 1 comments

Expectation: adding -i switch will tell the CA server which CA I want to work with
Issue: -i switch does nothing (does not change the GET request that sscep makes)

Details:
I am trying to query my CA server for its SCEP capabilities by using sscep getcaps -u http://[redacted]/ejbca/publicweb/apply/scep/pkiclient.exe. This does not work, adding the -v switch reveals why: the CA server does not know which CA's information I want. It says that I should add the message parameter to identify the CA to use. I suppose that the -i switch called CA Identifier in the README of sscep should do that, but it did not work.

I inspected the network packet with Wireshark, and using -i does not add anything to the URL. Here is an image:
image

If I make the following manual GET request using curl AND MAKE SURE THAT I AM ADDING THE MESSAGE PARAMETER: curl -X GET "http:[redacted]/ejbca/publicweb/apply/scep/pkiclient.exe?operation=GetCACaps&message=[redacted]", the server correctly returns capabilities:
POSTPKIOperation
Renewal
SHA-512
SHA-256
SHA-1
DES3%

Am I misunderstanding the function of the -i switch? How do I tell sscep to identify the CA to work with?

Thank you!

I did some more tests and realized that the -i switch does work with the enroll operation. Even though the enroll operation also uses the getcaps operation (which fails in my case), the next steps work correctly and I have successfully generated a certificate. Since it used the information in the -i switch, I assume it works correctly. Thx for this software! Closing.
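
Added example, not part of the original issue and not sscep's code: a sketch of the GetCACaps exchange discussed above, building the GET URL with the CA identifier in the message parameter and interpreting the returned keyword list. The host name, the CA identifier "My CA" and all function names are hypothetical; the keyword set is the one defined for GetCACaps in RFC 8894.

```python
from urllib.parse import quote, urlencode, urlsplit, urlunsplit

# Keywords defined for the GetCACaps response in RFC 8894.
KNOWN_CAPS = {"AES", "DES3", "GetNextCACert", "POSTPKIOperation",
              "Renewal", "SHA-1", "SHA-256", "SHA-512", "SCEPStandard"}
DIGEST_PREFERENCE = ["SHA-512", "SHA-256", "SHA-1"]  # strongest first


def getcacaps_url(base_url, ca_ident=None):
    """Build the GetCACaps GET URL; ca_ident goes in the 'message' parameter."""
    params = {"operation": "GetCACaps"}
    if ca_ident:
        params["message"] = ca_ident
    parts = urlsplit(base_url)
    query = urlencode(params, quote_via=quote)  # percent-encode the identifier
    return urlunsplit(parts._replace(query=query))


def parse_caps(body):
    """Split the response into (recognised, unknown) keyword sets."""
    known, unknown = set(), set()
    for line in body.splitlines():
        token = line.strip()
        if not token:
            continue
        # Unknown keywords are kept apart instead of being guessed at.
        (known if token in KNOWN_CAPS else unknown).add(token)
    return known, unknown


def negotiate(known):
    """Pick transport, digest and cipher from the advertised capabilities."""
    digest = next((d for d in DIGEST_PREFERENCE if d in known), None)
    cipher = "AES" if "AES" in known else ("DES3" if "DES3" in known else None)
    return {
        "http_method": "POST" if "POSTPKIOperation" in known else "GET",
        "digest": digest,
        "cipher": cipher,
        "weak": sorted(c for c in (digest, cipher) if c in {"SHA-1", "DES3"}),
    }


# Constructed sample: the capability list from the issue. The trailing "%"
# in the pasted output is assumed to be the shell's missing-newline marker
# and is left out here.
SAMPLE = "POSTPKIOperation\nRenewal\nSHA-512\nSHA-256\nSHA-1\nDES3\n"
```

For the list in the issue, `negotiate(parse_caps(SAMPLE)[0])` selects POST and SHA-512, and reports DES3 as the only advertised cipher under `weak`.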