Can't decipher errors
Flyslinger2 opened this issue · 0 comments
Errors:

```
msigsbee/PKI/SSCepClient/sscep# sscep enroll -f ./sscep.cnf
sscep: error while reading private key /home/msigsbee/PKI/Ubuntu20.key
40870699A67F0000:error:0700006C:configuration file routines:NCONF_get_string:no value:../crypto/conf/conf_lib.c:315:group=sscep name=CAIdentifier
40870699A67F0000:error:0700006C:configuration file routines:NCONF_get_string:no value:../crypto/conf/conf_lib.c:315:group=sscep name=EncAlgorithm
40870699A67F0000:error:0700006C:configuration file routines:NCONF_get_string:no value:../crypto/conf/conf_lib.c:315:group=sscep name=Proxy
40870699A67F0000:error:0700006C:configuration file routines:NCONF_get_string:no value:../crypto/conf/conf_lib.c:315:group=sscep name=MonitorInformation
40870699A67F0000:error:0700006C:configuration file routines:NCONF_get_string:no value:../crypto/conf/conf_lib.c:315:group=sscep_enroll name=SignKeyFile
40870699A67F0000:error:0700006C:configuration file routines:NCONF_get_string:no value:../crypto/conf/conf_lib.c:315:group=sscep_enroll name=SignCertFile
40870699A67F0000:error:0700006C:configuration file routines:NCONF_get_string:no value:../crypto/conf/conf_lib.c:315:group=sscep_enroll name=EncCertFile
40870699A67F0000:error:0700006C:configuration file routines:NCONF_get_string:no value:../crypto/conf/conf_lib.c:315:group=sscep_enroll name=SelfSignedFile
40870699A67F0000:error:0700006C:configuration file routines:NCONF_get_string:no value:../crypto/conf/conf_lib.c:315:group=sscep_enroll name=PollInterval
40870699A67F0000:error:0700006C:configuration file routines:NCONF_get_string:no value:../crypto/conf/conf_lib.c:315:group=sscep_enroll name=MaxPollTime
40870699A67F0000:error:0700006C:configuration file routines:NCONF_get_string:no value:../crypto/conf/conf_lib.c:315:group=sscep_enroll name=MaxPollCount
40870699A67F0000:error:0700006C:configuration file routines:NCONF_get_string:no value:../crypto/conf/conf_lib.c:315:group=sscep_enroll name=Resume
40870699A67F0000:error:0700006C:configuration file routines:NCONF_get_string:no value:../crypto/conf/conf_lib.c:315:group=sscep name=engine
40870699A67F0000:error:1E08010C:DECODER routines:OSSL_DECODER_from_bio:unsupported:../crypto/encode_decode/decoder_lib.c:101:No supported data to decode. Input type: PEM
```
My .cnf file:

```
# sscep.conf -- configuration file for SSCEP
#
# All configuration options are key-value pairs, grouped into sections:
#
# [section]
# Key = Value
#
# Quotation marks are optional - they are needed only if the value contains
# space characters (space or tab). Quotation marks inside the value string
# must be escaped using a backslash:
#
# Key = "Value \"containing quotation marks\""
#
# Comment lines (lines starting with '#') and empty lines are discarded.

# sscep is the default section. Do not alter its name
[sscep]

# Reference to an engine definition section (see below)
# Uncomment to use the defined engine instead of the filesystem.
#engine = sscep_engine

# SCEP server URL
#URL = https://cep1.contoso.local/certsrv/mscep/mscep.dll/pkiclient.exe
#URL = http://localhost/cgi-bin/pkiclient.exe

# Use proxy server at host:port
#Proxy = localhost:8080
URL = http://cep1.contoso.local/certsrv/mscep/mscep.dll/pkiclient.exe

# CA certificate file (write if OPERATION is getca)
CACertFile = ca.crt-3

# PKCS#7 encryption algorithm (des|3des|blowfish|aes[128]|aes192|aes256)
#EncAlgorithm = 3des

# PKCS#7 signature algorithm (md5|sha1|sha224|sha256|sha384|sha512)
SigAlgorithm = sha512

# Note: this could be very misleading, the SCEP standard provides no
# mechanism to "negotiate" the algorithm - even if you send 3des, reply
# might be des.

# Verbose operation (true|false)
Verbose = false

# Debug (even more verbose operation)
Debug = false

[sscep_engine]
# Engine definition. It can have any name, as long as the name is referenced
# by the "engine" option in the [sscep] section.
# The parameter engine_id is mandatory.

# Engine ID. The engine will use the OpenSSL's engine interface.
# Supported engines are:
#   - Any installed OpenSSL engine (e.g. tpm2tss)
#   - capi (Microsoft CryptoAPI)
#   - dynamic (loaded via dynamic_path)
engine_id = capi

# If the engine needs to be loaded dynamically, specify the path to the SO file here.
# It is possible to provide paths relative to the sscep binary
# Note: On Windows use double slashes, see example
# Note: You HAVE to specify this unless you know it will be found otherwise. On
# Windows this can lead to problems since OpenSSL is often compiled with a Unix-
# Search-Path. In this case this can't be omitted at all.
dynamic_path = ..\\capi\\capi.dll

# Some Engines require an additional module (take PKCS#11 interface for example)
# For these engines you can specify an additional module path here
# Note: On Windows use double slashes, see "dynamic_path" option
MODULE_PATH =

# Special Options for engines are defined in their corresponding
# sections, always named [sscep_engine_*] where * is the defined
# engine id. You can see currently supported special options in
# each of these sections. If a section does not exist, it does
# not mean the engine is not supported, there are just no special
# options available for it.

[sscep_engine_capi]
# This section defines CryptoAPI specific settings
# Only if the [engine]-section's engine_id is set to capi, this will be loaded,
# otherwise it will be ignored.

# Specific CryptoAPI option: Set this option to whatever
# location your newly generated key will reside in.
# In case of certreq creating your key, it will be in REQUEST.
new_key_location = /home/msigsbee/PKI/

# Which store should be used for all operations.
# The basic layout is storelocation\storename, e.g.
# LOCAL_MACHINE\MY and LOCAL_MACHINE\REQUEST
# The following options are accepted here:
#   CURRENT_USER - default option, user store
#   LOCAL_MACHINE - system store
storelocation = LOCAL_MACHINE

[sscep_engine_jksengine]
# This section defines JKSEngine specific settings
# Only if engine_id is set to "JKSEngine" this will be loaded, otherwise ignored.

# Password of Java KeyStore (Default: 123456)
# See JKSEngine for further documentation
KeyStorePass =

# Path of Java tool (Path to ConnJKSEngine)
JavaConnectorPath =

# Java Cryptography Provider of used Keystore
KeyStoreProvider =

# Path of Java Runtime Environment
# This is normally not necessary
JavaPath =

[sscep_getca]
# Options for retrieving CA Certificates (operation getca)

# CA identifier string, required by some CA
CAIdentifier = SubCa1.Contoso.Local\SubCa1

# Fingerprint algorithm (md5|sha1|sha224|sha256|sha384|sha512)
#FingerPrint = md5
FingerPrint = sha256

[sscep_enroll]
# Operation for Certificate Enrollment (see SCEP documentation for details)

# Private key file
#PrivateKeyFile = local.key
PrivateKeyFile = /home/msigsbee/PKI/Ubuntu20.key

# Certificate request file
#CertReqFile = local.csr
CertReqFile = /home/msigsbee/PKI/Ubuntu20.der

# Signature private key file, use with SignCertFile
#SignKeyFile = previous.key

# Signature certificate (used instead of self-signed)
#SignCertFile = previous.crt

# Write enrolled certificate in file
#LocalCertFile = local.crt
LocalCertFile = /home/msigsbee/PKI/Ubuntu2.crt

# Use different CA cert for encryption
#EncCertFile = enc.crt

# Write selfsigned certificate in file
#SelfSignedFile = selfsigned.crt

# Polling interval for pending certificate (seconds)
#PollInterval = 60

# Maximum polling time (seconds)
#MaxPollTime = 28800

# Max number of GetCertInitial requests
#MaxPollCount = 256

# Resume interrupted enrollment (true|false)
#Resume =

[sscep_getcert]
# Private key file
PrivateKeyFile = local.key

# Local certificate file
LocalCertFile = local.crt

# Certificate serial number (decimal)
GetCertSerial = 1

# Write certificate in file
GetCertFile = cert.crt

[sscep_getcrl]
# Private key file
PrivateKeyFile = local.key

# Local certificate file
LocalCertFile = local.crt

# Write CRL in file
GetCrlFile = crl.crl

[sscep_getnextca]
#NYI

[req]
prompt = no
distinguished_name = req_distinguished_name
string_mask = default
#[EOF]
#if [ "$PASSWORD" = FCB83778BA23EC5A ]; then
cat << EOF >> $CONFIG
#attributes=req_attributes
```
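The NCONF "no value" lines only report optional keys that sscep looked up and did not find; the failure that stops the run is the DECODER error, which means OpenSSL 3 found no PEM-encoded private key in Ubuntu20.key. The following is an added triage script (not part of the issue or of sscep) that checks a key file for the common causes of that error: a DER file where PEM is expected, a CSR or certificate given instead of a key, a corrupt base64 body, an encrypted PKCS#8 key, or an empty file; the sample inputs are constructed and are not real keys.

```python
import base64
import re

# PEM labels OpenSSL accepts when decoding a private key (PKCS#8 or legacy forms).
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def triage_key_bytes(data: bytes) -> str:
    """Explain why OpenSSL's PEM decoder might reject `data` as a private key."""
    if not data.strip():
        return "empty file: nothing to decode"
    if data.startswith(b"\xef\xbb\xbf"):
        return "UTF-8 BOM before the PEM header: remove the BOM"
    m = PEM_RE.search(data)
    if m is None:
        if data[:1] == b"\x30":  # DER always starts with an ASN.1 SEQUENCE tag
            return "DER-encoded (binary ASN.1), not PEM: convert with openssl pkey -inform DER"
        return "no PEM BEGIN/END block found: not a PEM file"
    label = m.group(1).decode()
    if label not in PRIVATE_KEY_LABELS:
        return f"PEM label is '{label}', not a private key (a request or certificate was given?)"
    try:  # strip line breaks, then require strictly valid base64
        raw = base64.b64decode(b"".join(m.group(2).split()), validate=True)
    except ValueError:
        return f"'{label}' block has corrupt base64 body"
    if raw[:1] != b"\x30":
        return f"'{label}' body is not an ASN.1 SEQUENCE: wrong or truncated content"
    if label == "ENCRYPTED PRIVATE KEY":
        return "encrypted PKCS#8 key: sscep needs the passphrase or a decrypted copy"
    return f"structurally a PEM '{label}' ({len(raw)} DER bytes): passes the header/base64 checks"


def triage_key_file(path: str) -> str:
    with open(path, "rb") as fh:
        return triage_key_bytes(fh.read())


# Constructed sample inputs (not real keys); "MAMCAQA=" is a 5-byte ASN.1 SEQUENCE.
SAMPLES = {
    "csr_not_key": b"-----BEGIN CERTIFICATE REQUEST-----\nMAMCAQA=\n-----END CERTIFICATE REQUEST-----\n",
    "der_not_pem": b"\x30\x82\x04\xa3\x02\x01\x00",
    "pem_key": b"-----BEGIN PRIVATE KEY-----\nMAMCAQA=\n-----END PRIVATE KEY-----\n",
    "empty": b"",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {triage_key_bytes(data)}")
```

Run it against the actual file with `triage_key_file("/home/msigsbee/PKI/Ubuntu20.key")`; whatever it reports, `openssl pkey -in <file> -noout` remains the authoritative check.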