
Comments (10)

tedescn avatar tedescn commented on August 26, 2024 3

Manfonly,

I just parsed your CSR with ("openssl asn1parse -text -in csr_file_name.csr"). I note you are using UTF-8 strings. I also note your openssl.conf doesn’t include a subjectAltName field.

Can I suggest you modify your openssl.conf file to see if these changes address your problem of issuing a certificate?

  1. Within the [req] section add both “utf8 = no” and “string_mask = nombstr”. Then review your generated CSR; hopefully it won’t indicate “:unable to print attribute” against the challengePassword. Also I’m hoping your challengePassword is now a printable string?

  2. Additionally you also need to add a subjectAltName to the generated CSR. Add an entry to [req] section of your openssl.conf file, something like: “subjectAltName=critical,DNS:certnanny-sscep.poc.shanghai.cn”

Assuming this issues a SCEP certificate against NDES you can play with the string_mask values to determine if UTF-8 is supported?

Regards
Nigel

from sscep.
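Added example, not part of the original thread: a small DER walker that reports which ASN.1 string type a CSR uses for its challengePassword attribute (OID 1.2.840.113549.1.9.7), the property that the `utf8` and `string_mask` settings change. The helper names and the sample bytes are constructed for illustration.

```python
# Added example (not from the thread): report how a CSR encodes challengePassword.
CHALLENGE_PASSWORD_OID = bytes.fromhex("2a864886f70d010907")  # 1.2.840.113549.1.9.7
STRING_TYPES = {  # universal tag -> (ASN.1 type name, Python codec)
    0x0C: ("UTF8String", "utf-8"),
    0x13: ("PrintableString", "ascii"),
    0x14: ("T61String", "latin-1"),
    0x1E: ("BMPString", "utf-16-be"),
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def challenge_password_type(der):
    """Return (type_name, text) for the challengePassword value, or None if absent."""
    pending = [(0, len(der))]
    while pending:
        pos, end = pending.pop()
        while pos < end:
            tag, start, stop = read_tlv(der, pos)
            if tag == 0x06 and der[start:stop] == CHALLENGE_PASSWORD_OID:
                _, set_start, _ = read_tlv(der, stop)        # SET OF values
                vtag, vstart, vstop = read_tlv(der, set_start)
                name, codec = STRING_TYPES.get(vtag, ("tag 0x%02x" % vtag, "latin-1"))
                return name, der[vstart:vstop].decode(codec, "replace")
            if tag & 0x20:                 # constructed: visit children later
                pending.append((start, stop))
            pos = stop
    return None

def tlv(tag, value):
    """Encode one short-form DER element (constructed test data only)."""
    return bytes([tag, len(value)]) + value

def sample_attributes(string_tag, encoded):
    """Constructed [0] attributes field holding one challengePassword attribute."""
    attr = tlv(0x30, tlv(0x06, CHALLENGE_PASSWORD_OID) + tlv(0x31, tlv(string_tag, encoded)))
    return tlv(0xA0, attr)

if __name__ == "__main__":
    for tag, codec in ((0x13, "ascii"), (0x0C, "utf-8"), (0x1E, "utf-16-be")):
        print(challenge_password_type(sample_attributes(tag, "EXAMPLE-PASSWORD".encode(codec))))
```

To check a real request, convert it first with `openssl req -in csr_file_name.csr -outform DER -out csr.der` and pass the file's bytes to `challenge_password_type`.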

rad1us avatar rad1us commented on August 26, 2024

Not sure about NDES, never tested it, but the challenge password should be a BMP String.

from sscep.

manfonly avatar manfonly commented on August 26, 2024

This is my mscep_admin page:
Network Device Enrollment Service allows you to obtain certificates for routers or other network devices using the Simple Certificate Enrollment Protocol (SCEP).

To complete certificate enrollment for your network device you will need the following information:

The thumbprint (hash value) for the CA certificate is: E79F8AD3 73F7D8E0 F2688840 8563ACA1

The enrollment challenge password is: 00F7FC7937B5366F2231AC891472998C

This password can be used multiple times and will not expire.

For more information see Using Network Device Enrollment Service.

I just copied "00F7FC7937B5366F2231AC891472998C".

from sscep.

rad1us avatar rad1us commented on August 26, 2024

Yeah, but that is not a BMP String and OpenSSL won't encode it for you.

https://tools.ietf.org/html/rfc3641
https://msdn.microsoft.com/en-us/library/windows/desktop/bb540793%28v=vs.85%29.aspx

from sscep.

manfonly avatar manfonly commented on August 26, 2024

Do you mean I need to encode the challenge password?
I can set this challenge password in the openssl interactive way, and it looks like NDES does not support setting a challenge password.

from sscep.

rad1us avatar rad1us commented on August 26, 2024

No idea about NDES and its configuration. For a normal SCEP server you need to encode the password to a BMP string and then give it to OpenSSL to embed in the CSR.

from sscep.

manfonly avatar manfonly commented on August 26, 2024

Hi rad1us, you are right.
It looks like a bug in the Linux openssl. It cannot encode 00F7FC7937B5366F2231AC891472998C into the challenge password attribute, but the Windows version can do it.

from sscep.

WarheadsSE avatar WarheadsSE commented on August 26, 2024

@tedescn @manfonly 👍
I wanted to provide an update to this. We have tested this with sscep & SCEP from an NDES server on Windows Server 2012 R2. The additions suggested by @tedescn have resulted in working behavior for us.

Works without modification: openssl 1.0.1f
Works with modification: openssl 1.0.1i, 1.0.2h

from sscep.

ppokhriyal avatar ppokhriyal commented on August 26, 2024

I'm trying with 1.0.2i. @tedescn, can any patch or modification resolve this?

from sscep.

anubhav96gupta avatar anubhav96gupta commented on August 26, 2024

Thank you. This helped me to fix my issue with NDES.
“string_mask = nombstr”

Can someone please confirm if this change in openssl config will work with all types of SCEP servers?

from sscep.
