RE: question on interop with entrust server
Hi Max,
I think we just had some emails cross in transit. My new email on the thread
"draft 6 of draft-nourse-scep" should speak to your question.
But, I'll also reply here. The entrust server is a CA+RA. I receive both CA
cert and RA cert during my authentication step. I store both. When I get to my
enrollment step, we des-encrypt the pkcs10 with a new content key, rsa-encrypt
the content key with the RA-cert-pub-key, and attach the encrypted content key
to the pkcs7 recipient info.
I don't know if the entrust server is failing to decrypt the content key or
failing to decrypt the pkcs10.
---
Ricky Charlet
W: 408.754.1733
rcharlet@xxxxxxxxxx
--- _
( ) ASCII ribbon campaign
X - against HTML email
/ \
> -----Original Message-----
> From: Max Pritikin [mailto:pritikin@xxxxxxxxx]
> Sent: Tuesday, November 07, 2006 12:17 PM
> To: Charlet, Ricky (HLYER:0000)
> Cc: scep@xxxxxxxx
> Subject: Re: question on interop with entrust server
>
>
> Well, again voicing my complete lack of knowledge about
> entrust internals...
>
> Is this against a CA or an RA? And is there a difference in
> the behavior you are seeing?
>
> - max
>
> On Nov 7, 2006, at 9:17 AM, Ricky Charlet wrote:
>
> > Hi Max,
> >
> > I don't have a clear enough view into the entrust server operation to
> > firmly answer your question. But I strongly suspect it is a problem
> > with decryption. The specific error message I get from the entrust
> > logs says
> >
> > "[-00151 The signature verification failed.] Failure during unprotect
> > of signed data"
> >
> > The signature verification failure is irrelevant. I know this from 1)
> > the standards don't require it, and 2) a successful enrollment from a
> > cisco router gets a similar log entry about sig-verification failure,
> > but then proceeds onward.
> >
> > The relevant part of that log message above seems to be "Failure
> > during unprotect of signed data"
> >
> >
> > ---
> > Ricky Charlet
> > W: 408.754.1733
> > rcharlet@xxxxxxxxxx
> > --- _
> > ( ) ASCII ribbon campaign
> > X - against HTML email
> > / \
> >
> >> -----Original Message-----
> >> From: Max Pritikin [mailto:pritikin@xxxxxxxxx]
> >> Sent: Monday, November 06, 2006 5:26 PM
> >> To: Charlet, Ricky (HLYER:0000)
> >> Cc: scep@xxxxxxxx
> >> Subject: Re: question on interop with entrust server
> >>
> >>
> >> "After a bit more reading..." Then what? :)
> >>
> >> Are you having trouble with the entrust CA decrypting the
> >> pkcs7 or is it trouble parsing the pkcs7? Does your client work
> >> against a different CA server?
> >>
> >> - max
> >>
> >> On Nov 6, 2006, at 5:04 PM, Ricky Charlet wrote:
> >>
> >>>
> >>> After a bit more reading....
> >>>
> >>>
> >>> ---
> >>> Ricky Charlet
> >>> W: 408.754.1733
> >>> rcharlet@xxxxxxxxxx
> >>> --- _
> >>> ( ) ASCII ribbon campaign
> >>> X - against HTML email
> >>> / \
> >>>
> >>>> -----Original Message-----
> >>>> From: owner-scep@xxxxxxxxxxxxx
> >>>> [mailto:owner-scep@xxxxxxxxxxxxx] On Behalf Of Charlet, Ricky
> >>>> (HLYER:0000)
> >>>> Sent: Monday, November 06, 2006 12:49 PM
> >>>> To: scep@xxxxxxxx
> >>>> Subject: question on interop with entrust server
> >>>>
> >>>>
> >>>> Howdy,
> >>>>
> >>>> My group is building a new scep client. We have successfully
> >>>> interoperated against microsoft but are having a difficult time
> >>>> interoperating with entrust. The entrust server seems not to be able
> >>>> to decrypt our PKCS7. But the log message is very vague.
> >>>>
> >>>> I'm hoping an Entrust VPN enrollment server person is reading this
> >>>> and can contact me directly to work out some interop testing.
> >>>>
> >>>>
> >>>> ---
> >>>> Ricky Charlet
> >>>> W: 408.754.1733
> >>>> rcharlet@xxxxxxxxxx
> >>>> --- _
> >>>> ( ) ASCII ribbon campaign
> >>>> X - against HTML email
> >>>> / \
> >>>>
> >>>>
> >>
>
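The enrollment step described at the top of this thread (a fresh DES content key encrypts the PKCS#10, the content key is RSA-encrypted to the RA certificate's public key, and the wrapped key rides in the PKCS#7 recipient info) is easiest to debug when the receiving side reports which stage failed, which is exactly the question left open above. The Go program below is an added illustration, not code from the thread, from Ricky's client or from Entrust. It uses only the standard library and simplifies PKCS#7 EnvelopedData to a hypothetical `Envelope` struct: the recipient is identified by a hash of the RSA modulus instead of issuer+serial, the PKCS#10 is a constructed placeholder string, and `Seal`/`Open`/`NewKeyPair` are names chosen here. `Open` distinguishes "envelope addressed to the wrong key" (the CA-versus-RA confusion a CA+RA deployment invites), "content-key unwrap failed" and "PKCS#10 decryption failed", so a vague server log is not the only evidence.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SampleCSR is a constructed placeholder for the DER bytes of a PKCS#10
// CertificationRequest; a real client would put the encoded request here.
const SampleCSR = "CONSTRUCTED-PLACEHOLDER-PKCS10-DER"

// Envelope is a hypothetical, simplified stand-in for PKCS#7 EnvelopedData:
// one RecipientInfo (recipient key id + wrapped content key) plus the content.
type Envelope struct {
	RecipientKeyID []byte // SHA-256 of the recipient's RSA modulus, in place of issuer+serial
	EncryptedKey   []byte // 8-byte DES key, RSA PKCS#1 v1.5 encrypted to the recipient
	IV             []byte // DES-CBC initialisation vector
	EncryptedData  []byte // PKCS#10 bytes, DES-CBC with PKCS#7 padding
}

// Stage-specific errors so the RA side can say which step failed.
var (
	ErrWrongRecipient = errors.New("envelope is not addressed to this RA key")
	ErrKeyUnwrap      = errors.New("RSA decryption of the content key failed")
	ErrContentDecrypt = errors.New("DES decryption of the PKCS#10 failed")
)

// NewKeyPair stands in for the key behind an RA or CA certificate.
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func keyID(pub *rsa.PublicKey) []byte {
	sum := sha256.Sum256(pub.N.Bytes())
	return sum[:]
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable here
	}
	return b
}

// pad / unpad implement PKCS#7 block padding for an 8-byte DES block.
func pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// Seal is the client step from the thread: fresh DES content key, DES-CBC
// encrypt the PKCS#10, RSA-encrypt the content key to the recipient (RA)
// public key and attach it as the recipient info.
func Seal(pkcs10 []byte, recipient *rsa.PublicKey) (*Envelope, error) {
	key, iv := randBytes(8), randBytes(des.BlockSize)
	block, _ := des.NewCipher(key) // key is exactly 8 bytes, so this cannot fail
	padded := pad(pkcs10, des.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	ek, err := rsa.EncryptPKCS1v15(rand.Reader, recipient, key)
	if err != nil {
		return nil, err
	}
	return &Envelope{RecipientKeyID: keyID(recipient), EncryptedKey: ek, IV: iv, EncryptedData: ct}, nil
}

// Open is the RA side. Each stage reports its own error, which is the
// distinction the thread cannot get from the server log.
func Open(env *Envelope, ra *rsa.PrivateKey) ([]byte, error) {
	if !bytes.Equal(env.RecipientKeyID, keyID(&ra.PublicKey)) {
		return nil, ErrWrongRecipient // e.g. client encrypted to the CA cert, not the RA cert
	}
	key, err := rsa.DecryptPKCS1v15(rand.Reader, ra, env.EncryptedKey)
	if err != nil || len(key) != 8 {
		return nil, ErrKeyUnwrap
	}
	block, _ := des.NewCipher(key) // length already checked above
	if len(env.IV) != des.BlockSize || len(env.EncryptedData)%des.BlockSize != 0 {
		return nil, ErrContentDecrypt
	}
	pt := make([]byte, len(env.EncryptedData))
	cipher.NewCBCDecrypter(block, env.IV).CryptBlocks(pt, env.EncryptedData)
	out, err := unpad(pt, des.BlockSize)
	if err != nil {
		return nil, ErrContentDecrypt
	}
	return out, nil
}

func main() {
	ra, _ := NewKeyPair()
	ca, _ := NewKeyPair()
	env, _ := Seal([]byte(SampleCSR), &ra.PublicKey)
	got, err := Open(env, ra)
	fmt.Printf("sealed to RA, opened by RA: %q err=%v\n", got, err)
	env, _ = Seal([]byte(SampleCSR), &ca.PublicKey)
	_, err = Open(env, ra)
	fmt.Println("sealed to CA, opened by RA:", err)
}
```

The recipient-id check runs before any private-key operation, so a request encrypted to the wrong certificate is rejected with a clear reason rather than surfacing later as a padding or parse failure; a real implementation would compare the RecipientInfo issuer and serial number against the RA certificate the same way.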