Onboarding issues when using registration authority mode with SCEP to PKI

Hi,

 

When I configure ClearPass as a registration authority, I put in the SCEP URL and Challenge, then I fetch the CA cert and receive the chain as expected.

When I go to the device_provisionning php page on the client to onboard, I receive the following (regardless of device types):

 

Unable to extract certificate from SCEP response (error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long
error:0D0D106E:asn1 encoding routines:B64_READ_ASN1:decode error
error:0D0D40CB:asn1 encoding routines:SMIME_read_ASN1:asn1 parse error)

 

From the PKI side the certs are issued, and from Wireshark I see 200 accepts from the PKI:

[Image: cap scep.png]

 

Thoughts on this?

 

Much appreciated,

ACMP, ACCP, BCNE

Re: Onboarding issues when using registration authority mode with SCEP to PKI

What type of PKI environment are you proxying to?

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Onboarding issues when using registration authority mode with SCEP to PKI

Hi Tim,

 

Windows 2008 R2 PKI.

 

Thanks

ACMP, ACCP, BCNE

Re: Onboarding issues when using registration authority mode with SCEP to PKI

We are also using the same exact SCEP URL and Challenge for an MDM and it's working fine.

ACMP, ACCP, BCNE

Re: Onboarding issues when using registration authority mode with SCEP to PKI

Did you get this fixed? I have the same problem. I am using the SCEP in MobileIron and it works. When I use it in ClearPass I receive the same error as you.

 

I have changed the settings on the PKI server as described in Step 4, points 3 and 4, on the website:

 

Configure and use SCEP certificates with Intune

@rene_booches | AMFX #26, ACMX #438, ACCX #725, ACDX #760, CCNP R&S, CEH | Co-owner/Solution Specialist@4IP / blog owner@booches.nl