Onboarding issues when using registration authority mode with SCEP to PKI

Hi,

 

When I configure ClearPass as a registration authority, I put in the SCEP URL and Challenge, then I fetch the CA cert and receive the chain as expected.

When I go to the device_provisioning php page on the client to onboard, I receive the following (regardless of device type):

 

Unable to extract certificate from SCEP response (error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long
error:0D0D106E:asn1 encoding routines:B64_READ_ASN1:decode error
error:0D0D40CB:asn1 encoding routines:SMIME_read_ASN1:asn1 parse error)

 

From the PKI side the certs are issued, and from Wireshark I see 200 accepts from the PKI:

[screenshot: scep.png]

 

Thoughts on this?

 

Much appreciated,

ACMP, ACCP, BCNE
Guru Elite

Re: Onboarding issues when using registration authority mode with SCEP to PKI

What type of PKI environment are you proxying to?

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Onboarding issues when using registration authority mode with SCEP to PKI

Hi Tim,

 

Windows 2008 R2 PKI.

 

Thanks

ACMP, ACCP, BCNE

Re: Onboarding issues when using registration authority mode with SCEP to PKI

We are also using the same exact SCEP URL and Challenge for an MDM and it's working fine.

ACMP, ACCP, BCNE
Guest Blogger

Re: Onboarding issues when using registration authority mode with SCEP to PKI

Did you get this fixed? I have the same problem. I am using the SCEP in MobileIron and it works. When I use it in ClearPass I receive the same error as you.

 

I have changed the settings on the PKI server like described in Step 4 - point 3 and 4 from the website:

 

Configure and use SCEP certificates with Intune

@rene_booches | AMFX #26, ACMX #438, ACCX #725, ACDX #760, CCNP R&S, CEH | Co-owner/Solution Specialist@4IP / blog owner@booches.nl
miz
New Contributor

Re: Onboarding issues when using registration authority mode with SCEP to PKI

I have the same problem too. Did anyone solve it?

ClearPass 6.6 and Windows Server 2016

 

> The following error message appears in the ClearPass GUI:

Unable to extract certificate from SCEP response (error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long
error:0D0D106E:asn1 encoding routines:B64_READ_ASN1:decode error
error:0D0D40CB:asn1 encoding routines:SMIME_read_ASN1:asn1 parse error)

Guru Elite

Re: Onboarding issues when using registration authority mode with SCEP to PKI

We have not officially qualified ADCS 2016, but try adding mscep.dll to the end of the NDES URL.

 

Ex: http://certsrv/mscep/mscep.dll


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Onboarding issues when using registration authority mode with SCEP to PKI

I found that this was caused by the HTTP proxy, when configured on ClearPass.

In this case, I needed the proxy to retrieve updates, fingerprints, etc. and couldn't leave it blank, but if I removed it, everything was working fine :)

Cheers,

ACMP, ACCP, BCNE
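Both findings in this thread (the URL needing mscep.dll, and an HTTP proxy sitting in the path) produce the same symptom: the RA receives something that is not a PKCS#7 signedData pkiMessage and the ASN.1 parser fails. The following added example (not ClearPass, Aruba or NDES code) is a small offline diagnostic that classifies a captured SCEP PKIOperation response by its Content-Type and the outer DER header; the sample bodies are constructed, and the media type and signedData OID come from the SCEP and PKCS#7 specifications.

```python
"""Classify a captured SCEP PKIOperation response before handing it to an
ASN.1/CMS parser. Constructed example, not ClearPass or NDES code."""

PKI_MESSAGE_TYPE = "application/x-pki-message"          # SCEP pkiMessage media type
SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2 signedData

def _der_length(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("header too long")  # the same condition OpenSSL reports
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def diagnose_scep_response(content_type: str, body: bytes) -> str:
    """Return a short verdict on why a response would or would not parse as a
    SCEP pkiMessage (a PKCS#7 ContentInfo whose contentType is signedData)."""
    ct = content_type.split(";")[0].strip().lower()
    head = body.lstrip()[:15].lower()
    if ct.startswith("text/html") or head.startswith((b"<!doctype", b"<html")):
        return ("HTML page instead of PKCS#7: proxy or web server error page, "
                "or wrong URL (check the mscep.dll path and the HTTP proxy)")
    if not body or body[0] != 0x30:
        return "body is not a DER SEQUENCE: not a pkiMessage"
    try:
        length, pos = _der_length(body, 1)
        if pos + length > len(body):
            return "truncated response: DER length exceeds body"
        if body[pos] != 0x06:
            return "ContentInfo does not start with an OID"
        oid_len, oid_pos = _der_length(body, pos + 1)
        oid = body[oid_pos:oid_pos + oid_len]
    except (ValueError, IndexError) as exc:
        return f"malformed DER: {exc}"
    if oid != SIGNED_DATA_OID:
        return "ContentInfo is not PKCS#7 signedData"
    if ct != PKI_MESSAGE_TYPE:
        return f"valid signedData but Content-Type is {ct!r}, expected {PKI_MESSAGE_TYPE!r}"
    return "ok: PKCS#7 signedData pkiMessage"

# Constructed samples: a proxy error page, and a minimal ContentInfo
# SEQUENCE { OID signedData, [0] EXPLICIT SEQUENCE {} } with an empty body.
HTML_ERROR = b"<!DOCTYPE html><html><body>407 Proxy Authentication Required</body></html>"
GOOD_BODY = bytes.fromhex("300f" "0609" "2a864886f70d010702" "a002" "3000")

if __name__ == "__main__":
    print(diagnose_scep_response("text/html; charset=utf-8", HTML_ERROR))
    print(diagnose_scep_response(PKI_MESSAGE_TYPE, GOOD_BODY))
```

Feed it the Content-Type header and raw body exported from the Wireshark capture; an HTML verdict points at the proxy or URL, a DER verdict at the NDES side.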
miz
New Contributor

Re: Onboarding issues when using registration authority mode with SCEP to PKI

Tim and Overclock,

Thank you for the prompt reply.

I already set the "http://172.31.xxx.xxx/certsrv/mscep/mscep.dll" for SCEP URL field.
And I did not use the http proxy.

I'll try to check the configuration of Windows Server again.

miz
New Contributor

Re: Onboarding issues when using registration authority mode with SCEP to PKI

I set up ClearPass 6.7 in the same environment, same ADCS server.
It worked fine. Unfortunately 6.6.5 still shows an error.

Thank you for your advice.
