Onboarding issues when using registration authority mode with SCEP to PKI

  • 1.  Onboarding issues when using registration authority mode with SCEP to PKI

    Posted Mar 31, 2017 11:48 AM

    Hi,

     

    When I configure ClearPass as a registration authority, I put in the SCEP URL and challenge, then I fetch the CA cert and receive the chain as expected.

    When I go to the device_provisioning php page on the client to onboard, I receive the following (regardless of device type):

     

    Unable to extract certificate from SCEP response (error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long
    error:0D0D106E:asn1 encoding routines:B64_READ_ASN1:decode error
    error:0D0D40CB:asn1 encoding routines:SMIME_read_ASN1:asn1 parse error)

     

    From the PKI side the certs are issued and from Wireshark I see 200 accepts from the PKI:

    [attachment: cap scep.png]

     

    Thoughts on this?

     

    Much appreciated,



  • 2.  RE: Onboarding issues when using registration authority mode with SCEP to PKI

    EMPLOYEE
    Posted Mar 31, 2017 11:50 AM
    What type of PKI environment are you proxying to?


  • 3.  RE: Onboarding issues when using registration authority mode with SCEP to PKI

    Posted Mar 31, 2017 11:52 AM

    Hi Tim,

     

    Windows 2008 R2 PKI.

     

    Thanks



  • 4.  RE: Onboarding issues when using registration authority mode with SCEP to PKI

    Posted Mar 31, 2017 11:55 AM

    We are also using the same exact SCEP URL and challenge for an MDM and it's working fine.



  • 5.  RE: Onboarding issues when using registration authority mode with SCEP to PKI

    Posted Mar 21, 2018 07:52 AM

    Did you get this fixed? I have the same problem. I am using the SCEP in MobileIron and it works. When I use it in ClearPass I receive the same error as you.

     

    I have changed the settings on the PKI server like described in Step 4 - point 3 and 4 from the website:

     

    Configure and use SCEP certificates with Intune



  • 6.  RE: Onboarding issues when using registration authority mode with SCEP to PKI

    EMPLOYEE
    Posted Aug 16, 2018 04:19 AM

    I have the same problem too. Did anyone solve it?

    ClearPass 6.6 and Windows Server 2016

     

    The error message in the ClearPass GUI:

    Unable to extract certificate from SCEP response (error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long
    error:0D0D106E:asn1 encoding routines:B64_READ_ASN1:decode error
    error:0D0D40CB:asn1 encoding routines:SMIME_read_ASN1:asn1 parse error)



  • 7.  RE: Onboarding issues when using registration authority mode with SCEP to PKI

    EMPLOYEE
    Posted Aug 16, 2018 09:27 AM

    We have not officially qualified ADCS 2016, but try adding mscep.dll to the end of the NDES URL.

     

    Ex: http://certsrv/mscep/mscep.dll



  • 8.  RE: Onboarding issues when using registration authority mode with SCEP to PKI

    Posted Aug 16, 2018 04:25 PM

    I found that this was caused by the HTTP proxy, when configured on ClearPass. 

    In this case, I needed the proxy to retrieve updates, fingerprints etc and couldn't leave it blank but if I removed it, everything was working fine :) 

    Cheers,



  • 9.  RE: Onboarding issues when using registration authority mode with SCEP to PKI

    EMPLOYEE
    Posted Aug 17, 2018 10:02 AM

    Tim and Overclock,

    Thank you for the prompt reply.

    I already set the "http://172.31.xxx.xxx/certsrv/mscep/mscep.dll" for SCEP URL field.
    And I did not use the http proxy.

    I'll try to check the configuration of Windows Server again.



  • 10.  RE: Onboarding issues when using registration authority mode with SCEP to PKI

    EMPLOYEE
    Posted Aug 22, 2018 11:46 AM

    I set up ClearPass 6.7 in the same environment, same ADCS server.
    It worked fine. Unfortunately 6.6.5 still shows an error.

    Thank you for your advice.



  • 11.  RE: Onboarding issues when using registration authority mode with SCEP to PKI

    Posted Sep 18, 2018 05:37 AM

    I am still trying to get this configuration done. When I configure the Certificate Authority as Registration Authority and I add the SCEP URL:

     

    https://pki/certsrv/mscep/mscep.dll

     

    I also have the option to add a SCEP Challenge Password. The SCEP Challenge Password (as far as I know) can be obtained via the URL:

     

    http://pki/CertSrv/mscep_admin/

     

    I tried to add the CA with and without configuring a SCEP Challenge Password. Both options aren't working and I see the following error in the EventViewer on the Windows PKI server.

     

    Without SCEP Challenge Password:

    EventID 28 - The Network Device Enrollment Service cannot locate a required password in the certificate request. Either a password must be present in the certificate request or the certificate request should be signed with a valid signing certificate. The signing certificate must chain up to a trusted root in the Enterprise store. The signing certificate and the certificate request must have the same subject name or subject alternate name.

     

    With SCEP Challenge Password:

    EventID 29 - The password in the certificate request cannot be verified. It may have been used already. Obtain a new password to submit with this request.

     

    I guess I have to troubleshoot the Windows PKI server instead of ClearPass...



  • 12.  RE: Onboarding issues when using registration authority mode with SCEP to PKI

    Posted Sep 18, 2018 06:17 AM

    I got it working by following the procedure in the blog post, but I am not sure what the impact is on the Windows PKI environment...

     

    https://www.petenetlive.com/KB/Article/0000947#PWDOFF

     

    Parts:

    • NDES Disable Password Requirement.
    • NDES More Password Options and Renewing Certificates
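    The impact question above is worth answering before the change goes to production: event ID 28 is NDES insisting on either a one-time challenge or a request signed by an existing certificate, and event ID 29 is a challenge that has already been consumed, which is what a static ClearPass challenge looks like after its first use. Turning enforcement off (EnforcePassword = 0) removes that check entirely, so anyone who can reach mscep.dll can then enrol a certificate for any subject; compensate by allowing only the ClearPass RA addresses to reach the application. The script below is an added example for this thread, not code from the thread, HPE, Microsoft or the linked article. It assumes the default site name "Default Web Site", the NDES application at /certsrv/mscep, the IIS "IP and Domain Restrictions" feature installed, and a placeholder ClearPass address of 10.20.30.40; run it elevated on the NDES server.

```powershell
# Added example (not from the thread, HPE, Microsoft or the linked article): show and change
# the NDES challenge-password enforcement, then restrict mscep.dll to the RA's addresses.
# Assumptions: 'Default Web Site', app path /certsrv/mscep, IIS IP and Domain Restrictions
# installed, ClearPass at 10.20.30.40 (placeholder). Run elevated on the NDES server.

$mscep = 'HKLM:\SOFTWARE\Microsoft\Cryptography\MSCEP'

function Get-NdesPasswordSettings {
    # Each NDES setting lives in a subkey of the same name, e.g. ...\MSCEP\EnforcePassword\EnforcePassword.
    # EnforcePassword: 1 = challenge or signing cert required (default), 0 = neither required.
    # PasswordValidity: minutes a challenge issued by mscep_admin stays valid (default 60).
    # PasswordMax: number of unused challenges NDES keeps outstanding at once (default 5).
    foreach ($name in 'EnforcePassword', 'PasswordValidity', 'PasswordMax') {
        $v = (Get-ItemProperty -Path "$mscep\$name" -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{ Setting = $name; Value = $v }
    }
}

function Set-NdesEnforcePassword {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    New-Item -Path "$mscep\EnforcePassword" -Force | Out-Null
    Set-ItemProperty -Path "$mscep\EnforcePassword" -Name EnforcePassword -Type DWord -Value $Value
    iisreset | Out-Null   # NDES reads the key when the application starts
}

function Set-MscepAllowedAddresses {
    # Deny everything except the listed addresses at the /certsrv/mscep application.
    # Written at the APPHOST level (applicationHost.config <location>), so the section's lock
    # does not block the change. mscep_admin keeps its own (Windows-auth) access control.
    param([Parameter(Mandatory)][string[]]$Address,
          [string]$Location = 'Default Web Site/certsrv/mscep')
    Import-Module WebAdministration
    $common = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $Location
                 Filter = 'system.webServer/security/ipSecurity' }
    Set-WebConfigurationProperty @common -Name allowUnlisted -Value $false
    foreach ($a in $Address) {
        Add-WebConfigurationProperty @common -Name '.' -Value @{ ipAddress = $a; allowed = $true }
    }
}

Get-NdesPasswordSettings                       # record the current state first
Set-NdesEnforcePassword -Value 0               # what the linked "Disable Password Requirement" step does
Set-MscepAllowedAddresses -Address '10.20.30.40'   # only the ClearPass RA may reach mscep.dll
Get-NdesPasswordSettings
```

    Keep the RA certificate template's enrolment permissions tight as well (only the NDES service account needs Enroll), since with enforcement off the template and the IP restriction are the only remaining controls on who gets a certificate.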