[strongSwan] scepclient and cisco
Tobias Brunner
tobias at strongswan.org
Mon Apr 2 11:44:22 CEST 2012
Hi Germano,
> I've been trying to get scepclient to work with CISCO (IOS 15) for a
> week, turned all debugging on and still no success.
>
> CISCO fails with "unable to open signed data" when I request a
> certificate (get ca cert works).
>
> This is what I'm doing:
>
> ipsec scepclient --out cert=mycert.der --dn "CN=myname" -k 1024 --url
> http://10.1.1.2/cgi-bin/pkiclient.exe --in cacert-enc=CISCO.der --in
> cacert-sig=CISCO.der
>
> The wiki documentation for scepclient is extremely poor. I could improve
> it with some cisco examples if I get this to work...
>
> Are there any special options/compile options? Opinions on what could be
> wrong?
Well, scepclient is quite old. It was written 7 years ago and did not
get much attention since then. Development was based on version 10/11
of the SCEP draft [1], which is currently published in version 23. So
it's very well possible that there are incompatibilities with more
recent implementations (which the one in IOS 15 presumably is). And
updating scepclient has not a very hight priority for us at the moment.
The question really is what the Cisco box means with "unable to open
signed data" (Was it not able to parse the request? Was it not able to
decrypt it? ...). The only thing that might be wrong with your command
line is that you don't specify '--out pkcs1', but I don't see how that
could cause the above error on the Cisco side.
Regards,
Tobias
[1] http://tools.ietf.org/html/draft-nourse-scep
More information about the Users
mailing list