Discussion:
[Ejbca-develop] Getting error using CMP client with EJBCA
BARINDER PAL SINGH
2014-11-18 08:10:54 UTC
Hello,

I am using the CMP client patch for OpenSSL and trying to get the
certificate from the EJBCA VM deployed on the server.

I have configured the following things:
Pre-registered client with password authentication

- Download the CA certificate to the client (downloaded the existing
ManagementCA certificate and have put this CA certificate in the location
where the CMP client code is compiled)
- Add a new end entity in EJBCA (added an end entity with the
username: vmware and password: vmware)
- Run the command

***@ejbca:~/cmpforopenssl-code-766/src/openssl-client$ ./cmpclient
--server localhost --port 8080 --path ejbca/public/cmp --srvcert
ManagementCA.cacert.pem --ir --user vmware --password vmware --newclcert
user1.der --newkey user_key.pem --subject "CN=vmware,C=SC"

But I am getting the following error:

***@ejbca:~/cmpforopenssl-code-766/src/openssl-client$ ./cmpclient
--server localhost --port 8080 --path ejbca/public/cmp --srvcert
ManagementCA.cacert.pem --ir --user vmware --password vmware --newclcert
user1.der --newkey user_key.pem --subject "CN=vmware,C=SC"
INFO: Reading DER Certificate from File ManagementCA.cacert.pem
SUCCESS: BIO_new
INFO: Unable to read certificate in DER format, trying PEM...
INFO: Reading PEM Certificate from File ManagementCA.cacert.pem
SUCCESS: BIO_new
INFO: Using existing key file "user_key.pem"
INFO: Reading Public Key from File user_key.pem
INFO: the passphrase is ""...
SUCCESS: Reading PKEY
INFO: Sending Initialization Request
ERROR: received no initial Client Certificate. FILE cmpclient.c, LINE 394
139753323554464:error:3209D07F:CMP routines:CMP_PKIMESSAGE_http_perform:invalid
content type:cmp_http.c:906:
139753323554464:error:32096083:CMP routines:CMP_doInitialRequestSeq:ip not
received:cmp_ses.c:373:



Also, I have configured the following configuration.
The above requires a CMP alias in EJBCA with the following
configuration (CMP alias with the name vmware):

- Client mode
- HMAC <http://en.wikipedia.org/wiki/Hash-based_message_authentication_code> authentication module
- CN as extract username component

Can you please suggest what might be wrong in the above configuration?

Thanks in advance,
Barinder
Tomas Gustavsson
2014-11-18 08:16:34 UTC
You should check what errors you have on the server side.

See http://ejbca.org/docs/adminguide.html#Troubleshooting

Regards,
Tomas
Michael Ströder
2014-11-18 08:22:07 UTC
Which version of EJBCA are you using?
Post by BARINDER PAL SINGH
--server localhost --port 8080 --path ejbca/public/cmp
Are you sure that the value for --path is correct? I can see this path value
mentioned at the example on this page but it might be outdated:
http://blog.ejbca.org/2014/01/using-cmp-with-cmp-for-openssl-tool-to.html

In my working example I have:

--path ejbca/publicweb/cmp/CMP_Server

where "ejbca/publicweb/" is the base URL of the public web interface and
"CMP_Server" is the CMP configuration alias.

In case you're using 6.x see also:
http://blog.ejbca.org/2013/09/whats-new-in-ejbca-6-part-2-cmp-aliases.html

Ciao, Michael.
BARINDER PAL SINGH
2014-11-18 09:08:32 UTC
Thanks Michael and Tomas, yes, the URL was wrong.

But now I am getting the following error on the client side:

***@ejbca:~/cmpforopenssl-code-766/src/openssl-client$ ./cmpclient
--server localhost --port 8080 --path ejbca/publicweb/cmp/vmware --srvcert
ManagementCA.cacert.pem --ir --user vmware --password vmware --newclcert
user1.der --newkey user_key.pem --subject "CN=vmware,C=SC"
INFO: Reading DER Certificate from File ManagementCA.cacert.pem
SUCCESS: BIO_new
INFO: Unable to read certificate in DER format, trying PEM...
INFO: Reading PEM Certificate from File ManagementCA.cacert.pem
SUCCESS: BIO_new
INFO: Using existing key file "user_key.pem"
INFO: Reading Public Key from File user_key.pem
INFO: the passphrase is ""...
SUCCESS: Reading PKEY
INFO: Sending Initialization Request
ERROR: received no initial Client Certificate. FILE cmpclient.c, LINE 394
140725023463072:error:3209608B:CMP routines:CMP_doInitialRequestSeq:pkibody
error:cmp_ses.c:381:bodytype=23, error="PKIStatus: rejection,
PKIFailureInfo: badMessageCheck: Could not extract password from CRMF
request using the RegTokenPwd authentication module"
***@ejbca:~/cmpforopenssl-code-766/src/openssl-client$


and the following error in the EJBCA VM server logs:

15:48:59,073 INFO [org.ejbca.ui.web.protocol.CmpServlet]
(http--0.0.0.0-8080-1) CMP message received from: 127.0.0.1, for CMP alias:
vmware
15:48:59,136 INFO [org.ejbca.core.protocol.cmp.CrmfMessageHandler]
(http--0.0.0.0-8080-1) Could not extract password from CRMF request using
the RegTokenPwd authentication module
15:48:59,157 INFO [org.ejbca.ui.web.protocol.CmpServlet]
(http--0.0.0.0-8080-1) Sent a CMP response to: 127.0.0.1, process time 84.

I have no clue what is wrong, please suggest.

Thanks
Barinder
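
Added example, not part of the thread or of the cmpforopenssl code: a triage of the two client error outputs posted above. It separates the HTTP-level failure (the one that went away once --path was corrected) from the CMP-level rejection, where the server answered with an error body (PKIBody tag 23 in RFC 4210) carrying its PKIFailureInfo. The helper names and the classification by source file name are assumptions of this example.

```python
import re
# PKIBody CHOICE tags (RFC 4210) relevant to an ir exchange.
PKIBODY = {0: "ir", 1: "ip", 19: "pkiconf", 23: "error", 24: "certConf"}

# One OpenSSL error-queue entry: tid:error:code:lib:func:reason:file:line:data
ENTRY = re.compile(r"^\d+:error:[0-9A-Fa-f]{8}:[^:]*:(?P<func>[^:]*):"
                   r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<data>.*)$")

# Client output copied from the two posts above, still wrapped as the mail was.
FIRST_RUN = """\
ERROR: received no initial Client Certificate. FILE cmpclient.c, LINE 394
139753323554464:error:3209D07F:CMP routines:CMP_PKIMESSAGE_http_perform:invalid
content type:cmp_http.c:906:
139753323554464:error:32096083:CMP routines:CMP_doInitialRequestSeq:ip not
received:cmp_ses.c:373:
"""
SECOND_RUN = """\
140725023463072:error:3209608B:CMP routines:CMP_doInitialRequestSeq:pkibody
error:cmp_ses.c:381:bodytype=23, error="PKIStatus: rejection,
PKIFailureInfo: badMessageCheck: Could not extract password from CRMF
request using the RegTokenPwd authentication module"
"""

def unwrap(text):
    """Re-join queue entries that were wrapped across lines."""
    entries = []
    for line in text.splitlines():
        if re.match(r"\d+:error:", line):
            entries.append(line.strip())
        elif entries and line.strip():
            entries[-1] += " " + line.strip()
    return entries

def triage(text):
    """Return one dict per queue entry, in the order the client printed them."""
    out = []
    for m in filter(None, map(ENTRY.match, unwrap(text))):
        body = re.search(r"bodytype=(\d+)", m["data"])
        info = re.search(r"PKIFailureInfo: (\w+)", m["data"])
        module = re.search(r"using the (\w+) authentication module", m["data"])
        out.append({
            # Assumption: cmp_http.c entries are transport problems, others CMP-level.
            "layer": "http" if m["file"] == "cmp_http.c" else "cmp",
            "reason": m["reason"],
            "body": PKIBODY.get(int(body[1]), "other") if body else None,
            "failinfo": info[1] if info else None,
            "module": module[1] if module else None,
        })
    return out
```

For the first run the leading entry is an `http`-layer "invalid content type"; for the second it is a `cmp`-layer error body whose text names the authentication module the server applied, which can be compared against the alias configuration described in the first post.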