000026015 - SCEP request results in XrcDECODINGFAILURE, certificate is issued but not returned to SCEP client

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000026015
Applies To: Keon Registration Authority 6.5.1
Keon Certificate Authority 6.5.1
Microsoft Windows 2000 Advanced Server SP4
Simple Certificate Enrollment Protocol (SCEP)
nCipher Hardware Security Module
Issue: SCEP request results in XrcDECODINGFAILURE; the certificate is issued but not returned to the SCEP client.
Trying to use SCEP from a Cisco device to the RA.
SCEP request to KCA works, but not to KRA.

Vetting via SCEP to an HSM-protected Registration Manager fails. The certificate is issued but is not returned to the SCEP client.

When a Registration Manager installation has its SSL keys protected by a hardware security module (HSM), SCEP enrollment fails: a certificate is issued for the SCEP request, but it is never returned to the SCEP device. The same request from the same SCEP client to a Registration Manager installation whose SSL keys are software-based succeeds, so the failure is specific to the HSM-backed key.

Cause: If the request is submitted to the RA, the SCEP server handles the malformed PKCS#10 request. There is a special case in the code that parses the malformed PKCS#10 and constructs a replacement PKCS#10: the extensionReq attribute in the malformed request is encoded as a TeletexString, so the server decodes that string and builds a new PKCS#10 whose extensionReq attribute carries a proper SET of extensions.
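The TeletexString-wrapped extensionReq described above, as an added example (this is not Keon or RSA code). The page does not say what the Cisco client put inside the TeletexString, so the example assumes, as a labelled assumption, that the string's content is the DER of the Extensions SEQUENCE. With a minimal DER codec it classifies an extensionRequest attribute as well formed or TeletexString-wrapped and rebuilds the well-formed SET OF Extensions, mirroring the rebuild the article describes; the sample attributes are constructed inline.

```python
# Added example: classify and normalise the PKCS#10 extensionRequest attribute
# (1.2.840.113549.1.9.14). Not Keon/RSA code; pure-Python DER, no dependencies.

TAG_BOOLEAN = 0x01
TAG_BIT_STRING = 0x03
TAG_OCTET_STRING = 0x04
TAG_OID = 0x06
TAG_TELETEX_STRING = 0x14
TAG_SEQUENCE = 0x30
TAG_SET = 0x31

OID_EXTENSION_REQUEST = bytes.fromhex("2a864886f70d01090e")  # 1.2.840.113549.1.9.14
OID_KEY_USAGE = bytes.fromhex("551d0f")                     # 2.5.29.15


def der_length(n: int) -> bytes:
    """DER length, short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def parse_tlv(buf: bytes, off: int = 0):
    """Return (tag, body, next_offset) for the TLV starting at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    end = off + length
    if end > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[off:end], end


def children(body: bytes):
    """Split a constructed value's body into (tag, body) pairs."""
    out, off = [], 0
    while off < len(body):
        tag, child, off = parse_tlv(body, off)
        out.append((tag, child))
    return out


def key_usage_extensions() -> bytes:
    """Extensions ::= SEQUENCE OF Extension; one critical keyUsage
    (digitalSignature | keyEncipherment) as the constructed sample payload."""
    bits = tlv(TAG_BIT_STRING, bytes([0x05, 0xA0]))  # 5 unused bits, bits 0 and 2 set
    ext = tlv(TAG_SEQUENCE, tlv(TAG_OID, OID_KEY_USAGE) + tlv(TAG_BOOLEAN, b"\xff")
              + tlv(TAG_OCTET_STRING, bits))
    return tlv(TAG_SEQUENCE, ext)


def extension_request_attribute(value: bytes) -> bytes:
    """Attribute ::= SEQUENCE { type OID, values SET OF ANY }."""
    return tlv(TAG_SEQUENCE, tlv(TAG_OID, OID_EXTENSION_REQUEST) + tlv(TAG_SET, value))


def classify(attr: bytes) -> str:
    """'sequence' for a well-formed extensionRequest, 'teletex' for the
    TeletexString-wrapped variant, 'unknown' otherwise."""
    tag, body, _ = parse_tlv(attr)
    parts = children(body)
    if tag != TAG_SEQUENCE or len(parts) != 2:
        raise ValueError("attribute must be SEQUENCE { OID, SET }")
    (oid_tag, oid), (set_tag, values) = parts
    if oid_tag != TAG_OID or oid != OID_EXTENSION_REQUEST or set_tag != TAG_SET:
        raise ValueError("not an extensionRequest attribute")
    vals = children(values)
    if len(vals) != 1:
        return "unknown"
    return {TAG_SEQUENCE: "sequence", TAG_TELETEX_STRING: "teletex"}.get(vals[0][0], "unknown")


def normalize(attr: bytes) -> bytes:
    """Return a well-formed attribute. ASSUMPTION (not stated on the page):
    the TeletexString content is the DER of the Extensions SEQUENCE."""
    kind = classify(attr)
    if kind == "sequence":
        return attr
    if kind != "teletex":
        raise ValueError("cannot normalise attribute of kind %r" % kind)
    _, body, _ = parse_tlv(attr)
    _, (_, values) = children(body)
    _, inner = children(values)[0]
    tag, _, end = parse_tlv(inner)
    if tag != TAG_SEQUENCE or end != len(inner):
        raise ValueError("TeletexString does not wrap a single Extensions SEQUENCE")
    return extension_request_attribute(inner)


# Constructed samples: the correct encoding and the TeletexString-wrapped one.
WELL_FORMED = extension_request_attribute(key_usage_extensions())
BROKEN = extension_request_attribute(tlv(TAG_TELETEX_STRING, key_usage_extensions()))

if __name__ == "__main__":
    print("well-formed:", classify(WELL_FORMED))
    print("broken:", classify(BROKEN))
    print("normalised matches well-formed:", normalize(BROKEN) == WELL_FORMED)
```

A real request would be read by parsing the CertificationRequestInfo and walking its [0] attributes; the classify/normalize pair applies unchanged to the extensionRequest attribute found there. Treat any rebuilt request as untrusted input when re-signing: the RA, not the client, now vouches for the extension set.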

The RA SCEP signing and encryption keys are generated on the nCipher HSM. Signing the PKCS#7 message then fails because the crypto provider is hard-coded to "XCSP Default Provider" rather than the provider that holds the HSM-backed key, and the signing call returns XrcOTHERERROR.
Resolution

In RSA Keon Registration Authority 6.5.1 build 255, the provider type is selected based on the private key, and the matching provider is used to sign the PKCS#7 envelope. For an nCipher-protected key the provider is set to "XCSP nCipher Native", and PKCS#7 signing then works properly.

Download KRA 6.5.1 build 255 or higher from RSA SecurCare Online, or contact RSA Customer Support.

Legacy Article ID: a32478
