|Applies To||Keon Registration Authority 6.5.1|
Keon Certificate Authority 6.5.1
Microsoft Windows 2000 Advanced Server SP4
Simple Certificate Enrollment Protocol (SCEP)
nCipher Hardware Security Module
|Issue||SCEP request results in XrcDECODINGFAILURE; the certificate is issued but is not returned to the SCEP client|
Attempting to use SCEP from a Cisco device to the Registration Authority (RA).
The SCEP request to the Keon Certificate Authority (KCA) works, but the same request to the Keon Registration Authority (KRA) does not.
Vetting via SCEP through an HSM-protected Registration Manager fails: the certificate is issued but is not returned to the SCEP client.
When a Registration Manager installation has its SSL keys protected by a hardware security module (HSM), SCEP enrollment fails. A certificate is issued for the SCEP request, but it is not returned to the SCEP device. The same request from the same SCEP client to a Registration Manager installation whose SSL key is software-based succeeds.
|Cause||When the request is submitted to the RA, the SCEP server has to handle a malformed PKCS#10 request: the extensionRequest attribute in the request is encoded as a TeletexString rather than as a SEQUENCE of extensions. A special case in the code parses this malformed PKCS#10, decodes the TeletexString-encoded extensionRequest, and constructs a new PKCS#10 whose extensionRequest attribute carries a proper SET of extensions.|
The RA SCEP signing and encryption keys are generated on the nCipher HSM. Signing the PKCS#7 response then fails because the Cryptographic Service Provider is hard-coded to "XCSP Default Provider", which cannot use the HSM-held key; the signing call returns XrcOTHERERROR, the SCEP client reports XrcDECODINGFAILURE, and the certificate that was issued is never delivered.
|Resolution||In RSA Keon Registration Authority 6.5.1 build 255, the provider type is selected based on the private key, and the matching provider is used to sign the PKCS#7 envelope. For nCipher-protected keys the provider is set to "XCSP nCipher Native", and the PKCS#7 signing then succeeds.|
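The special case described under Cause, as an added example that is not RSA Keon code: a minimal hand-written DER codec that recognises a PKCS#10 extensionRequest attribute (OID 1.2.840.113549.1.9.14) whose value arrived as a TeletexString instead of a SEQUENCE of Extension, and rebuilds it as a well-formed attribute. The sample keyUsage extension is constructed inline, and the example assumes the TeletexString body carries the DER bytes of the Extensions SEQUENCE; the article does not say how the broken client wrapped it, so treat that wrapping as an assumption.

```python
# Added example (not RSA Keon code): normalise a PKCS#10 extensionRequest
# attribute whose value was encoded as a TeletexString instead of a SEQUENCE
# of Extension. Assumption: the TeletexString body is the DER Extensions
# SEQUENCE; the article does not describe the exact wrapping.

EXTENSION_REQUEST_OID = "1.2.840.113549.1.9.14"
KEY_USAGE_OID = "2.5.29.15"
TAG_BOOLEAN, TAG_BIT_STRING, TAG_OCTET_STRING, TAG_OID = 0x01, 0x03, 0x04, 0x06
TAG_TELETEX_STRING, TAG_SEQUENCE, TAG_SET = 0x14, 0x30, 0x31


def der_length(n):
    """Definite-form DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body


def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def decode_oid(body):
    """DER OBJECT IDENTIFIER body -> dotted string."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def read_tlv(data, pos=0):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:end], end


def read_children(body):
    """Split a constructed body into its (tag, body) children."""
    children, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        children.append((tag, value))
    return children


def build_extensions():
    """Constructed sample: one critical keyUsage (digitalSignature, keyEncipherment)."""
    key_usage = tlv(TAG_BIT_STRING, b"\x05\xa0")
    ext = tlv(TAG_SEQUENCE, encode_oid(KEY_USAGE_OID)
              + tlv(TAG_BOOLEAN, b"\xff")
              + tlv(TAG_OCTET_STRING, key_usage))
    return tlv(TAG_SEQUENCE, ext)


def extension_request_attr(value):
    """Attribute ::= SEQUENCE { type OID, values SET OF value }."""
    return tlv(TAG_SEQUENCE, encode_oid(EXTENSION_REQUEST_OID) + tlv(TAG_SET, value))


def normalize_extension_request(attr):
    """Classify an extensionRequest attribute; return (kind, well_formed_attr).
    kind is 'extensions' for a correct attribute, 'teletex' for the broken form."""
    tag, body, _ = read_tlv(attr)
    children = read_children(body)
    if tag != TAG_SEQUENCE or len(children) != 2:
        raise ValueError("attribute must be SEQUENCE { OID, SET }")
    (oid_tag, oid_body), (set_tag, set_body) = children
    if oid_tag != TAG_OID or decode_oid(oid_body) != EXTENSION_REQUEST_OID:
        raise ValueError("not an extensionRequest attribute")
    values = read_children(set_body)
    if set_tag != TAG_SET or len(values) != 1:
        raise ValueError("extensionRequest must carry exactly one value")
    value_tag, value_body = values[0]
    if value_tag == TAG_SEQUENCE:
        return "extensions", attr
    if value_tag == TAG_TELETEX_STRING:
        # Assumed wrapping: the string body is the DER Extensions SEQUENCE.
        inner_tag, _, end = read_tlv(value_body)
        if inner_tag != TAG_SEQUENCE or end != len(value_body):
            raise ValueError("TeletexString does not wrap an Extensions SEQUENCE")
        return "teletex", extension_request_attr(value_body)
    raise ValueError("unexpected extensionRequest value tag 0x%02x" % value_tag)


if __name__ == "__main__":
    good = extension_request_attr(build_extensions())
    broken = extension_request_attr(tlv(TAG_TELETEX_STRING, build_extensions()))
    print(normalize_extension_request(broken)[0], normalize_extension_request(broken)[1] == good)
```

The rebuilt attribute is byte-identical to a correctly encoded one, which is what lets the RA go on to issue from a PKCS#10 the generic parser would reject; any other value tag is refused rather than guessed at.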
|Legacy Article ID||a32478|