000022132 - Keon Certificate Authority (KCA) requires ChallengePassword attribute for SCEP certificate requests

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017. Version 4.


Article Number: 000022132
Applies To: Keon Certificate Authority 6.5.1
Microsoft Windows 2000 Server SP4
Simple Certificate Enrollment Protocol (SCEP)
Issue: Keon Certificate Authority (KCA) requires ChallengePassword attribute for SCEP certificate requests
A SCEP certificate request created with the open source SSCEP client and submitted to KCA fails: the certificate request is not saved by the KCA, and the KCA and system log files show no error messages.
SCEP requests from another client (based on RSA BSAFE Cert-C) work fine, and certificates are issued through SCEP.

After enabling trace logging in KCA (see the RSA Keon CA 6.5.1 Administrator's Guide) and capturing result codes by updating pkiclient.exe (see the solution "Debugging SCEP enrollment issues"), the trace shows that KCA returns the XrcNOTFOUND error. Selected entries from the KCA Administration Server's trace log file are listed below:

[Tue Jun 07 13:11:30 2005] [debug] C:\HOTFIXES_Releases\651build235\strong-sentry\comp\xscep\scep_server.c(1230): RSATrace: [scep    ] 1808   1632  Return code = XrcNOTFOUND (11).
[Tue Jun 07 13:11:30 2005] [debug] C:\HOTFIXES_Releases\651build235\strong-sentry\comp\xscep\scep_server.c(2555): RSATrace: [scep    ] 1808   1632  Return code = XrcNOTFOUND (11).
[Tue Jun 07 13:11:30 2005] [debug] C:\HOTFIXES_Releases\651build235\strong-sentry\comp\xscep\scep_server.c(2941): RSATrace: [scep    ] 1808   1632  Return code = XrcNOTFOUND (11).
[Tue Jun 07 13:11:30 2005] [debug] C:\HOTFIXES_Releases\651build235\strong-sentry\comp\xscep\scepPKCS7.cpp(828): RSATrace: [scep    ] 1808   1632  Return code = XrcOK (0).
[Tue Jun 07 13:11:30 2005] [debug] C:\HOTFIXES_Releases\651build235\strong-sentry\comp\xscep\scep_server.c(2150): RSATrace: [scep    ] 1808   1632  Return code = XrcNOTFOUND (11).

Cause: The SCEP certificate request generated by the SSCEP client did not contain the ChallengePassword attribute. KCA requires that the ChallengePassword attribute be set in the SCEP certificate request; requests without the password are rejected by KCA as "unauthenticated".
The latest SCEP draft available at http://www.ietf.org/internet-drafts/draft-nourse-scep-12.txt is not very clear, but appears to require ChallengePassword in requests.
Resolution
To correct this issue, ensure that the ChallengePassword attribute is set in the SCEP certificate request.
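Added example, not part of the RSA article or of the SSCEP project: a stdlib-only Python check that reports whether a DER-encoded PKCS#10 request actually carries the PKCS#9 challengePassword attribute (OID 1.2.840.113549.1.9.7), which is the condition KCA enforces. The build_test_csr skeleton is constructed test data (unsigned, with empty subject and key fields), not a real request.

```python
# Added example, not from the RSA article or the SSCEP project: a stdlib-only
# check for the PKCS#9 challengePassword attribute inside a PKCS#10 request.
# It walks the DER of CertificationRequestInfo and reports whether the
# attributes [0] field carries OID 1.2.840.113549.1.9.7, which KCA requires.

CHALLENGE_PASSWORD_OID = bytes.fromhex("2a864886f70d010907")  # 1.2.840.113549.1.9.7

def der(tag, content):
    """Encode one DER element; lengths up to 65535 are enough for test data."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    return bytes([tag, 0x82]) + len(content).to_bytes(2, "big") + content

def der_tlv(data, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits count length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value) for each element directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        yield tag, inner

def has_challenge_password(csr_der):
    """True if the CSR's attributes [0] SET contains a challengePassword attribute."""
    _, cert_request, _ = der_tlv(csr_der)          # CertificationRequest SEQUENCE
    _, request_info, _ = der_tlv(cert_request)     # CertificationRequestInfo SEQUENCE
    for tag, value in der_children(request_info):
        if tag == 0xA0:                            # attributes [0] IMPLICIT SET OF Attribute
            for _, attribute in der_children(value):
                oid_tag, oid, _ = der_tlv(attribute)   # Attribute ::= SEQUENCE { type OID, values SET }
                if oid_tag == 0x06 and oid == CHALLENGE_PASSWORD_OID:
                    return True
    return False

def build_test_csr(with_password):
    """Constructed test data: unsigned PKCS#10 skeleton (empty subject and key), not a real CSR."""
    attrs = b""
    if with_password:
        attrs = der(0x30, der(0x06, CHALLENGE_PASSWORD_OID) + der(0x31, der(0x13, b"secret")))
    info = der(0x30, der(0x02, b"\x00") + der(0x30, b"") + der(0x30, b"") + der(0xA0, attrs))
    return der(0x30, info + der(0x30, b"") + der(0x03, b"\x00"))
```

For a real request, pass the DER bytes to has_challenge_password, for example the base64-decoded body of a PEM file with its BEGIN/END lines removed.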

NOTE: RSA Security is reviewing whether or not KCA should require the ChallengePassword attribute in SCEP certificate requests. Contact RSA Security Customer Support for more details on the current status.
Legacy Article ID: a26958
