
Comments (10)

xipki commented on May 27, 2024
  • unsupported digest algorithm 1.2.840.113549.2.5 indicates that the SCEP Request (CMSSignedData) is signed with "MD5withRSA". This algorithm is insecure and NOT supported in XiPKI.

  • encryption with algorithm 1.3.14.3.2.7 is not permitted indicates that the message is encrypted with DES which is again insecure and NOT supported in XiPKI.

  • The password will be generated in XiPKI via following command

    xipki-ca:user-add --name user1 --password password1 --cn-regex '.*'
    

    And the challenge password for the CSR is user1:password1.

from xipki.
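The two error messages in the comment above are a policy check on the algorithm identifiers inside the CMS message. The following is an added example, not XiPKI's code: a small BER/DER walker that pulls every OBJECT IDENTIFIER out of a message and classifies it against a deny list built from the two OIDs quoted in the thread (MD5 digest 1.2.840.113549.2.5, DES-CBC 1.3.14.3.2.7, plus the MD5-with-RSA signature OID). The accepted-list entries are the well-known SHA-1, SHA-256 and AES-256-CBC OIDs. The two sample messages at the bottom are constructed stand-ins for the AlgorithmIdentifier fields of a SignedData/EnvelopedData pair, not captures from the reporter's router; the legacy one is wrapped in a BER indefinite-length SEQUENCE because some SCEP clients emit that form.

```python
"""Audit the algorithm OIDs inside a CMS/SCEP message against a policy.
Added example, not XiPKI's code: a small BER/DER walker that classifies
every OBJECT IDENTIFIER it finds. The deny list holds the two OIDs from the
thread's error messages; sample messages are constructed at the bottom."""

WEAK_OIDS = {                                      # rejected by XiPKI
    "1.2.840.113549.2.5": "md5",                   # 'unsupported digest algorithm'
    "1.3.14.3.2.7": "desCBC",                      # 'encryption ... is not permitted'
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}
ACCEPTED_OIDS = {                                  # what a current client sends
    "1.3.14.3.2.26": "sha1",                       # used by the thread's demo
    "2.16.840.1.101.3.4.2.1": "sha256",
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",
}

def decode_oid(body: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents octets to dotted form."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                           # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def parse(data: bytes, offset: int = 0, end=None, out=None):
    """Append (tag, body) of every TLV in data[offset:end] to out, descending
    into constructed values; returns (next_offset, out). Handles BER
    indefinite lengths (0x80 ... 00 00), which some SCEP clients emit."""
    out = [] if out is None else out
    end = len(data) if end is None else end
    while offset < end:
        tag, first = data[offset], data[offset + 1]
        offset += 2
        if tag == 0x00 and first == 0x00:          # end-of-contents marker
            return offset, out
        if first == 0x80:                          # indefinite length
            if not tag & 0x20:
                raise ValueError("indefinite length on a primitive value")
            offset, _ = parse(data, offset, end, out)
            continue
        length = first
        if first & 0x80:                           # long form length
            n = first & 0x7F
            length = int.from_bytes(data[offset:offset + n], "big")
            offset += n
        if offset + length > end:
            raise ValueError("TLV length exceeds enclosing value")
        body = data[offset:offset + length]
        out.append((tag, body))
        if tag & 0x20:                             # constructed: recurse
            parse(data, offset, offset + length, out)
        offset += length
    return offset, out

def audit_algorithms(message: bytes) -> dict:
    """Return weak / accepted / unknown algorithm names (or OIDs) found in
    message. A non-empty 'weak' list is the condition behind the two XiPKI
    errors quoted in the thread; 'unknown' should be rejected as well."""
    result = {"weak": [], "accepted": [], "unknown": []}
    for tag, body in parse(message)[1]:
        if tag != 0x06:                            # OBJECT IDENTIFIER only
            continue
        oid = decode_oid(body)
        if oid in WEAK_OIDS:
            result["weak"].append(WEAK_OIDS[oid])
        elif oid in ACCEPTED_OIDS:
            result["accepted"].append(ACCEPTED_OIDS[oid])
        else:
            result["unknown"].append(oid)
    return result

def tlv(tag: int, body: bytes) -> bytes:          # short-form lengths suffice here
    return bytes([tag, len(body)]) + body

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    octets = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                 # base-128, high bit set
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        octets.extend(reversed(chunk))
    return tlv(0x06, bytes(octets))

def algorithm_identifier(oid: str, params: bytes) -> bytes:
    return tlv(0x30, encode_oid(oid) + params)

NULL = bytes([0x05, 0x00])
# Constructed sample input: the digestAlgorithm of SignedData and the
# contentEncryptionAlgorithm of EnvelopedData in an indefinite-length SEQUENCE.
LEGACY_REQUEST = (bytes([0x30, 0x80])
                  + algorithm_identifier("1.2.840.113549.2.5", NULL)
                  + algorithm_identifier("1.3.14.3.2.7", tlv(0x04, bytes(8)))
                  + bytes([0x00, 0x00]))
MODERN_REQUEST = tlv(0x30, algorithm_identifier("2.16.840.1.101.3.4.2.1", NULL)
                     + algorithm_identifier("2.16.840.1.101.3.4.1.42", tlv(0x04, bytes(16))))
```

Calling `audit_algorithms(LEGACY_REQUEST)` reports `md5` and `desCBC` under `weak`, which is the same condition XiPKI reports in the two error lines; `audit_algorithms(MODERN_REQUEST)` reports only accepted names. A server-side check like this sits before any signature verification or decryption, so a client pinned to legacy algorithms fails fast with a readable reason instead of a generic enrollment failure.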

xipki commented on May 27, 2024

You can also create the password in the cisco tool, but in the form username:password. Then add the user in xipki.


Ales999 commented on May 27, 2024

Thanks for reply.

My enrollment still does not work :-(

In https://www.m00nie.com/type-7-password-tool/ I encrypted the password 'cisco' as 02050D480809.
Then, I created the user 'cisco' and logged in:

!
aaa new-model
!
!
aaa authentication login default local
aaa authorization network default none
!
!
username cisco password 7 02050D480809
!

Next, login to console:
...
User Access Verification

Username: cisco
Password:

R1#
.

  1. in xipki, drop and recreate the database, and #rm -rf output data

  2. modify demo.d/scep-server.script
    xipki-ca:user-add
    --name cisco
    --password cisco
    --cn-regex '.*'

  3. modify scep.script
    xipki-tk:req-p12
    --hash $HASH
    --p12 output/SCEP-OCSP1.p12
    --password 1234
    --challenge-password cisco:cisco
    --subject "CN=SCEP-OCSP1,O=xipki,C=DE"
    --out output/SCEP-OCSP1.csr

Then, recreate:
karaf@root()> source xipki/demo/demo.script SHA1 PKCS12 RSA 2048

Back to cisco, and recreate trustpoint
R1(config)#no crypto pki trustpoint SubCAwithCRL1
% Removing an enrolled trustpoint will destroy all certificates
received from the related Certificate Authority.

Are you sure you want to do this? [yes/no]: yes
% Be sure to ask the CA administrator to revoke your certificates.

No enrollment sessions are currently active.

R1(config)#
and create again:
R1(config)#crypto pki trustpoint SubCAwithCRL1
R1(ca-trustpoint)# enrollment mode ra
R1(ca-trustpoint)#$ url http://192.168.101.22:8080/scep/SubCAwithCRL/OCSP
R1(ca-trustpoint)# serial-number
R1(ca-trustpoint)# fqdn R1.xipki.org
R1(ca-trustpoint)# ip-address none
R1(ca-trustpoint)# subject-name CN=R1.xipki.org,O=xipki,C=DE
R1(ca-trustpoint)# revocation-check crl none
R1(ca-trustpoint)# rsakeypair KEY2048
R1(ca-trustpoint)# hash sha1
R1(ca-trustpoint)#
R1(ca-trustpoint)#exit

Try:

R1(config)#crypto pki authenticate SubCAwithCRL1
Trustpoint 'SubCAwithCRL1' is a subordinate CA and holds a non self signed cert
Certificate has the following attributes:
Fingerprint MD5: 9837377F 42998693 6C1A28DC 4F38B212
Fingerprint SHA1: 068C57E9 05C839AE 2FF1323F FFEF699D F692116B

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
R1(config)#crypto pki enroll SubCAwithCRL1
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.

Password:
Re-enter password:

% The subject name in the certificate will include: CN=R1.xipki.org,O=xipki,C=DE
% The subject name in the certificate will include: R1.xipki.org
% The serial number in the certificate will be: 4279256517
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose SubCAwithCRL1' commandwill show the fingerprint.

R1(config)#
*Feb 25 20:01:16.827: CRYPTO_PKI: Certificate Request Fingerprint MD5: 77455457 3DF36142 C784CFDD 5EA899E2
*Feb 25 20:01:16.827: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 7DB6AA13 E6663161 21D5245E 837FBFE1 CF61AA6B
R1(config)#
*Feb 25 20:01:17.311: %PKI-6-CERTFAIL: Certificate enrollment failed.
R1(config)#

Something I do not understand is where this goes wrong.


Ales999 commented on May 27, 2024

Tested with:

xipki-ca:user-add
--name cisco
--password 02050D480809
--cn-regex '.*'

and

xipki-tk:req-p12
--hash $HASH
--p12 output/SCEP-OCSP1.p12
--password 1234
--challenge-password cisco:02050D480809
--subject "CN=SCEP-OCSP1,O=xipki,C=DE"
--out output/SCEP-OCSP1.csr

Does not work :-(

xipki's answer: the command req-p12 is not required in your case. And the password of xipki-ca:user-add should be 'cisco' in your case.


xipki commented on May 27, 2024

The command xipki-tk:req-p12 is not required in your case, since the CSR will be generated by the cisco tool.

For better debug, could you please add the XiPKI log file /data/log/karaf.log?


Ales999 commented on May 27, 2024

OK, I set the passwords back to 'cisco' and re-created the PKI:

R1#sh crypto pki certificates verbose
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 5DDA33D49098123C
Certificate Usage: Signature
Issuer:
cn=RCA1
o=xipki
c=DE
Subject:
cn=PSubCAwithCRL1S
o=xipki
c=DE
Validity Date:
start date: 06:15:59 UTC Feb 27 2017
end date: 06:15:58 UTC Feb 27 2025
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA1 with RSA Encryption
Fingerprint MD5: 852B316A AD523B35 83BFCC9D 07A68C00
Fingerprint SHA1: 12A343DF E81F0DDA 7038146B F47264C0 4D75991C
X509v3 extensions:
X509v3 Key Usage: 6000000
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: 7692FB4C 224078D5 E8B0867C ED5F5ED5 F77AC03B
X509v3 Basic Constraints:
CA: TRUE
X509v3 Subject Alternative Name:
xipki.org
[email protected]
192.168.101.22
X509v3 Authority Key ID: B556A958 47195FB6 B94B21C5 5882FFFF 4C741A57
Authority Info Access:
X509v3 CertificatePolicies:
Policy: 1.2.3.4.5
Associated Trustpoints: PSubCAwithCRL1S
Storage: nvram:RCA1#1212CA.cer

R1#sh run br
...
!
crypto pki trustpoint PSubCAwithCRL1S
enrollment mode ra
enrollment url http://192.168.101.22:8080/scep/SubCAwithCRL/OCSP
serial-number
fqdn R1.xipki.org
ip-address none
password 7 030752180500
subject-name CN=R1.xipki.org,O=xipki,C=DE
revocation-check none
rsakeypair KEY2048
hash sha1
!

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#crypto pki enroll PSubCAwithCRL1S
%
% Start certificate enrollment ..

% The subject name in the certificate will include: CN=R1.xipki.org,O=xipki,C=DE
% The subject name in the certificate will include: R1.xipki.org
% The serial number in the certificate will be: 4279256517
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose PSubCAwithCRL1S' commandwill show the fingerprint.

R1(config)#
*Feb 27 11:28:04.439: CRYPTO_PKI: Certificate Request Fingerprint MD5: 77455457 3DF36142 C784CFDD 5EA899E2
*Feb 27 11:28:04.439: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 7DB6AA13 E6663161 21D5245E 837FBFE1 CF61AA6B
R1(config)#
*Feb 27 11:28:04.871: %PKI-6-CERTFAIL: Certificate enrollment failed.
R1(config)#exit
R1#
R1#
*Feb 27 11:28:11.331: %SYS-5-CONFIG_I: Configured from console by cisco on console
R1#

logs dir attached, demo dir, and cisco startup config:

demo.tar.gz
R1_startup-config.cfg.zip
log.tar.gz


xipki commented on May 27, 2024

Just found time to check the log karaf.log. Still the same problem: you use unsupported algorithms. See my first comment for more details.


Ales999 commented on May 27, 2024

I read a lot of cisco documentation and did not find how to change this.
Can it be brought back for compatibility?


xipki commented on May 27, 2024

The MD5 and DES related algorithms are not supported by XiPKI and cannot be activated. Due to their security problems, it is not a good idea to implement them.


xipki commented on May 27, 2024

Will not be fixed. Not a bug.
