mikrotik scep +cisco CISCO2921/K9

Hi, we are using a Cisco router as a SCEP server and IPsec VPN concentrator for branches with other Cisco products.
But now we are also trying MikroTik for smaller branches.

Setup is quite straightforward, but we get stuck at the certificate enrollment (certificate signing request).
It seems to us that there is some base64-incompatible encryption.
Has anybody seen this, or got this solution working?

mikrotik conf:

 certificate print detail 
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted 
 0 K      T name="4Rest" issuer=C=AT,L=XXXX country="XX" locality="HXXXXXl" key-size=2048 days-valid=365 trusted=yes key-usage=key-cert-sign 
            scep-url=1xx.1yy.2zz.15/cgi-bin/pkiclient.exe

logs

cisco debug:

Dec  9 11:59:21.956: CRYPTO_PKI_SCEP: CS received PKIOperation request
Dec  9 11:59:21.956: CRYPTO_CS: processing SCEP request, 3504 bytes
Dec  9 11:59:21.956: CRYPTO_CS: failed to base64 decode request

mikrotik debug:

13:30:01 certificate,debug resuming job: first enroll 
13:30:01 certificate,debug,packet encoding message type: PKCS#10 request (19) 
13:30:01 certificate,debug,packet transaction: 746c854d25260b30133f55872bf0c0467fd3fa26ec82cb6d377a79f1e80b4953 
13:30:01 certificate,debug,packet sender nonce: 1e3ecc5d9508a3bb52a442f2d623a15b 
13:30:01 certificate,debug doing GET request: PKIOperation 
13:30:01 certificate,debug,packet 474554202f6367692d62696e2f706b69636c69656e742e6578653f6f7065726174696f6e3d504b494f7065726174696f6e266d6573736167653d4d49494a7451594a4b6f5a496876634e4151634
36f49494a706a43434361494341514578437a414a4267557244674d43476755414d4949443641594a4b6f5a496876634e4151 
13:30:01 certificate,debug,packet 63426f49494432515343413955776767505242676b71686b69473977304242774f67676750434d4949447667494241444742776a4342767749424144416f4d434d784954416642674e5642414d5
447465a51546b68565169314451564e424c6d317061325675623342684c6d4e76625149424154414e42676b71686b69473977 
13:30:01 certificate,debug,packet 304241514546414153426743326162547053596a55744548656b6f357546744139434b3743545732574a6671575877736b514663794942614d694162706f70484a527158424c4b6547736642745
9434e4e7048686a503941647130713945752f636f6c3858534e6f76686e4d7765627a5962714572324a557272645836787869 
13:30:01 certificate,debug,packet 51584d6763446946587736493533776b7a35514749636b4c5a5a6651704b6175494354736c4165374b47784d375744596b4d2b582f594d4949433867594a4b6f5a496876634e415163424d42454
74253734f417749484241694f734b72566e48585a56344343417444664865716a786c615235666a3366306d6b47656f586d4f 
13:30:01 certificate,debug,packet 4b63662b2f68336952526d7847613568354f666f6a675365503647647534775433322f6f4c683444734a2f7a694b4e4f76766d786d7732746e52374447666b4c6b33325979696671656471564c7
a4936454e633352544a76724f4b53656e653150626d712f6d7a704b3930497165736e47634c6161737372764a766b56733734 
13:30:01 certificate,debug,packet 74464144734b375a54414865416443326c4e6b42414e75414f61656355762b467874566f6b456a3877506b385478517439704b56466b4c4b5059446b6b2f5474663972524778453736477472624
86a384b6d72734d427643663768667535333530355236534a75437644657437587334436b325a5145345745326a776973546c 
13:30:01 certificate,debug,packet 66736133685655772f347644456d3863384966636234543358742f47664768716b366c6b4673726e2b44496d6e526d7a63374d4d4c6543536a7952434b48614e4c2b3533736d534441484c2f557
434725847485153374847396b724e746d534b55313464376866453266762f6c523863684f2b4f4b50582f7475645068717271 
13:30:01 certificate,debug,packet 6d4a48365438535a4d6d564d4d772b714b6437657951467a4a4967362b4d4b5a4974686a38654855376f6c61426d3145564a3341643139797a734c37472f586158462b507975396b6e352f74754
95844732b55443351676853663533435169504f777132496b656b364644654e63306d724963574a47352f6d61494631714f36 
13:30:01 certificate,debug,packet 63314f554c707761634e6a723638772b596977764c5354794a712b682b33536837395245736b5634382b46652f30707559684e6c73326e525370567255737350676b472f766861395a4d65634a3
442444d557433426f652f655459384b6b31772f4f646e634f6d665866372f6a326e4674794d68585234586f4b4c302b62366e 
13:30:01 certificate,debug,packet 6f656f706b3171443735356f773464756d2f3043712f7a4d4b43474f62316b4979357261656a57626e4c4b44624343393537756734417742424d4438446a6e654138616c4a50307556686b71756
24145774d4a735a6a5963416a4162484d354e735a666a797674453755686c7734624a7a6e704e334c527942746c4554446f5a 
13:30:01 certificate,debug,packet 682f305a53486b695a366a73545171483349594136326371674d39455945673534724e346f454a4c2b4c52596144706736532f597a456971724b64666b5971394547524d724c36656e63674e315
7687661456a4457456353334b702f34746d3952354c7079442f6c55504163772b7763454e2b4e30515a6f326d307833665069 
13:30:01 certificate,debug,packet 436a426f586875596d33545132706e67445a6758356335304d654664634e377778646a434f4a5376536767674d344d4949444e44434341687967417749424167494943417139777935307279637
74451594a4b6f5a496876634e4151454c425141774a54454c4d416b474131554542684d4351565178466a415542674e564241 
13:30:01 certificate,debug,packet 634d44556868624777676157346756476c79623277774868634e4d5459784d6a41354d5449784e7a55325768634e4d5463784d6a41354d5449784e7a5532576a416c4d517377435159445651514
745774a42564445574d425147413155454277774e53474673624342706269425561584a7662444343415349774451594a4b6f 
13:30:01 certificate,debug,packet 5a496876634e4151454242514144676745504144434341516f4367674542414e5859555838304130676571544644517766783449564c734c7835347137494876617459435850352b7172746f766
7387878325954382f413664392b4e4e6d55743334652f47657864563755635a362f546e556a4f785a693978576365674b4c5a 
13:30:01 certificate,debug,packet 4d706e3068303651656349714f6f33416a73545153374d7a595170372b6a6d6e556e562f33684363305a4c4b54612b4f57593749626f6734744561356d7a677276704a324737534a68395942773
5627864646749686f4a6746307159786f70486557676b504e456e394873735a57713074714b4a6b75395669585a6855613154 
13:30:01 certificate,debug,packet 48354378587a2f35415a594f50504d6f6d6a4131694f516359636253656262774f6742374b363736375966464852326c7631334c3650317a6e5a524b6376497246507534717932692f325a6e722
f57597a59756a7178496e30597245706143363847624a633837646f32326a54304a4e324f344f30434177454141614e6f4d47 
13:30:01 certificate,debug,packet 597744775944565230544151482f42415577417745422f7a414f42674e56485138424166384542414d4341675177485159445652304f4242594546437a346e3435626f75367a3652354f6e4a575
93479724a466569674d43514743574347534147472b45494244515158466856485a57356c636d46305a575167596e6b67556d 
13:30:01 certificate,debug,packet 39316447567954314d774451594a4b6f5a496876634e4151454c42514144676745424141544279345653787a336e365530617232684259316e39563076734c5636704539644e422b51743230775
14a3869743576532b355a6471314a6438677461586f4568573056685974322b664346392b723061344c64394a337a334c5538 
13:30:01 certificate,debug,packet 754a7369734a796a3364555a4f494d5a5a75725878622f706978555672344778685567756465524f616257615777336738796739456d4f4c424a32455852584c713852786134694f4a6671786a4
27736506941537a6d4f4679504f3935645436647843523063446c71486a6d455465555a56357941536e7a514941345345544a 
13:30:01 certificate,debug,packet 5865574d725365394f2b716c6c4a4f31494371782b686f74504b4956385969796149352f2f3462714d65566e4472486b374f5135306f31425739624b79584b6e713032344b705734416c3674344
530356536475745496f6d2f6c5473446f4347666e467444434a306142785a70677a2f5466384a6f6f3051307867674a6d4d49 
13:30:01 certificate,debug,packet 494359674942415441784d435578437a414a42674e5642415954416b46554d5259774641594456515148444131495957787349476c7549465270636d397341676749437233444c6e53764a7a414
a4267557244674d43476755416f494942436a415142677067686b67426876684641516b474d5149454144415242677067686b 
13:30:01 certificate,debug,packet 67426876684641516b444d514d54415441774567594b59495a49415962345251454a416a4545457749784f54415942676b71686b69473977304243514d784377594a4b6f5a496876634e4151634
24d42774743537147534962334451454a42544550467730784e6a45794d446b784d6a4d774d4446614d434147436d43475341 
13:30:01 certificate,debug,packet 47472b4555424351557845675151486a374d585a55496f37745370454c7931694f68577a416a42676b71686b6947397730424351517846675155364c67394e7a68534a564949515935776b54635
a354d394339304d775541594b59495a49415962345251454a427a4643453041334e445a6a4f4455305a4449314d6a5977596a 
13:30:01 certificate,debug,packet 4d774d544d7a5a6a55314f446379596d5977597a41304e6a646d5a444e6d595449325a574d344d6d4e694e6d517a4e7a64684e7a6c6d4d5755344d4749304f54557a4d413047435371475349623
3445145424151554142494942414d78434b683175316e722b6e2f38676a7330763666462b572f4e76615278706a792f396576 
13:30:01 certificate,debug,packet 4436724359665077684e307a4b4235425a49474171502f546f7268427365532f572f537a3079486b5435496f7869564a3677613972376f6441434e33385966316938586479576e6c486e745a2f5
3455a796931426b354e7248516565416b5250345a6e733836587935687073495142694f4149794b51314b65764b5470474b56 
13:30:01 certificate,debug,packet 5531794d6d4251686466685555615945396a316859556f376c47744376767a6d45796934613759704469313279324a73654b385a38524e397436362f39555a344539667249692b5965313452746
b3547716e47696866713467566c653654394243337a6e314e65574559796c464435737a4945714377544d396b3939756c7835 
13:30:01 certificate,debug,packet 363571546c3041486a70592b4f4f357a7a6a4f4533754f555459437a4f792b72453669367a6231527453723362427255493d20485454502f312e310d0a486f73743a203130392e3132332e32313
92e31350d0a557365722d4167656e743a204d696b726f74696b2f362e7820534345500d0a436f6e6e656374696f6e3a20636c 
13:30:01 certificate,debug,packet 6f73650d0a0d0a 
13:30:01 certificate,debug pki decode failed 
13:30:01 certificate,error reply decode failed: 1 
13:30:01 certificate,error scep client failure: requesting-certificate-failed

I've got the same problem. Does somebody know the solution to it?

The same problem with Windows.
MikroTik tried to get a certificate from a Windows Server CA and it was also unsuccessful.

status="requesting-certificate-failed"

log from Mikrotik
16:27:18 certificate,error reply decode failed: 1
16:27:18 certificate,error client failure: requesting-certificate-failed


I would be very obliged for any help. All devices (cisco, hp) get certificates without problems using SCEP except Mikrotik.

What versions of code have you tried on the MikroTik side?

Information about my mikrotik

routerboard: yes
model: RouterBOARD 750UP r2
serial-number: 65B304950DCC
firmware-type: qca9531L
factory-firmware: 3.29
current-firmware: 3.29
upgrade-firmware: 3.39


uptime: 4h30m28s
version: 6.40 (stable)
build-time: Jul/21/2017 08:45:31
factory-software: 6.34.1
free-memory: 40.2MiB
total-memory: 64.0MiB
cpu: MIPS 24Kc V7.4
cpu-count: 1
cpu-frequency: 650MHz
cpu-load: 11%
free-hdd-space: 4.9MiB
total-hdd-space: 16.0MiB
write-sect-since-reboot: 6625
write-sect-total: 44647
bad-blocks: 0%
architecture-name: mipsbe
board-name: hEX PoE lite
platform: MikroTik

Also I tried 6.38.5 and 6.34.1.

Any ideas? Is it a bug?

I don't think it's a bug; better to say it's an incompatibility. The question is whether the MikroTik guys will be willing to get it working or not.

I've tried sending an email to MikroTik support with a supout file and a pcap between the RB and my CA. Hope they will find a solution. If they find one I'll post it here.

let me know then, thanks! :wink:

It was found that the GET request for SCEP is not working properly.
The SCEP client, when sending a request, should add "pkiclient.exe" (in accordance with the RFC). For example
GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message="blablabla" HTTP/1.0
The RB client sends something like /certsrv/mscep/mscep.dll?operation=PKIOperation&message=…
It tries to use an HTTP POST message instead of GET. Unfortunately HTTP POST is an optional feature and CA servers are not obliged to support it (in accordance with the RFC). As a result they can't communicate with each other.

MikroTik support (support@mikrotik.com) gave me an answer that they will fix the GET request in the next RouterOS version. At the moment we have 6.40 (stable version) and 6.41rc6 (release candidate).
Hope we won't have to wait too long.

ooh! Thank you!

Looks like 6.41rc9 has the fix for this. Remember that release will migrate your device to the new VLAN aware bridges and away from switch chip (master-port) configurations.

I got this firmware from support. Unfortunately the result is the same. Waiting for a solution.

I'm going to test. Now the release candidate is available to download, and in the release log:

*) certificate - fixed SCEP “get” request URL encoding;

Please give your feedback after the test. For me nothing changed. The packet sniff shows me the same picture.
Support goes on thinking.

hm, so I did some tests with the new 6.41rc11 with almost the same results.

mikrotik:

/certificate> add common-name=mkay.test.com name=mkay.test.com state=CZ
/certificate> add-scep template=mkay.test.com scep-url="http://1xx.1yy.2zz.15/cgi-bin/pkiclient.exe" name=mkay.test.com

mikrotik debug:

12:19:09 certificate,debug resuming job: first enroll 
12:19:09 certificate,debug,packet encoding message type: PKCS#10 request (19) 
12:19:09 certificate,debug,packet transaction: 518fed88f4d6fe491c06ea101080a2b3c845f8f94f8264b71c5981f118e4aa65 
12:19:09 certificate,debug,packet sender nonce: 5f68b1b7f3755c2c324a14fc8cf3bc5b 
12:19:09 certificate,debug doing GET request: PKIOperation 
12:19:09 certificate,debug,packet 474554202f6367692d62696e2f706b69636c69656e742e6578653f6f7065726174696f6e3d504b4
94f7065726174696f6e266d6573736167653d4d49494a25326251594a4b6f5a496876634e415163436f49494a366a43434365594341514578
437a414a4267557244674d43476755414d4949454141594a4b6f5a496876634
....
....
....
12:19:09 certificate,debug,packet 447776724774457264455a7759376149795336346e31317739776d6644383548395335683579677
1394125336425336420485454502f312e310d0a486f73743a203130392e3132332e3231392e31350d0a557365722d4167656e743a204d696b
726f74696b2f362e7820534345500d0a436f6e6e656374696f6e3a20636c6f73 
12:19:09 certificate,debug,packet 650d0a0d0a 
12:19:09 certificate,debug pki decode failed 
12:19:09 certificate,error reply decode failed: 1 
12:19:09 certificate,error scep client failure: requesting-certificate-failed 
12:19:10 certificate,debug trust store

Cisco debug:

Aug 14 09:59:01.850: CRYPTO_PKI_SCEP: CS received GetCACaps request
Aug 14 09:59:01.850: CRYPTO_PKI_SCEP: CA sending list of capabilites (GetNextCACert Renewal SHA2 hashes)
Aug 14 09:59:01.850: CRYPTO_CS: Capabilities sent
Aug 14 09:59:01.858: CRYPTO_PKI_SCEP: CS received SCEP GetCACert request
Aug 14 09:59:01.858: CRYPTO_PKI_SCEP: CS sending CA certificate
Aug 14 09:59:01.858: CRYPTO_CS: CA certificate sent
Aug 14 09:59:02.714: CRYPTO_PKI_SCEP: CS received PKIOperation request
Aug 14 09:59:02.714: CRYPTO_CS: processing SCEP request, 3420 bytes
Aug 14 09:59:02.714: CRYPTO_CS: read SCEP: registered and bound service SCEP_READ_DB_11507
Aug 14 09:59:02.714: P11:C_CreateObject:
Aug 14 09:59:02.714:  CKA_CLASS: PUBLIC KEY
Aug 14 09:59:02.718:  CKA_KEY_TYPE: RSA
Aug 14 09:59:02.718:  CKA_MODULUS:
     D2 C3 C9 84 A1....................
     ..................................

Aug 14 09:59:02.718:  CKA_PUBLIC_EXPONENT:  01 00 01

Aug 14 09:59:02.718:  CKA_VERIFY_RECOVER:  01

Aug 14 09:59:02.718:  CRYPTO_PKI: Deleting cached key having key id 13242
Aug 14 09:59:02.718:  CRYPTO_PKI: Attempting to insert the peer's public key into cache
Aug 14 09:59:02.718:  CRYPTO_PKI:Peer's public inserted successfully with key id 13243
Aug 14 09:59:02.718: P11:C_CreateObject: 144315
Aug 14 09:59:02.718: P11:C_GetMechanismInfo slot 1 type 3 (invalid mechanism)
Aug 14 09:59:02.718: P11:C_GetMechanismInfo slot 1 type 1
Aug 14 09:59:02.718: P11:C_VerifyRecoverInit - 144315
Aug 14 09:59:02.718: P11:C_VerifyRecover - 144315
Aug 14 09:59:02.718: P11:found pubkey in cache using index = 13243
Aug 14 09:59:02.718: P11:public key found is :
     30 82 01 22 30 ....................
     ...........................

Aug 14 09:59:02.726: P11:CEAL:CRYPTO_NO_ERR
Aug 14 09:59:02.726: P11:C_DestroyObject 1:233BB
Aug 14 09:59:02.726:  CRYPTO_PKI: Expiring peer's cached key with key id 13243
Aug 14 09:59:02.726: CRYPTO_CS: scep msg type - 19
Aug 14 09:59:02.726: CRYPTO_CS: trans id - e45ff488f785bfd2a0352118ab4bd998e86c7952555c35dfc4702289e13fe1a3
Aug 14 09:59:02.730: P11:C_GetTokenInfo Slot 1
Aug 14 09:59:02.730: P11:C_GetTokenInfo Slot 1
Aug 14 09:59:02.730: P11:C_GetAttributeValue:
Aug 14 09:59:02.730:  CKA_MODULUS:

Aug 14 09:59:02.730: P11:C_GetAttributeValue:
Aug 14 09:59:02.730:  CKA_MODULUS:

Aug 14 09:59:02.730: P11:C_GetMechanismInfo slot 1 type 1
Aug 14 09:59:02.730: P11:C_DecryptInit
Aug 14 09:59:02.730: P11:C_Decrypt
Aug 14 09:59:02.770: P11:CEAL:CRYPTO_NO_ERR
Aug 14 09:59:02.770: CRYPTO_CS: read SCEP: unregistered and unbound service SCEP_READ_DB_11507
Aug 14 09:59:02.770: CRYPTO_PKI_SCEP: Received message is PKCSReq
Aug 14 09:59:02.770: CRYPTO_CS: received an enrollment request
Aug 14 09:59:02.770: CRYPTO_CS: Enrollment request cannot be found in erdbase corresponding to trans id e45ff488f785bfd2a0352118ab4bd998e86c7952555c35dfc4702289e13fe1a3
VPNHUB-CASA#
Aug 14 09:59:02.770: CRYPTO_CS: failed to set DER for PKCS 10
Aug 14 09:59:02.770: CRYPTO_CS: cannot parse the pkcs10 to get the required fields

Yes. The problem is not solved yet. Waiting for support team to find resolution.

It looks like support has given this problem up. They ignore my messages.
Finally we can see the RB can work only with the MikroTik CA (not Windows Server CA, Cisco CA etc.).

It's ALMOST working!! With the setup used in the first post, I can see the Cisco now shows me a PENDING request!! I can grant it, and then it dies on the MikroTik with
nonce mismatch…

nov/22 00:44:11 certificate,debug,packet sender nonce: fbd3acb00da66df602ba8237e5f4e4a9
nov/22 00:44:11 certificate,debug,packet recipient nonce: f04469fa5d4f7f1ce1c2fe613a74ea71
nov/22 00:44:11 certificate,debug nonce mismatch
nov/22 00:44:11 certificate,error scep client failure: requesting-certificate-failed
nov/22 00:44:12 certificate,debug trust store updated
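The "nonce mismatch" in the last log is the client enforcing a rule from RFC 8894: every request carries a fresh senderNonce, and the CertRep that answers it must copy that value into recipientNonce, so a reply built for an earlier request (or replayed) is rejected. The model below is an added example and not code from the thread, MikroTik or Cisco; it plays the PKCSReq / PENDING / grant / poll sequence against two constructed CA behaviours, one that echoes the nonce of the message it is answering and one that keeps echoing the nonce of the original PKCSReq. The second CA is a hypothetical used only to show which reply the client refuses; the thread does not establish why the Cisco CA's reply failed the check.

```python
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class ScepMessage:
    """Only the fields the nonce rule needs; the PKCS#7 wrapping is omitted."""
    message_type: str            # "PKCSReq", "GetCertInitial" or "CertRep"
    transaction_id: str
    sender_nonce: bytes
    recipient_nonce: Optional[bytes] = None   # CertRep only
    pki_status: Optional[str] = None          # "SUCCESS", "FAILURE" or "PENDING"


class ScepClient:
    def __init__(self, transaction_id):
        self.transaction_id = transaction_id
        self.last_sender_nonce = None

    def _request(self, message_type):
        nonce = os.urandom(16)            # fresh 16-byte senderNonce per request
        self.last_sender_nonce = nonce
        return ScepMessage(message_type, self.transaction_id, nonce)

    def pkcs_req(self):
        return self._request("PKCSReq")

    def get_cert_initial(self):
        """Poll used after a PENDING reply; it carries a new senderNonce."""
        return self._request("GetCertInitial")

    def check_reply(self, reply):
        """Verdict strings chosen to match the router's log wording."""
        if reply.transaction_id != self.transaction_id:
            return "transaction id mismatch"
        if reply.recipient_nonce != self.last_sender_nonce:
            return "nonce mismatch"
        return f"ok: {reply.pki_status}"


class CorrectCA:
    """Echoes the senderNonce of each incoming message as recipientNonce."""

    def __init__(self):
        self.granted = set()   # transaction ids an operator has approved

    def handle(self, msg):
        status = "SUCCESS" if msg.transaction_id in self.granted else "PENDING"
        return ScepMessage("CertRep", msg.transaction_id, os.urandom(16),
                           recipient_nonce=msg.sender_nonce, pki_status=status)


class StaleNonceCA(CorrectCA):
    """Constructed misbehaviour: remembers the nonce of the first PKCSReq of a
    transaction and puts it into every later CertRep, instead of the nonce of
    the poll actually being answered."""

    def __init__(self):
        super().__init__()
        self.first_nonce = {}

    def handle(self, msg):
        first = self.first_nonce.setdefault(msg.transaction_id, msg.sender_nonce)
        reply = super().handle(msg)
        reply.recipient_nonce = first
        return reply


def enroll_with_manual_grant(ca):
    """PKCSReq -> PENDING -> operator grants -> GetCertInitial poll.
    Returns the client's verdict on the two replies."""
    client = ScepClient("tx-constructed-01")
    first = client.check_reply(ca.handle(client.pkcs_req()))
    ca.granted.add(client.transaction_id)          # operator grants the request
    second = client.check_reply(ca.handle(client.get_cert_initial()))
    return first, second


if __name__ == "__main__":
    print("correct CA:    ", enroll_with_manual_grant(CorrectCA()))
    print("stale-nonce CA:", enroll_with_manual_grant(StaleNonceCA()))
```

The pattern of the run matters more than the strings: with a CA that echoes the right nonce the client reports `ok: PENDING` and then `ok: SUCCESS`; with the stale-nonce CA the first reply still passes and only the reply to the poll fails, which is the same point in the flow at which the thread's final log shows the failure.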