seho
newbie
Topic Author
Posts: 41
Joined: Fri Aug 09, 2013 11:05 am

Windows NDES /SCEP Certificate Renewal

Wed Jul 13, 2022 3:05 pm

Hi,

we were retrieving Certificates using Windows Server 2012R2 based NDES-Server (SCEP)

Certificates can be installed using the following commands:
certificate add name=MikroTik common-name=MikroTik key-usage= 
certificate add-scep name=SECP template=MikroTik  scep-url=http://10.0.1.121/certsrv/mscep/mscep.dll challenge-password=1234567DEADBEEF
But we also want to enable automatic renewal of the certificate. This is where our actual problem is.

These are the installed certificates after retrieving the signed certificate using the commands above.
[admin@MikroTik] > certificate print detail 
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, 
T - trusted 
 0 K     T name="SCEP2" issuer=DC=local,DC=ohp-test,CN=ohp-test-PKI02-CA digest-algorithm=sha512 key-type=rsa 
           common-name="MikroTik2_1" key-size=2048 subject-alt-name="" days-valid=330 trusted=yes 
           key-usage=digital-signature,key-encipherment scep-url="http://10.0.1.121/certsrv/mscep/mscep.dll" 
           serial-number="7E000000168D67A88DA7C7140A000000000016" 
           fingerprint="1e8bc023d8b86f694577a674db731fc64f8c5576e24e440d7ff11713c4742fec" 
           akid=d3584f19846c9715775f7b256fe35d7b32ca7ae1 skid=beef31e0c2eed95889966baa71048023f67b9af0 
           ca-fingerprint="2461e40ad855349cbb43575e0c15672474dd97d1995c3111ccd2b3fea9c226b1" 
           invalid-before=jul/05/2022 13:49:21 invalid-after=may/31/2023 15:36:29 expires-after=46w1h37m8s 
           challenge-password="" status="requesting-certificate-failed" 

 1  L    T name="SCEP2_CA" issuer=CN=OHP-SCEP-RootCA digest-algorithm=sha512 key-type=rsa 
           common-name="ohp-test-PKI02-CA" key-size=4096 subject-alt-name="" days-valid=365 trusted=yes 
           key-usage=digital-signature,key-cert-sign,crl-sign 
           serial-number="2200000002ABD664D954FFEDDA000000000002" 
           fingerprint="2461e40ad855349cbb43575e0c15672474dd97d1995c3111ccd2b3fea9c226b1" 
           akid=b389f19ea6e6d96d3c9b4b2593dc778a26b5c126 skid=d3584f19846c9715775f7b256fe35d7b32ca7ae1 
           invalid-before=may/31/2022 15:26:29 invalid-after=may/31/2023 15:36:29 expires-after=46w1h37m8s 
I tried to do a renewal, at least I think I did. Unfortunately the documentation doesn't provide much about renewal.
[admin@MikroTik] > certificate scep-renew SCEP2
The log shows following output:
14:02:41 certificate,debug resuming job: renew 
14:02:42 certificate,debug,packet encoding message type: PKCS#10 request (19) 
14:02:42 certificate,debug,packet transaction: 24944180c3b26c92fc22fc528e4cabf31f7c6b659e437d8fb75e714122c2bdcc 
14:02:42 certificate,debug,packet sender nonce: 02bbf6b61722b1e5b15174d3e98835e5 
14:02:42 certificate,debug doing GET request: PKIOperation 
[further packet hex lines of the request not preserved]
14:02:42 certificate,debug,packet 6c4a38415a34345868526e5372664d6d7347615149614d66696a4a6972435137625631386357364a6577474a477a57714859495457574638587638417a415175337056414f615570474b53556f67765630744f5871306471586268554154745a744d572532626537484d50714e6e3462524a326164647a436c683064436172554963776868616544314425326225326235756c306436477a7573706a4e4f76786d4547504f4d7a72516b4573467056774a2532627a3943514c506646665630772532626c716d7a6f536d2532666f71776a3570684b6169697775554e68486855437a4632685a414673253262666d365242483331764f56476169416f3133684d 
[further packet hex lines of the request not preserved]
14:02:42 certificate,debug,packet 6233445145424151554141344942447741776767454b416f49424151444c664a466948253266482532666e505454646754344c56475543595354304f746b33524e32734a4b4778394d796979563551466a25326276507176613456445a6a6432464964785177745a727571456c253262666e5045414a6b4178426f4f63636a62666d56675042253262634e6c6642546d74414a6a65436f47323269714c5344684e4672454f77547a72524f30306530656a6c72685035395425326232653068794a6d32513861525235514a4a576562595a747745625a75456e355a592532625756655934446164544a6472383139434c376a31723858753565383339324b614f 
[further packet hex lines of the request not preserved]
14:02:42 certificate,debug,packet 67563432787969775a5666775271684b4b5a444f344475423032322532626b7a5539526c7236474c6a7344416278446f67436c586b797a6d587a51745255647a45464125336420485454502f312e310d0a486f73743a2031302e302e312e3132310d0a436f6e6e656374696f6e3a20636c6f73650d0a757365722d6167656e743a204d696b726f74696b2f362e7820534345500d0a0d0a 
14:02:42 certificate,debug,packet reply: 
[further packet hex lines of the reply not preserved]
14:02:42 certificate,debug,packet 2b6f4d55a873a9ad64fd9d942f70f382f88ac823bd0de29dc9bec93f6bef1bf972d35215f3afb973e918b42444f94409278c0d57d376be0f3f38eca12f0441ff2672ec2c598f99635a891174498f251156a0fb21792f94da6e9118f534c384abcc5c9b74e180d9dada2852c381d8ea20b485ffdb4d4160cb6db9b3b037028801429bba8b8003f65f6308e334d4fecf8a5dfb870aa1ed9d0dc35b4e59f84f4798013da0bb12a3d9e46f3f67d129fc593708e6328872c9dd141d38b31f28169ea74aa0232ffe61bf95108af1ea1a56cfec737daf32a257b67c96feeae05fd48e4dc21a96dbded557a3fdeed319218623e6409eb87b929e 
14:02:42 certificate,debug signed attribute signature not matching 
14:02:42 certificate,debug signature verify failed 
14:02:42 certificate,error reply decode failed: 1 
14:02:42 certificate,error scep client failure: requesting-certificate-failed 
14:02:43 certificate,debug trust store updated 
And on the SCEP Server I can see an error message which says:
Request invalid - No password, or request is not signed with an issued certificate.

I use SCEP with sscep (https://github.com/certnanny/sscep), and renewal is working. But I needed to use specific certificates that were provided by the SCEP server to sign the request.

Anyone using certificate renewal with SCEP?

To MikroTik Support:
How is the actual request to SCEP server generated?
Is it signed with some of the certificates from RA?
Is it possible to pass a new One Time Key to scep-renew parameter that is included in the generated renewal request?

Thanks in advance.

Kind regards,
Sebastian
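The hex in the `certificate,debug,packet` lines of the log above is the outgoing HTTP request, chunk by chunk. Decoding the last chunk answers part of the question of how the request is generated: the PKIOperation is a GET with the PKCS#7 message URL-encoded in the query string, followed by the HTTP headers. The following Python is an added example, not code from the post or from RouterOS; its only input is the final packet line quoted above, copied verbatim, so just the tail of the base64 message is available (the earlier chunks are not reproduced here).

```python
"""Decode a RouterOS 'certificate,debug,packet' hex chunk of a SCEP GET request.

Added example, not part of the forum post or of RouterOS. RouterOS logs each chunk
of the outgoing request as raw hex; the last chunk contains the end of the
URL-encoded SCEP message, the ' HTTP/1.1' request-line terminator and the headers.
"""
import binascii
from urllib.parse import unquote

# Copied verbatim from the last 'certificate,debug,packet' line of the log in the
# post above. Earlier chunks (start of the URL, most of the message) are not
# included, so only the tail of the base64 message survives in this sample.
LAST_PACKET_LINE = (
    "67563432787969775a5666775271684b4b5a444f344475423032322532626b7a5539526c7236474c6a7344"
    "416278446f67436c586b797a6d587a51745255647a45464125336420485454502f312e310d0a486f73743a"
    "2031302e302e312e3132310d0a436f6e6e656374696f6e3a20636c6f73650d0a757365722d6167656e743a"
    "204d696b726f74696b2f362e7820534345500d0a0d0a"
)


def decode_packet_line(hex_line):
    """RouterOS writes the raw bytes of each chunk as lowercase hex; undo that."""
    return binascii.unhexlify(hex_line.strip())


def parse_request_tail(raw):
    """Split bytes ending in ' HTTP/1.1\\r\\n<headers>\\r\\n\\r\\n' into (query_tail, headers)."""
    query_tail, sep, header_block = raw.partition(b" HTTP/1.1\r\n")
    if not sep:
        raise ValueError("chunk does not contain the end of the request line")
    headers = {}
    for line in header_block.split(b"\r\n"):
        if not line:
            continue  # the empty line that ends the header block
        name, _, value = line.decode("ascii").partition(":")
        headers[name.strip().lower()] = value.strip()
    return query_tail.decode("ascii"), headers


def message_tail(query_tail):
    """The SCEP message is base64 placed in the query string with URL encoding
    (%2b for '+', %3d for '='); unquote() restores the base64 characters."""
    return unquote(query_tail)


def summarize(hex_line=LAST_PACKET_LINE):
    raw = decode_packet_line(hex_line)
    query_tail, headers = parse_request_tail(raw)
    tail = message_tail(query_tail)
    return {
        "headers": headers,
        "message_tail": tail,
        # base64 '=' padding can only occur at the very end of the message, so
        # seeing it here confirms the whole message went into the query string
        # and nothing followed it before the request line ended.
        "message_ends_with_padding": tail.endswith("="),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

The headers show the device identifying itself as `Mikrotik/6.x SCEP` and closing the connection after one request; the decoded query tail ends in `=`, i.e. the base64 padding of the PKCS#7 message, confirming that the entire message travelled in the URL of a GET rather than in a POST body.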
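The NDES error quoted above ("No password, or request is not signed with an issued certificate") states the acceptance rule an RA applies to a SCEP PKCSReq: either the CSR carries a valid one-time challengePassword (initial enrollment, outer PKCS#7 signed with the device's self-signed certificate), or the outer PKCS#7 is signed with a certificate this CA already issued (renewal, no password needed). The following Python models that rule with a constructed CA and device certificates. It is an added example, not code from the thread, from RouterOS or from Microsoft NDES; the PKCS#7/CMS wrapping is not built, the function takes the signer certificate and CSR an RA would have extracted from the signedData. The CA and device names, the password value and the requirement that a renewal CSR keeps the signer's subject are assumptions for the example.

```python
"""RA-side acceptance check for a SCEP PKCSReq: one-time password or issued-cert signature.

Added example, not code from the forum thread, RouterOS or Microsoft NDES. The
subject-match rule for renewals is a policy assumption made for this example.
Requires the 'cryptography' package.
"""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import AttributeOID, NameOID

UTC = datetime.timezone.utc
NDES_MESSAGE = "No password, or request is not signed with an issued certificate"


def _signed_by(cert, issuer_public_key):
    """True if cert's signature verifies under issuer_public_key (RSA PKCS#1 v1.5)."""
    try:
        issuer_public_key.verify(cert.signature, cert.tbs_certificate_bytes,
                                 padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def _validity(cert):
    # not_valid_*_utc exists from cryptography 42; older releases expose naive UTC values.
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return cert.not_valid_before.replace(tzinfo=UTC), cert.not_valid_after.replace(tzinfo=UTC)


def evaluate_pkcsreq(signer_cert, csr, ca_cert, one_time_passwords, now=None):
    """Return (verdict, reason). A password in one_time_passwords is consumed when accepted."""
    now = now or datetime.datetime.now(UTC)
    if not csr.is_signature_valid:
        return "reject", "CSR proof-of-possession signature invalid"

    # Renewal path: the outer signer was issued by this CA and is still within validity.
    if signer_cert.issuer == ca_cert.subject and _signed_by(signer_cert, ca_cert.public_key()):
        not_before, not_after = _validity(signer_cert)
        if not not_before <= now <= not_after:
            return "reject", "renewal signer certificate is outside its validity period"
        if csr.subject != signer_cert.subject:  # assumption: renew the same identity only
            return "reject", "renewal CSR subject does not match the signing certificate"
        return "accept-renewal", "request signed with a certificate issued by this CA"

    # Initial enrollment: the signer is the device's self-signed certificate and the CSR
    # must carry a challengePassword the RA handed out and has not accepted before.
    if signer_cert.issuer != signer_cert.subject or not _signed_by(signer_cert, signer_cert.public_key()):
        return "reject", "signer is neither self-signed nor issued by this CA"
    try:
        password = csr.attributes.get_attribute_for_oid(AttributeOID.CHALLENGE_PASSWORD).value
    except x509.AttributeNotFound:
        return "reject", NDES_MESSAGE
    if password not in one_time_passwords:
        return "reject", NDES_MESSAGE
    one_time_passwords.discard(password)  # single use, like an NDES challenge password
    return "accept-initial", "valid one-time challenge password"


# ---- constructed test PKI: a CA, one device key and the certificates a device could hold ----

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(subject, issuer, public_key, signing_key, start_days, end_days, ca=False):
    now = datetime.datetime.now(UTC)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now + datetime.timedelta(days=start_days))
            .not_valid_after(now + datetime.timedelta(days=end_days))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(signing_key, hashes.SHA256()))


def _csr(key, subject, challenge_password=None):
    builder = x509.CertificateSigningRequestBuilder().subject_name(subject)
    if challenge_password is not None:
        builder = builder.add_attribute(AttributeOID.CHALLENGE_PASSWORD, challenge_password)
    return builder.sign(key, hashes.SHA256())


def demo():
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = _name("ohp-test-PKI02-CA")  # CA name as printed in the post; constructed key
    ca_cert = _cert(ca_name, ca_name, ca_key.public_key(), ca_key, -365, 365, ca=True)

    dev_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    dev_name = _name("MikroTik")
    self_signed = _cert(dev_name, dev_name, dev_key.public_key(), dev_key, -1, 365)
    issued = _cert(dev_name, ca_name, dev_key.public_key(), ca_key, -30, 330)
    expired = _cert(dev_name, ca_name, dev_key.public_key(), ca_key, -400, -35)

    passwords = {b"1234567DEADBEEF"}  # the one-time password from the post, as a constructed value
    pw = b"1234567DEADBEEF"
    return {
        "initial_with_password": evaluate_pkcsreq(self_signed, _csr(dev_key, dev_name, pw), ca_cert, passwords),
        "replayed_password": evaluate_pkcsreq(self_signed, _csr(dev_key, dev_name, pw), ca_cert, passwords),
        "initial_without_password": evaluate_pkcsreq(self_signed, _csr(dev_key, dev_name), ca_cert, passwords),
        "renewal_with_issued_cert": evaluate_pkcsreq(issued, _csr(dev_key, dev_name), ca_cert, passwords),
        "renewal_with_expired_cert": evaluate_pkcsreq(expired, _csr(dev_key, dev_name), ca_cert, passwords),
    }


if __name__ == "__main__":
    for case, (verdict, reason) in demo().items():
        print(f"{case:26s} {verdict:16s} {reason}")
```

The two rejected self-signed cases produce exactly the NDES wording: a renewal attempt that is signed with something other than a certificate issued by this CA, and that carries no fresh challengePassword (the `challenge-password=""` shown in the `certificate print detail` output), is indistinguishable from an unauthenticated enrollment and is refused. The `expired` case shows why a renewal has to happen before the old certificate lapses: once it is outside its validity period it no longer proves anything, and a new one-time password is needed again.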
 
psztoch
just joined
Posts: 6
Joined: Sun Mar 05, 2023 7:13 pm

Re: Windows NDES /SCEP Certificate Renewal

Sat Mar 18, 2023 1:22 am

I have a problem with my Windows SCEP service and a MikroTik device too. On other devices it works.

Mikrotik's documentation and examples should be made better.
Please add more information on https://help.mikrotik.com/docs/display/ROS/Certificates !
