We were retrieving certificates using a Windows Server 2012R2 based NDES server (SCEP).
Certificates can be installed using the following commands:
certificate add name=MikroTik common-name=MikroTik key-usage=
certificate add-scep name=SECP template=MikroTik scep-url=http://10.0.1.121/certsrv/mscep/mscep.dll challenge-password=1234567DEADBEEF
The installed certificates after retrieving the signed certificate using the commands above:
[admin@MikroTik] > certificate print detail
Flags: K - private-key, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired,
       T - trusted
 0 K T name="SCEP2" issuer=DC=local,DC=ohp-test,CN=ohp-test-PKI02-CA digest-algorithm=sha512 key-type=rsa
       common-name="MikroTik2_1" key-size=2048 subject-alt-name="" days-valid=330 trusted=yes
       key-usage=digital-signature,key-encipherment scep-url="http://10.0.1.121/certsrv/mscep/mscep.dll"
       serial-number="7E000000168D67A88DA7C7140A000000000016"
       fingerprint="1e8bc023d8b86f694577a674db731fc64f8c5576e24e440d7ff11713c4742fec"
       akid=d3584f19846c9715775f7b256fe35d7b32ca7ae1 skid=beef31e0c2eed95889966baa71048023f67b9af0
       ca-fingerprint="2461e40ad855349cbb43575e0c15672474dd97d1995c3111ccd2b3fea9c226b1"
       invalid-before=jul/05/2022 13:49:21 invalid-after=may/31/2023 15:36:29 expires-after=46w1h37m8s
       challenge-password="" status="requesting-certificate-failed"
 1 L T name="SCEP2_CA" issuer=CN=OHP-SCEP-RootCA digest-algorithm=sha512 key-type=rsa
       common-name="ohp-test-PKI02-CA" key-size=4096 subject-alt-name="" days-valid=365 trusted=yes
       key-usage=digital-signature,key-cert-sign,crl-sign
       serial-number="2200000002ABD664D954FFEDDA000000000002"
       fingerprint="2461e40ad855349cbb43575e0c15672474dd97d1995c3111ccd2b3fea9c226b1"
       akid=b389f19ea6e6d96d3c9b4b2593dc778a26b5c126 skid=d3584f19846c9715775f7b256fe35d7b32ca7ae1
       invalid-before=may/31/2022 15:26:29 invalid-after=may/31/2023 15:36:29 expires-after=46w1h37m8s
[admin@MikroTik] > certificate scep-renew SCEP2
14:02:41 certificate,debug resuming job: renew
14:02:42 certificate,debug,packet encoding message type: PKCS#10 request (19)
14:02:42 certificate,debug,packet transaction: 24944180c3b26c92fc22fc528e4cabf31f7c6b659e437d8fb75e714122c2bdcc
14:02:42 certificate,debug,packet sender nonce: 02bbf6b61722b1e5b15174d3e98835e5
14:02:42 certificate,debug doing GET request: PKIOperation
14:02:42 certificate,debug,packet reply:
14:02:42 certificate,debug signed attribute signature not matching
14:02:42 certificate,debug signature verify failed
14:02:42 certificate,error reply decode failed: 1
14:02:42 certificate,error scep client failure: requesting-certificate-failed
14:02:43 certificate,debug trust store updated
Request invalid - No password, or request is not signed with an issued certificate.
I use SCEP with sscep (https://github.com/certnanny/sscep), and renewal is working. But I needed to use specific certificates that were provided by the SCEP server to sign the request.
Anyone using certificate renewal with SCEP?
To MikroTik Support:
How is the actual request to SCEP server generated?
Is it signed with some of the certificates from RA?
Is it possible to pass a new one-time key as a scep-renew parameter that is included in the generated renewal request?
Thanks in advance.
Kind regards,
Sebastian
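When a renewal fails like the one logged above, it helps to decode the SCEP signed attributes of the CertRep and compare them with the `transaction` and `sender nonce` values the client logged for its request. The following is an added example, not part of the original post and not RouterOS or NDES code: it takes the content of the signedAttrs field as input, uses the SCEP attribute OIDs and pkiStatus/failInfo codes from RFC 8894, runs on constructed sample values, and does not verify the CMS signature. All function and variable names are hypothetical.

```python
# Added example, not RouterOS or NDES code. Sample values below are constructed.
OID_PREFIX = bytes.fromhex("6086480186f8450109")  # 2.16.840.1.113733.1.9.x
NAMES = {2: "messageType", 3: "pkiStatus", 4: "failInfo",
         5: "senderNonce", 6: "recipientNonce", 7: "transactionID"}
FAIL_INFO = dict(zip("01234", ("badAlg", "badMessageCheck", "badRequest", "badTime", "badCertId")))

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        end = pos + (length & 0x7F)
        length, pos = int.from_bytes(buf[pos:end], "big"), end
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def scep_attributes(der):
    """Decode concatenated Attribute SEQUENCEs into {name: value}."""
    out, pos = {}, 0
    while pos < len(der):
        tag, attr, pos = read_tlv(der, pos)
        if tag != 0x30:
            raise ValueError("expected Attribute SEQUENCE")
        _, oid, p = read_tlv(attr, 0)
        vtag, value, _ = read_tlv(read_tlv(attr, p)[1], 0)  # first value in the SET
        if oid[:-1] == OID_PREFIX and oid[-1] in NAMES:  # nonces as hex, strings as text
            out[NAMES[oid[-1]]] = value.hex() if vtag == 0x04 else value.decode("ascii")
    return out

def check_reply(request, reply):
    problems = []  # reasons the client should not accept this CertRep
    if reply.get("transactionID") != request.get("transactionID"):
        problems.append("transactionID mismatch")
    if reply.get("recipientNonce") != request.get("senderNonce"):
        problems.append("recipientNonce does not echo senderNonce")
    if reply.get("pkiStatus") != "0":
        fail = FAIL_INFO.get(reply.get("failInfo"), "unspecified")
        problems.append(f"pkiStatus={reply.get('pkiStatus')} failInfo={fail}")
    return problems

def sample_attr(arc, tag, value):
    """Build one constructed Attribute for the demo (short-form lengths only)."""
    val = bytes([tag, len(value)]) + value
    body = b"\x06\x0a" + OID_PREFIX + bytes([arc, 0x31, len(val)]) + val
    return bytes([0x30, len(body)]) + body

NONCE, TXID = bytes(range(16)), b"A1" * 32  # constructed values
REQUEST = {"senderNonce": NONCE.hex(), "transactionID": TXID.decode()}
REPLY_DER = (sample_attr(2, 0x13, b"3") + sample_attr(3, 0x13, b"2") + sample_attr(4, 0x13, b"2")
             + sample_attr(6, 0x04, NONCE) + sample_attr(7, 0x13, TXID))
```

`check_reply(REQUEST, scep_attributes(REPLY_DER))` returns the list of findings for the constructed failure reply; an empty list means the attributes correlate and the server reported success.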