Bad Request error when GetCRL (Transaction not permitted or supported) #59

Open
tctran opened this issue Apr 26, 2016 · 7 comments
tctran commented Apr 26, 2016

I can download the .crl file via the option available in a web browser (http://a.b.c.d/certsrv/....). But when I use sscep, the server responds back with a Bad Request status and sscep prints out this "illegal size of payload" line.

/* If FAILURE or PENDING, we can return */
if (s->pki_status != SCEP_PKISTATUS_SUCCESS) {
    /* There shouldn't be any more data... */
    if (v_flag && (used != 0)) {
        fprintf(stderr, "%s: illegal size of payload \n", pname);
    }
    return (0);
}

Is it because something is wrong on the server side or the client side? I'm using Microsoft Server 2012 R2. Here is the log:

oem@oem-XPS-13-9343:~/Downloads/sscep-master/out$ ./sscep_static getcrl -f sscep.conf -c ca.crt-0 -e ca.crt-1 -d -l local.crt -k local.key -w crl.crl
./sscep_static: No engine section specified, not loading an engine
./sscep_static: starting sscep, version 0.6.1
./sscep_static: new transaction
./sscep_static: transaction id: SSCEP transactionId
./sscep_static: hostname: 134.134.161.77
./sscep_static: directory: certsrv/mscep/mscep.dll
./sscep_static: port: 80
./sscep_static: Pivate key local.key could not be loaded via engine, trying file load
./sscep_static: Found private key local.key as file. If the engine can handle it, loading the file
./sscep_static: SCEP_OPERATION_GETCRL
./sscep_static: requesting crl
./sscep_static: request data dump
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
./sscep_static: data payload size: 188 bytes

./sscep_static: hexdump request payload
3081b93081a1310b3009060355040613025553310f300d060355040813064f7265676f6e311230100603550407130948696c6c73626f726f311a3018060355040a131154435420456e7465727461696e6d656e7431123010060355040b13094d61726b6574696e67311d301b0603550403131454494e412d4c4150544f502d4d534345502d5241311e301c06092a864886f70d010901160f696e666f4074687579656e2e636f6d02131000000002a9090c98e58cc18d000000000002
./sscep_static: hexdump payload 188
./sscep_static: successfully encrypted payload
./sscep_static: envelope size: 656 bytes
./sscep_static: printing PEM fomatted PKCS#7
./sscep_static: creating outer PKCS#7
./sscep_static: signature added successfully
./sscep_static: adding signed attributes
./sscep_static: adding string attribute transId
./sscep_static: adding string attribute messageType
./sscep_static: adding octet attribute senderNonce
./sscep_static: PKCS#7 data written successfully
./sscep_static: printing PEM fomatted PKCS#7
./sscep_static: applying base64 encoding
./sscep_static: base64 encoded payload size: 4010 bytes
./sscep_static: scep msg: GET /certsrv/mscep/mscep.dll?operation=PKIOperation&message=[base64 message omitted] HTTP/1.0

./sscep_static: server returned status code 200
./sscep_static: MIME header: x-pki-message
./sscep_static: valid response from server
./sscep_static: reading outer PKCS#7
./sscep_static: PKCS#7 payload size: 726 bytes
./sscep_static: printing PEM fomatted PKCS#7
./sscep_static: PKCS#7 contains 1 bytes of enveloped data
./sscep_static: verifying signature
./sscep_static: signature ok
./sscep_static: finding signed attributes
./sscep_static: finding attribute transId
./sscep_static: allocating 19 bytes for attribute
./sscep_static: reply transaction id: SSCEP transactionId
./sscep_static: finding attribute messageType
./sscep_static: allocating 1 bytes for attribute
./sscep_static: reply message type is good
./sscep_static: finding attribute senderNonce
./sscep_static: allocating 16 bytes for attribute
./sscep_static: senderNonce in reply: 350A4AF9AA77884BAE03299EA38EA78C
./sscep_static: finding attribute recipientNonce
./sscep_static: allocating 16 bytes for attribute
./sscep_static: recipientNonce in reply: E69643384CB9DFD452E87A77A40C539F
./sscep_static: finding attribute pkiStatus
./sscep_static: allocating 1 bytes for attribute
./sscep_static: pkistatus: FAILURE
./sscep_static: finding attribute failInfo
./sscep_static: allocating 1 bytes for attribute
./sscep_static: reason: Transaction not permitted or supported
./sscep_static: illegal size of payload

@tctran tctran changed the title Bad Request error when GetCRL Bad Request error when GetCRL (Transaction not permitted or supported) Apr 26, 2016

luzik commented Jan 30, 2017

Same here, but only when enrolling and the CSR contains a challenge password:

sscep enroll -c /opt/data/ipsec.d/cacerts/8021x.pem-0 -e /opt/data/ipsec.d/cacerts/8021x.pem-1 -k /opt/data/8021x_user.key -r /tmp/csrjUI4RN -l /opt/data/8021x_user.crt -u http://X.X.X.X/certsrv/mscep/mscep.dll -d -v
sscep: starting sscep, version 0.6.1
sscep: new transaction
sscep: transaction id: D41D8CD98F00B204E9800998ECF8427E
sscep: hostname: X.X.X.X
sscep: directory: certsrv/mscep/mscep.dll
sscep: port: 80
sscep: Read request with transaction id: 9CB1CB998B7FCC0142297B492988AFB4
sscep: generating selfsigned certificate
sscep: SCEP_OPERATION_ENROLL
sscep: sending certificate request
sscep: creating inner PKCS#7
sscep: inner PKCS#7 in mem BIO
sscep: request data dump
sscep: data payload size: 632 bytes

sscep: hexdump request payload
sscep: hexdump payload 632
sscep: successfully encrypted payload
sscep: envelope size: 1036 bytes
sscep: printing PEM fomatted PKCS#7
sscep: creating outer PKCS#7
sscep: signature added successfully
sscep: adding signed attributes
sscep: adding string attribute transId
sscep: adding string attribute messageType
sscep: adding octet attribute senderNonce
sscep: PKCS#7 data written successfully
sscep: printing PEM fomatted PKCS#7
sscep: applying base64 encoding
sscep: base64 encoded payload size: 3234 bytes
sscep: scep msg: GET /certsrv/mscep/mscep.dll?operation=PKIOperation&message=[base64 message omitted] HTTP/1.0

sscep: server returned status code 200
sscep: MIME header: x-pki-message
sscep: valid response from server
sscep: reading outer PKCS#7
sscep: PKCS#7 payload size: 670 bytes
sscep: printing PEM fomatted PKCS#7
sscep: PKCS#7 contains 1 bytes of enveloped data
sscep: verifying signature
sscep: signature ok
sscep: finding signed attributes
sscep: finding attribute transId
sscep: allocating 32 bytes for attribute
sscep: reply transaction id: 9CB1CB998B7FCC0142297B492988AFB4
sscep: finding attribute messageType
sscep: allocating 1 bytes for attribute
sscep: reply message type is good
sscep: finding attribute senderNonce
sscep: allocating 16 bytes for attribute
sscep: senderNonce in reply: 83B7F31B0308F64A8D1A173C2F7D7DDF
sscep: finding attribute recipientNonce
sscep: allocating 16 bytes for attribute
sscep: recipientNonce in reply: 136F36F4A38EC0C974EF1007A9ABB22B
sscep: finding attribute pkiStatus
sscep: allocating 1 bytes for attribute
sscep: pkistatus: FAILURE
sscep: finding attribute failInfo
sscep: allocating 1 bytes for attribute
sscep: reason: Transaction not permitted or supported
sscep: illegal size of payload

@QinLongFei

I have the same issue. SCEP always fails with "Transaction not permitted or supported" when I use a challenge password.

Do you have any suggestions?

@thidalgosalvador

I get the same error: "Transaction not permitted or supported".
This is my environment:

$cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)

SCEP Server: Windows Server 2019 (version 1809 - Build 17763.1158)

$rpm -qi sscep
Name        : sscep
Version     : 0.6.1
Release     : 5.20160525git2052ee1.el7

$openssl version
OpenSSL 1.1.1a  20 Nov 2018

Command to generate the request:

/usr/bin/mkrequest -dns server001.mydomain.com BF760AD7B60D5107
Generating RSA private key, 1024 bit long modulus (2 primes)
.....+++++
....+++++
e is 65537 (0x010001)

The value of the enrollment challenge password is shown in the generated .CSR file.

        Attributes:
            challengePassword        :BF760AD7B60D5107

That value in ASN1 format:

openssl asn1parse -in ./local.csr
. . . .
  213:d=3  hl=2 l=  31 cons: SEQUENCE
  215:d=4  hl=2 l=   9 prim: OBJECT            :challengePassword
  226:d=4  hl=2 l=  18 cons: SET
  228:d=5  hl=2 l=  16 prim: UTF8STRING        :45DCFF774999846E
. . . 

The command:

/usr/bin/sscep enroll \
-d -v \
-c ./cert_RA_DigSign.crt-0 \
-e ./cert_RA_Key_Encip.crt-1 \
-k local.key \
-r local.csr \
-l new_cert.crt \
-u 'http://serverNDES.mydomain.com/certsrv/mscep/mscep.dll/pkiclient.exe?'

/usr/bin/sscep: sending certificate request
/usr/bin/sscep: valid response from server
/usr/bin/sscep: reply transaction id: 7309C815BB99A129623FF2CE628E1C2E
/usr/bin/sscep: pkistatus: FAILURE
/usr/bin/sscep: reason: Transaction not permitted or supported

The following EventID is displayed in the event viewer of the NDES server:

Log Name:      Application
Source:        Microsoft-Windows-NetworkDeviceEnrollmentService
Date:          10/05/2020 19:35:37
Event ID:      29
Task Category: None
Level:         Error
Keywords:      
User:          mydomain\ndesservice
Computer:      serverNDES.mydomain.com
Description:
The password in the certificate request cannot be verified. 
It may have been used already. Obtain a new password to submit with this request.

With the verbose (-v) and debug (-d) options this information is displayed:

/usr/bin/sscep: PKCS#7 contains 1 bytes of enveloped data
/usr/bin/sscep: verifying signature
/usr/bin/sscep: signature ok
/usr/bin/sscep: finding signed attributes
/usr/bin/sscep: finding attribute transId
/usr/bin/sscep: allocating 32 bytes for attribute
/usr/bin/sscep: reply transaction id: 70CE500F34E8593D02BC1A030C3FC881
/usr/bin/sscep: finding attribute messageType
/usr/bin/sscep: allocating 1 bytes for attribute
/usr/bin/sscep: reply message type is good
/usr/bin/sscep: finding attribute senderNonce
/usr/bin/sscep: allocating 16 bytes for attribute
/usr/bin/sscep: senderNonce in reply: 5EA4F31BEA3B8349B81E57CE53BDCE49
/usr/bin/sscep: finding attribute recipientNonce
/usr/bin/sscep: allocating 16 bytes for attribute
/usr/bin/sscep: recipientNonce in reply: BEB01F6E1D056DC248453C6F96349F7E
/usr/bin/sscep: finding attribute pkiStatus
/usr/bin/sscep: allocating 1 bytes for attribute
/usr/bin/sscep: pkistatus: FAILURE
/usr/bin/sscep: finding attribute failInfo
/usr/bin/sscep: allocating 1 bytes for attribute
/usr/bin/sscep: reason: Transaction not permitted or supported
/usr/bin/sscep: illegal size of payload

Is it a problem in the coding of the password value in the sscep client?
Thanks!

@thidalgosalvador
To fix the error "Transaction not permitted or supported" I have performed the following steps:

Add this attribute/value to the [ req ] section: string_mask = nombstr

. . . .
[ req ]
string_mask = nombstr
prompt = no
distinguished_name = req_distinguished_name

After this change, the challengePassword attribute is now not a UTF8 value but a PRINTABLESTRING:

  213:d=3  hl=2 l=  31 cons: SEQUENCE
  215:d=4  hl=2 l=   9 prim: OBJECT            :challengePassword
  226:d=4  hl=2 l=  18 cons: SET
  228:d=5  hl=2 l=  16 prim: PRINTABLESTRING   :D923E258C32B2BBB

When you run the command to request a new certificate by enrol

/usr/bin/sscep enroll -c ./padelCA.crt-0 -e ./padelCA.crt-1 -k local.key -r local.csr -l new_cert.crt -u 'http://serverNDES.mydomain.com/certsrv/mscep/mscep.dll/pkiclient.exe?'
/usr/bin/sscep: sending certificate request
/usr/bin/sscep: valid response from server
/usr/bin/sscep: reply transaction id: DC86A86EBF547F972BA42B42F2BE8534
/usr/bin/sscep: pkistatus: SUCCESS
[root@centos software]# ls new_cert.crt
new_cert.crt

The result is satisfactory and the .crt file is generated correctly.
More info: https://docs.microsoft.com/es-es/archive/blogs/jeffbutte/236
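
The encoding check done above by reading `openssl asn1parse` output, as an added example that is not part of this thread or of sscep: a small DER walker that reports the ASN.1 string type of the challengePassword attribute before a CSR is submitted. The function names, the constructed sample request fragment and its password are assumptions for illustration, and treating only PRINTABLESTRING as accepted reflects what was reported in this thread, not a documented NDES rule.

```python
import base64

# Content bytes of OID 1.2.840.113549.1.9.7 (PKCS#9 challengePassword)
CHALLENGE_PASSWORD_OID = bytes.fromhex("2a864886f70d010907")
STRING_TAGS = {0x0C: "UTF8STRING", 0x13: "PRINTABLESTRING", 0x14: "T61STRING",
               0x16: "IA5STRING", 0x1E: "BMPSTRING"}


def pem_to_der(pem_text):
    """Strip the PEM armor lines and base64-decode the body."""
    body = [l for l in pem_text.splitlines() if l and not l.startswith("-----")]
    return base64.b64decode("".join(body))


def elements(buf, pos, end):
    """Yield (tag, value_start, value_end) for each DER element in buf[pos:end].
    Single-byte tags only, which is all a PKCS#10 request uses."""
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated DER header")
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:  # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            if n == 0 or n > 4 or pos + n > end:
                raise ValueError("unsupported or truncated DER length")
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        if pos + length > end:
            raise ValueError("DER element runs past its container")
        yield tag, pos, pos + length
        pos += length


def find_challenge_password(buf, pos=0, end=None):
    """Return (string_type, value_bytes) of the challengePassword, or None."""
    end = len(buf) if end is None else end
    for tag, vs, ve in elements(buf, pos, end):
        if not tag & 0x20:  # primitive element: nothing nested inside
            continue
        kids = list(elements(buf, vs, ve))
        # Attribute ::= SEQUENCE { OID challengePassword, SET { string } }
        if (tag == 0x30 and len(kids) == 2 and kids[0][0] == 0x06
                and buf[kids[0][1]:kids[0][2]] == CHALLENGE_PASSWORD_OID
                and kids[1][0] == 0x31):
            first = next(elements(buf, kids[1][1], kids[1][2]), None)
            if first is None:
                raise ValueError("challengePassword attribute has an empty SET")
            vt, s, e = first
            return STRING_TAGS.get(vt, "tag 0x%02x" % vt), bytes(buf[s:e])
        found = find_challenge_password(buf, vs, ve)
        if found:
            return found
    return None


def check_csr(der):
    """Pre-flight verdict; the PRINTABLESTRING-only rule is this thread's finding."""
    found = find_challenge_password(der)
    if found is None:
        return "no challengePassword attribute"
    if found[0] == "PRINTABLESTRING":
        return "ok: challengePassword is PRINTABLESTRING"
    return ("warn: challengePassword is %s; regenerate the CSR with "
            "string_mask = nombstr in [ req ]" % found[0])


def tlv(tag, value):
    """Build a short-form DER element (sample data only, value < 128 bytes)."""
    return bytes([tag, len(value)]) + value


def sample_request_info(string_tag, password=b"0123456789ABCDEF"):
    """Constructed fragment (version + attributes), not a complete signed CSR."""
    attr = tlv(0x30, tlv(0x06, CHALLENGE_PASSWORD_OID)
               + tlv(0x31, tlv(string_tag, password)))
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0xA0, attr))


if __name__ == "__main__":
    for tag in (0x0C, 0x13):
        print(check_csr(sample_request_info(tag)))
```

For a real request, pass `pem_to_der(open("local.csr").read())` to `check_csr`.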

@thidalgosalvador

Hi QinLongFei,

Check out this document (https://docs.microsoft.com/es-es/archive/blogs/jeffbutte/236). At the end of it, it details a possible solution to this error. Personally, it has been solved for me.

@QinLongFei

@thidalgosalvador , Thanks very much!

@juresaht2

Apparently this can be a variety of different issues, and the Event log (Application) on the CA should be consulted.
