Hi there,
I am facing a similar error to https://github.com/certnanny/sscep/issues/80, but when I pass it the certificates as suggested, using both -c and -e, I still get the error.
./sscep enroll -c ca.crt-0 -l cert.pem -k key.pem -r local.csr.txt -e ca.crt-1 -u http://[Server]/certsrv/mscep/mscep.dll -v -d
yields:
/sscep: finding attribute pkiStatus
./sscep: allocating 1 bytes for attribute
./sscep: pkistatus: FAILURE
./sscep: finding attribute failInfo
./sscep: allocating 1 bytes for attribute
./sscep: reason: Integrity check failed
./sscep: illegal size of payload
I have tried rearranging the 3 certificates around as parameters.
ca.crt-0 can also be used for -e parameter,
but if I replace or swap anything apart from that, the error is reached earlier, so the certificates are arranged as best they can be.
It would seem, this is correct:
ca.crt-0 Certificate for signing
ca.crt-1 Certificate for encryption
ca.crt-2 Certificate of CA that signed the NDES-Certificates
Can you help me to a solution or more debugging information?
Wrong or already-used Challenge password (triggers Event 29 on the NDES server)
Challenge password is wrongly encoded (also triggers Event 29 on the NDES server). NDES expects the password to be encoded in PrintableString, OpenSSL defaults to UTF8 though... (set string_mask = nombstr in your request config file under the [req] section)
Key size too small (triggers Event 31 on the NDES server)
Regards, Chr
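
The encoding cause listed in the reply above can be checked on a request before it is submitted. This is an added example, not part of the original thread or of the sscep project: it finds the PKCS#9 challengePassword attribute in a DER or PEM CSR and reports which ASN.1 string type carries it. The helper names and the sample password are constructed for illustration.

```python
import base64
import sys

# DER encoding (tag + length + body) of OID 1.2.840.113549.1.9.7, PKCS#9 challengePassword
CHALLENGE_OID = bytes.fromhex("06092a864886f70d010907")
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "T61String",
               0x16: "IA5String", 0x1E: "BMPString"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def challenge_password(der):
    """Return (string_type, value) of the challengePassword attribute, or None."""
    idx = der.find(CHALLENGE_OID)  # byte search is a shortcut, not a full ASN.1 walk
    if idx < 0:
        return None
    set_tag, start, _ = read_tlv(der, idx + len(CHALLENGE_OID))
    if set_tag != 0x31:  # Attribute values are wrapped in a SET
        raise ValueError("challengePassword OID not followed by a SET")
    tag, vstart, vend = read_tlv(der, start)
    return STRING_TAGS.get(tag, "tag 0x%02x" % tag), der[vstart:vend]

def load_csr(path):
    """Read a CSR file, decoding PEM to DER when needed."""
    data = open(path, "rb").read()
    if data.lstrip().startswith(b"-----BEGIN"):
        lines = [l for l in data.splitlines() if l and not l.startswith(b"-----")]
        data = base64.b64decode(b"".join(lines))
    return data

def sample_attribute(tag, password):
    """Constructed sample: a bare challengePassword Attribute with the given string tag."""
    value = bytes([tag, len(password)]) + password
    body = CHALLENGE_OID + bytes([0x31, len(value)]) + value
    return bytes([0x30, len(body)]) + body

if __name__ == "__main__":
    der = load_csr(sys.argv[1]) if len(sys.argv) > 1 else sample_attribute(0x0C, b"Secret123")
    print(challenge_password(der))
```

A result of `UTF8String` for a real request matches the encoding cause named in the reply, which states that NDES expects `PrintableString`.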