Open xrpixer opened 2 years ago
Hello! That's interesting. Are you able to change the encryption algorithm that the SRX uses to talk to SCEP in any way? What does Juniper have to say about this issue?
I'm not sure exactly which part the SCEP server can't decrypt, but what the Juniper SRX has for options -
Digest:
```
> request security pki local-certificate enroll digest ?
Possible completions:
  sha-1      SHA-1 digests (default value)
  sha-256    SHA-256 digests
```
SCEP Digest:
```
> request security pki local-certificate enroll scep-digest-algorithm ?
Possible completions:
  md5     MD-5 digest
  sha1    SHA-1 digest (default)
```
SCEP Encryption:
```
> request security pki local-certificate enroll scep-encryption-algorithm ?
Possible completions:
  des     DES Encryption
  des3    DES-3 Encryption (default)
```
Plus the key that it's using is an RSA key that's in DER format.
I've got a support ticket open with Juniper but it hasn't led anywhere so far.
I was hoping to do the same, but it looks like it's not configurable on the SRX.
SCEP sends a PKCS #10 format certificate request enveloped in the PKCS #7 format.
Hello,
I've been working on Juniper SRX Auto VPNs, and am wanting a SCEP server that isn't Windows. When trying to enroll a Juniper SRX, I'm getting a cannot decrypt data error -
The SRX is using -
- SCEP Encryption Algorithm = DES3
- SCEP Digest Algorithm = SHA1
- Digest = SHA1
I've set the challenge password to something really simple and short to make sure that's correct, but still not getting any further. This is on a Debian 11 server, tested using both what's in the repo and the pre-compiled Linux server from GitHub.
Has anyone else given this a try? Seems like a great use case for Firewall SCEP, there are very few SCEP servers available that aren't a Windows server.
Any help is appreciated, Thanks!
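An added example, not part of the thread and not code from any SCEP server: a minimal DER walker that reports which content-encryption algorithm a captured SCEP request names in its PKCS #7 envelope, so the `des`/`des3` choice on the SRX can be compared with what the server is able to decrypt. It assumes definite-length DER; the function names and the sample bytes are constructed for illustration.

```python
# Added example. Assumes definite-length DER; SAMPLE is constructed by hand.
CIPHER_OIDS = {
    "1.3.14.3.2.7": "DES-CBC (SRX option: des)",
    "1.2.840.113549.3.7": "DES-EDE3-CBC (SRX option: des3)",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits give byte count
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite-length BER is not handled here")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, pos, pos + length

def decode_oid(body):
    first = min(body[0] // 40, 2)        # first content byte packs two arcs
    arcs, val = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                 # high bit clear ends this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def find_ciphers(buf, pos=0, end=None):
    """Names of known content-encryption ciphers found in the message."""
    found, end = [], len(buf) if end is None else end
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        if tag == 0x06 and ve > vs:
            oid = decode_oid(buf[vs:ve])
            found += [CIPHER_OIDS[oid]] if oid in CIPHER_OIDS else []
        elif tag & 0x20:                 # constructed type: descend
            found += find_ciphers(buf, vs, ve)
        elif tag == 0x04 and buf[vs:vs + 1] == b"\x30":
            try:                         # envelope carried inside an OCTET STRING
                found += find_ciphers(buf, vs, ve)
            except (ValueError, IndexError):
                pass                     # opaque bytes that only looked like DER
        pos = ve
    return found

SAMPLE = bytes.fromhex(                  # constructed SCEP-like nesting, 3DES
    "304b 06092a864886f70d010701 a03e 043c 303a 020100 3100 3033"
    "06092a864886f70d010701 3014 06082a864886f70d0307"
    "0408 0000000000000000 8010" + "00" * 16)
```

Running `find_ciphers` over the DER bytes of a request captured on the server side shows whether the client actually sent DES or 3DES, independent of what its configuration claims.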