SCEP provisioner for enrollment with Cisco routers

[pedroaston]

Context

Hi there! I'm new to smallstep CA and started recently using it in an NSP Network Lab environment for enrollment with Cisco routers. Cisco IOS-XR routers use SCEP for CA enrollment.

I've already made some small experiences by using step-ca certificates for enabling https for some internal webpages, but my main goal with smallstep is to sign routers' RSA keys to enable gRPC-TLS communication between routers and data collectors.

Problem

Currently I have a simple setup with the default config options on the CA running locally on a VM. I tried adding the SCEP provisioner by following the docs example (https://smallstep.com/docs/step-ca/provisioners#scep) but once I reload the step-ca and insert the private key i have the following error ...

something tells me that I'm missing something, but at first glance from reading the docs I cannot say what...

Thanks in advance 😃

[maraino]

CC @hslatman

[hslatman]

Hey @pedroaston, am I correct you were using the CA generated by default before you tried enabling SCEP? If so, you'll need to create a new intermediate (at least the intermediate; it can be signed by the root that was generated before) for an RSA private key. Our SCEP configuration requires an RSA key, as the SCEP protocol relies on encryption against the CA public key. We have some documentation on how to configure the SCEP provisioner here: https://smallstep.com/docs/step-ca/provisioners#scep. Reconfiguring your CA to use an RSA certificate chain is described here: https://smallstep.com/docs/tutorials/rsa-chain.

If you did follow these instructions before, then it might be the case that you've used a different password to encrypt the new intermediate RSA key. Since you're trying this out, the simplest workaround is to create a new RSA key for the intermediate and use the same password the CA is already configured to use.

That said, the error message you encountered is not super great. I'll have a look at making that more user friendly. Do you know if the step-ca process continued running, or did it exit?

[pedroaston]

Hello @hslatman. Indeed i did forget this step (RSA keychain). I will still need to make some tests regarding the scep provisioner functionality, but that solved the issue above.

Regarding the error message i presented above, the step-ca did not shutdown.

Another thing that i don't understand is why after configuring the provisioner i have to insert the password 3 times when launching the ca. And the prompt was the same every time. The pass i used was not the provisioner's but the intermediate ca's one.

Thanks for the feedback 😃

[hslatman]

Hey @pedroaston,

Thank you for reporting this. I haven't come across this issue myself before. That's because I usually set the password in the ca.json file, so that the prompt doesn't appear. It's also possible to use --password-file to provide the password.

The issue seems to be that the intermediate_ca_key is read three times by one of our libraries in different code paths (twice more for the SCEP functionality compared to the default of one time). It is provided with an empty password (if not set in ca.json or using --password-file), resulting in the underlying library prompting for the password. I'll see if I can make it reuse the password after passing it for the first time.