Greg Foletta - Bits and Blobs

submited by
Style Pass
2024-07-11 00:00:03

Most of the posts on this site tend to be long form, a result of me finding it hard to leave stones unturned. This leads to big gaps between posts; in fact the the radio silence over the past nine months is because I’ve had two in draft form and haven’t been able to get them over the line.

As an antidote to this I’ve put together something a little more bite-size. In this post we’re going to crack open a Simple Certificate Enrollment Protocol (SCEP) request. We’ll do this on the command line, using the openssl tool peer underneath the hood, and get a good understanding of some of the structures, and the verification and encryption processes.

This SCEP request is actually two requests: the first returns an X509 CA certificate, and the second is the certificate request. We’ll see how the X509 certificate is used later on, but if we focus in on the second one we see the bulk of the request is passed in the message query parameter. I’ve copied the contents of this to a file named scep_message:

This message parameter contins the singing request, wrapped up like an onion (sometimes including the tears), with layer after layer of different encodings and structures. This first message parameter is URI encoded, then base64 encoded, so we decode these store what I’ll call the ‘raw’ SCEP in a file called scep_raw.

Leave a Comment