Error: "Failed to unwrap inner PKCS7" when doing SCEP requests


SCEP requests to Venafi are failing. The Default SQL Channel logs show the following:

Network Device Enrollment - Failed to parse CSR Failed to extract the subject from the received CSR
Network Device Enrollment - Failed to unwrap inner PKCS7 Failed to properly decode the inner PKCS#7 envelope in the received SCEP data



Typically this is caused by the payload sent to Venafi SCEP being encrypted to the wrong certificate, i.e. to a certificate other than the RA certificate configured for the SCEP application. Venafi cannot decrypt the inner PKCS#7 EnvelopedData with the RA key it holds, so the CSR inside it can never be parsed, which produces both log lines above. We can view the certificate the payload was encrypted to as follows:

1. Extract the payload from the IIS logs: it is the value of the message query parameter of the PKIOperation request (note that IIS only logs the query string, so this works for GET requests; POST bodies are not logged)
2. Use the following PowerShell script to decode the URL-encoded payload into a DER file

# System.Web provides HttpUtility.UrlDecode (Add-Type replaces the obsolete LoadWithPartialName call)
Add-Type -AssemblyName System.Web
# Paste the value of the message= parameter from the IIS log here
$encode = 'MIAGCSq...AAAA'
# URL-decode, then restore any '+' that was logged literally: UrlDecode turns a bare '+' into a space,
# and FromBase64String silently ignores spaces, which would yield a truncated, corrupt file
$b64 = [System.Web.HttpUtility]::UrlDecode($encode).Replace(' ', '+')
$filename = 'C:\temp\filetolookat.p7b'
New-Item -ItemType Directory -Force -Path (Split-Path $filename) | Out-Null
$bytes = [Convert]::FromBase64String($b64)
[IO.File]::WriteAllBytes($filename, $bytes)

3. View the file with the certutil command (run it in the same PowerShell session so that $filename is still defined):

certutil.exe -dump $filename

4. Find the "Recipient Info" section of the dump; it identifies the certificate the EnvelopedData was encrypted to by issuer and serial number, for example:

Recipient Info[0]:
Serial Number: 187fdfgg2
Issuer: CN=Venafi Root CA

5. Compare the Serial Number (and Issuer) of the certificate used to encrypt the payload to the RA certificate configured in the Venafi SCEP settings



If the serial number does not match the configured RA Certificate in the Venafi settings, check the settings on the system sending the SCEP request. A common cause is a client that still holds an RA certificate obtained from an earlier GetCACert response (for example after the RA certificate was renewed) and keeps encrypting to that stale certificate; have the client fetch the current CA/RA certificates again.
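The following PowerShell script is an added example, not part of the original article or of Venafi's own tooling. It performs steps 2 to 5 in code: it decodes the URL-encoded pkiMessage, unwraps the outer PKCS#7 SignedData and the inner PKCS#7 EnvelopedData with the .NET Pkcs classes, and compares the RecipientInfo with a given RA certificate (by issuer+serial, or by SubjectKeyIdentifier for clients that use that recipient form). The function names are made up for this example. The demo at the end constructs its own test data (two self-signed "RA" certificates and a SCEP-shaped message encrypted to the old one) rather than using a real capture, so it creates and then deletes two certificates in Cert:\CurrentUser\My and needs Windows 10 / Server 2016 or later for New-SelfSignedCertificate.

```powershell
# Added example (not Venafi's code): decode a SCEP pkiMessage and check which
# certificate its inner EnvelopedData was encrypted to.
Add-Type -AssemblyName System.Security   # SignedCms / EnvelopedCms
Add-Type -AssemblyName System.Web        # HttpUtility.UrlDecode / UrlEncode

function Get-ScepRecipientInfo {
    param([Parameter(Mandatory)][string]$UrlEncodedMessage)
    # URL-decode, then restore any '+' that IIS logged literally (UrlDecode turns it into a space)
    $b64   = [System.Web.HttpUtility]::UrlDecode($UrlEncodedMessage).Replace(' ', '+')
    $bytes = [Convert]::FromBase64String($b64)
    # Outer layer: PKCS#7 SignedData, the SCEP pkiMessage signed by the client
    $signed = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $signed.Decode($bytes)
    # Inner layer: the signed content is a DER-encoded PKCS#7 EnvelopedData holding the CSR
    $envelope = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms
    $envelope.Decode($signed.ContentInfo.Content)
    foreach ($ri in $envelope.RecipientInfos) {
        $id = $ri.RecipientIdentifier
        if ($id.Type -eq [System.Security.Cryptography.Pkcs.SubjectIdentifierType]::IssuerAndSerialNumber) {
            [pscustomobject]@{ Issuer = $id.Value.IssuerName; SerialNumber = $id.Value.SerialNumber; SubjectKeyIdentifier = $null }
        } else {
            # Some clients identify the recipient by SubjectKeyIdentifier instead of issuer+serial
            [pscustomobject]@{ Issuer = $null; SerialNumber = $null; SubjectKeyIdentifier = $id.Value }
        }
    }
}

function ConvertTo-NormalizedHex([string]$Hex) {
    # Strip separators, upper-case and drop leading zeros so "00ab:cd" and "ABCD" compare equal
    (($Hex -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()).TrimStart('0')
}

function Test-ScepRecipientMatchesRa {
    param(
        [Parameter(Mandatory)]$RecipientInfo,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$RaCertificate
    )
    if ($RecipientInfo.SerialNumber) {
        return (ConvertTo-NormalizedHex $RecipientInfo.SerialNumber) -eq (ConvertTo-NormalizedHex $RaCertificate.SerialNumber)
    }
    $ski = $RaCertificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }   # subjectKeyIdentifier
    if (-not $ski) { return $false }
    return (ConvertTo-NormalizedHex $RecipientInfo.SubjectKeyIdentifier) -eq (ConvertTo-NormalizedHex $ski.SubjectKeyIdentifier)
}

# --- Constructed demo data (NOT a real SCEP capture): a client that still encrypts to an old RA cert ---
function Invoke-ScepRecipientDemo {
    $csp   = 'Microsoft Enhanced RSA and AES Cryptographic Provider'   # CAPI provider keeps CmsSigner happy on older .NET
    $raOld = New-SelfSignedCertificate -Subject 'CN=Demo RA (old)' -CertStoreLocation Cert:\CurrentUser\My -Provider $csp
    $raNew = New-SelfSignedCertificate -Subject 'CN=Demo RA (new)' -CertStoreLocation Cert:\CurrentUser\My -Provider $csp
    try {
        # EnvelopedData encrypted to the OLD RA certificate, wrapped in SignedData (signed here with
        # the same cert for brevity; a real SCEP client signs with its own self-signed certificate)
        $inner = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms (
                     New-Object System.Security.Cryptography.Pkcs.ContentInfo (,[Text.Encoding]::ASCII.GetBytes('demo CSR')))
        $inner.Encrypt((New-Object System.Security.Cryptography.Pkcs.CmsRecipient $raOld))
        $outer = New-Object System.Security.Cryptography.Pkcs.SignedCms (
                     New-Object System.Security.Cryptography.Pkcs.ContentInfo (,$inner.Encode()))
        $outer.ComputeSignature((New-Object System.Security.Cryptography.Pkcs.CmsSigner $raOld))
        $message = [System.Web.HttpUtility]::UrlEncode([Convert]::ToBase64String($outer.Encode()))

        $ri = Get-ScepRecipientInfo $message
        "Payload encrypted to: $($ri.Issuer), serial $($ri.SerialNumber)"
        "Matches configured (new) RA cert: $(Test-ScepRecipientMatchesRa $ri $raNew)"   # False: stale RA cert on the client
        "Matches old RA cert:              $(Test-ScepRecipientMatchesRa $ri $raOld)"   # True
    } finally {
        Remove-Item "Cert:\CurrentUser\My\$($raOld.Thumbprint)", "Cert:\CurrentUser\My\$($raNew.Thumbprint)" -ErrorAction SilentlyContinue
    }
}

Invoke-ScepRecipientDemo
```

For a real investigation, call Get-ScepRecipientInfo with the message value copied from the IIS log and Test-ScepRecipientMatchesRa with the configured RA certificate loaded as an X509Certificate2, for example from an exported file (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\ra.cer') or from the store (Get-Item Cert:\LocalMachine\My\<thumbprint>). A False result points at the client, as described above; a True result means the encryption target is correct and the failure lies elsewhere.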


More info:

Example on how to configure Venafi SCEP:
