
Error: "Failed to unwrap inner PKCS7" when doing SCEP requests

Symptom:

SCEP requests to Venafi are failing. The Default SQL Channel logs show the following:

Network Device Enrollment - Failed to parse CSR Failed to extract the subject from the received CSR
Network Device Enrollment - Failed to unwrap inner PKCS7 Failed to properly decode the inner PKCS#7 envelope in the received SCEP data

Cause:

Typically this is caused by the payload sent to the Venafi SCEP endpoint being encrypted to the wrong certificate, so Venafi cannot decrypt the inner PKCS#7 envelope. The certificate the client encrypted to can be identified as follows:

1. Extract the payload from the IIS logs
2. Use the following PowerShell script to decode the URL-encoded payload and write it to disk

# Load System.Web for the URL decoder (Windows PowerShell 5.1)
[Reflection.Assembly]::LoadWithPartialName("System.Web") | Out-Null
# URL-encoded base64 payload copied from the IIS log (truncated here)
$encode = 'MIAGCSq...AAAA'
# Undo the URL encoding to get plain base64, then decode it to the raw PKCS#7 bytes
$b64 = [System.Web.HttpUtility]::UrlDecode($encode)
$filename = 'C:\temp\filetolookat.p7b'
$bytes = [Convert]::FromBase64String($b64)
# Write the PKCS#7 blob to disk so certutil can dump it
[IO.File]::WriteAllBytes($filename, $bytes)

3. View the file with the certutil command (run it in the same PowerShell session so that $filename still resolves, or substitute the path):

certutil.exe -dump $filename

4. In the dump, find the "Recipient Info" section of the inner EnvelopedData:

Recipient Info[0]:
CMSG_KEY_TRANS_RECIPIENT(1)
CERT_ID_ISSUER_SERIAL_NUMBER(1)
Serial Number: 187fdfgg2
Issuer: CN=Venafi Root CA

5. Compare the Serial Number of the certificate used to encrypt the payload with the RA certificate configured in the Venafi SCEP settings.
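As an added example (not from the Venafi article), the following Windows PowerShell script automates steps 2 to 5: it decodes the logged payload, unwraps the outer PKCS#7 SignedData, decodes the inner EnvelopedData and compares each recipient's issuer serial with the RA certificate serial you expect. The $Payload and $ExpectedSerial values are placeholders, and the script assumes Windows PowerShell 5.1 with the .NET System.Security assembly available.

```powershell
# Added example: identify which certificate a logged SCEP payload was encrypted to.
# Placeholders to replace with real values from your environment:
$Payload        = 'MIAGCSq...AAAA'   # URL-encoded base64 SCEP message from the IIS log
$ExpectedSerial = '187fdfgg2'        # serial of the RA certificate configured in Venafi

Add-Type -AssemblyName System.Web
Add-Type -AssemblyName System.Security

# Step 2: undo the URL encoding, then the base64, to get the raw PKCS#7 bytes
$bytes = [Convert]::FromBase64String([System.Web.HttpUtility]::UrlDecode($Payload))

# Outer layer: PKCS#7 SignedData (pkiMessage). Decode only; no signature check is needed
# just to reach the encapsulated content.
$signed = New-Object System.Security.Cryptography.Pkcs.SignedCms
$signed.Decode($bytes)
Write-Output "Outer content type : $($signed.ContentInfo.ContentType.Value)"
foreach ($cert in $signed.Certificates) {
    Write-Output "Embedded cert      : $($cert.Subject) (serial $($cert.SerialNumber))"
}

# Inner layer: the encapsulated content is the PKCS#7 EnvelopedData that Venafi
# reports it "failed to unwrap" when it is encrypted to the wrong certificate.
$enveloped = New-Object System.Security.Cryptography.Pkcs.EnvelopedCms
$enveloped.Decode($signed.ContentInfo.Content)
Write-Output "Content encryption : $($enveloped.ContentEncryptionAlgorithm.Oid.FriendlyName)"

# Steps 4 and 5: list every recipient and compare the serial with the expected RA cert
$match = $false
foreach ($ri in $enveloped.RecipientInfos) {
    $id = $ri.RecipientIdentifier
    if ($id.Type -eq [System.Security.Cryptography.Pkcs.SubjectIdentifierType]::IssuerAndSerialNumber) {
        # $id.Value is an X509IssuerSerial with IssuerName and SerialNumber (hex string)
        Write-Output "Recipient issuer   : $($id.Value.IssuerName)"
        Write-Output "Recipient serial   : $($id.Value.SerialNumber)"
        if ($id.Value.SerialNumber -ieq $ExpectedSerial) { $match = $true }
    } else {
        # Some clients identify the recipient by SubjectKeyIdentifier instead of issuer/serial
        Write-Output "Recipient SKI      : $($id.Value)"
    }
}

if ($match) {
    Write-Output 'OK: payload is encrypted to the configured RA certificate'
} else {
    Write-Output 'MISMATCH: payload is not encrypted to the configured RA certificate; check the SCEP client settings'
}
```

If a recipient is identified by SubjectKeyIdentifier rather than issuer/serial, compare that value against the RA certificate's Subject Key Identifier extension instead of its serial number.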

Resolution:

If the serial number does not match the RA certificate configured in the Venafi SCEP settings, check the SCEP configuration on the system sending the request, since that client is encrypting the payload to a different certificate.

More info:

Example on how to configure Venafi SCEP:

https://support.venafi.com/hc/en-us/articles/215914547
