SCEP requests to Venafi are failing. The Default SQL Channel logs show the following:
|Network Device Enrollment - Failed to parse CSR||Failed to extract the subject from the received CSR|
|Network Device Enrollment - Failed to unwrap inner PKCS7||Failed to properly decode the inner PKCS#7 envelope in the received SCEP data|
Typically this is caused by the payload sent to the Venafi SCEP endpoint being encrypted to the wrong certificate: the client encrypts the inner PKCS#7 envelope to the RA certificate it believes Venafi holds, and Venafi can only decrypt it if that is the RA certificate configured in its SCEP settings. The certificate the payload was encrypted to can be identified as follows:
1. Extract the payload from IIS logs
2. Use the following PowerShell script to decode the URL-encoded payload and write it to a file:
# Load System.Web so HttpUtility is available (Windows PowerShell)
[Reflection.Assembly]::LoadWithPartialName("System.Web") | Out-Null
# Paste the URL-encoded value of the "message" query parameter from the IIS log
$encode = 'MIAGCSq...AAAA'
# URL-decode to get the Base64 text, then decode Base64 to the raw PKCS#7 bytes
$b64 = [System.Web.HttpUtility]::UrlDecode($encode)
$filename = 'C:\temp\filetolookat.p7b'
$bytes = [Convert]::FromBase64String($b64)
# Write the decoded payload to disk so certutil can dump it
[IO.File]::WriteAllBytes($filename, $bytes)
3. Dump the file with certutil (from the same PowerShell session, so that $filename resolves):
certutil.exe -dump $filename
4. Find the "Recipient Info" section in the dump; it identifies the certificate the envelope was encrypted to, for example:
Serial Number: 187fdfgg2
Issuer: CN=Venafi Root CA
5. Compare the Serial Number (and Issuer, since a serial number is only unique per issuing CA) of the certificate used to encrypt the payload with the RA Certificate configured in the Venafi SCEP settings.
If the serial number does not match the RA Certificate configured in Venafi, the client is encrypting to a different certificate, typically one it obtained or cached before the RA certificate was changed; check the settings on the system sending the SCEP request.
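The whole procedure above, as an added example script (not Venafi's own tooling): it takes an IIS log line or the raw "message" value, decodes it, runs certutil -dump, pulls the Serial Number and Issuer lines that follow "Recipient Info", and compares them with an RA certificate exported from Venafi as a .cer file. It assumes Windows PowerShell 5.1 with certutil.exe on the PATH; the "Serial Number:" / "Issuer:" line layout is taken from the dump shown above, and the log line, file paths and RA export path in the usage comment are placeholders.

```powershell
# Added example (not Venafi's code): identify which certificate a SCEP PKIOperation
# payload from an IIS log was encrypted to, and compare it with the RA certificate
# Venafi is configured with. Assumes Windows PowerShell 5.1 and certutil.exe on PATH.
Add-Type -AssemblyName System.Web

function Get-ScepMessageBytes {
    # Accepts a whole IIS (W3C) log line, just the cs-uri-query field, or the
    # bare URL-encoded Base64 value of the "message" parameter.
    param([Parameter(Mandatory)][string]$Input)
    if ($Input -match 'message=') {
        $query = ($Input -split '\s+') | Where-Object { $_ -match 'message=' } | Select-Object -First 1
        $params = [System.Web.HttpUtility]::ParseQueryString($query.TrimStart('?'))
        $b64 = $params['message']            # ParseQueryString URL-decodes the value
    } else {
        $b64 = [System.Web.HttpUtility]::UrlDecode($Input)
    }
    if (-not $b64) { throw 'No message parameter value found' }
    # A client that does not %-encode '+' yields spaces after URL decoding;
    # Base64 never contains spaces, so restoring '+' is safe.
    $b64 = ($b64 -replace ' ', '+').Trim()
    return [Convert]::FromBase64String($b64)
}

function Get-CertutilRecipientInfo {
    param([Parameter(Mandatory)][string]$Path)
    $dump = & certutil.exe -dump $Path 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -dump failed:`n$($dump -join "`n")" }
    # Only look at Serial Number / Issuer lines after "Recipient Info"; earlier
    # ones belong to the outer SignedData and describe the client's signing cert.
    $inRecipient = $false; $serial = $null; $issuer = $null
    foreach ($line in $dump) {
        if ($line -match 'Recipient Info') { $inRecipient = $true; continue }
        if (-not $inRecipient) { continue }
        if (-not $serial -and $line -match '^\s*Serial\s*Number:\s*([0-9a-fA-F]+)') { $serial = $Matches[1] }
        if (-not $issuer -and $line -match '^\s*Issuer:\s*(.+?)\s*$') { $issuer = $Matches[1] }
        if ($serial -and $issuer) { break }
    }
    if (-not $serial) { throw 'No Recipient Info serial number found; is this a PKIOperation payload?' }
    [pscustomobject]@{ SerialNumber = $serial; Issuer = $issuer }
}

# certutil prints lowercase hex without leading zeros; X509Certificate2 prints uppercase.
function Format-Serial([string]$Hex) { $Hex.ToLowerInvariant().TrimStart('0') }
# Normalise DN spacing/case so "CN=X, O=Y" and "CN=X,O=Y" compare equal.
function Format-Dn([string]$Dn) { ($Dn -replace '\s*,\s*', ',').ToLowerInvariant() }

function Test-ScepRecipientMatchesRa {
    param(
        [Parameter(Mandatory)][string]$Input,
        [Parameter(Mandatory)][string]$RaCertPath,   # RA certificate exported from Venafi (.cer)
        [string]$WorkFile = 'C:\temp\filetolookat.p7b'
    )
    [IO.File]::WriteAllBytes($WorkFile, (Get-ScepMessageBytes -Input $Input))
    $recipient = Get-CertutilRecipientInfo -Path $WorkFile
    $ra = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $RaCertPath
    # A serial number is only unique per issuer, so both fields must match.
    $serialOk = (Format-Serial $recipient.SerialNumber) -eq (Format-Serial $ra.SerialNumber)
    $issuerOk = (Format-Dn $recipient.Issuer) -eq (Format-Dn $ra.Issuer)
    [pscustomobject]@{
        PayloadSerial = $recipient.SerialNumber
        PayloadIssuer = $recipient.Issuer
        RaSerial      = $ra.SerialNumber
        RaIssuer      = $ra.Issuer
        Matches       = ($serialOk -and $issuerOk)
    }
}

# Usage (placeholder values; take the real line from the IIS log and export the
# configured RA certificate from Venafi):
# $line = '2024-01-01 00:00:00 10.0.0.5 GET /vedscep/ operation=PKIOperation&message=MIAGCSq...AAAA 443 - 10.0.0.9 - 200 0 0 15'
# Test-ScepRecipientMatchesRa -Input $line -RaCertPath 'C:\temp\venafi-ra.cer'
```

When Matches is false, the PayloadSerial/PayloadIssuer pair tells you which certificate the client actually encrypted to, which is usually enough to spot a client still holding a previous RA certificate.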
Example on how to configure Venafi SCEP: