Also not able to Enroll with NDES, failure reason: Integrity check failed, illegal size of payload #156

Open
xl-gtf opened this issue Sep 20, 2022 · 1 comment


xl-gtf commented Sep 20, 2022

Hi there,
I am facing a similar error as #80, but when I pass it the certificates as suggested, using both -c and -e, I still get the error.

```
./sscep enroll -c ca.crt-0 -l cert.pem -k key.pem -r local.csr.txt -e ca.crt-1 -u http://[Server]/certsrv/mscep/mscep.dll -v -d
```

yields:

```
/sscep: finding attribute pkiStatus
./sscep: allocating 1 bytes for attribute
./sscep: pkistatus: FAILURE
./sscep: finding attribute failInfo
./sscep: allocating 1 bytes for attribute
./sscep: reason: Integrity check failed
./sscep: illegal size of payload
```

I have tried rearranging the 3 certificates around as parameters.
ca.crt-0 can also be used for -e parameter,
but if I replace or swap anything apart from that, error is reached before, so the certificates are arranged as best they can be.

It would seem, this is correct:
ca.crt-0 Certificate for signing
ca.crt-1 Certificate for encryption
ca.crt-2 Certificate of CA that signed the NDES-Certificates

Can you help me to a solution or more debugging information?

Regards, Chr


Sleepw4lker commented Oct 21, 2022

Have a look at this: https://www.gradenegger.eu/?p=10098 (you might need to translate it).
Common failures I stumbled across are...

  • Wrong or already-used Challenge password (triggers Event 29 on the NDES server)
  • Challenge password is wrongly encoded (also triggers Event 29 on the NDES server). NDES expects the password to be encoded in PrintableString, OpenSSL defaults to UTF8 though... (set string_mask = nombstr in your request config file under the [req] section)
  • key size too small (triggers Event 31 on the NDES server)
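
One way to check the encoding point from the list above before submitting a request, as an added example that is not part of the original comments or of sscep: it reports which ASN.1 string type the challengePassword attribute of a PEM or DER request uses. The function names are hypothetical, the sample input is constructed, and locating the attribute by searching for its OID is a shortcut rather than a full PKCS#10 parse.

```python
import base64
import sys

# OID 1.2.840.113549.1.9.7 (PKCS#9 challengePassword), DER-encoded with tag and length
CHALLENGE_PASSWORD = bytes.fromhex("06092a864886f70d010907")
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString",
               0x14: "T61String", 0x16: "IA5String", 0x1E: "BMPString"}

def pem_to_der(data: bytes) -> bytes:
    """Accept a PEM or DER request and return the DER bytes."""
    if b"-----BEGIN" not in data:
        return data
    lines = [l for l in data.splitlines() if l and not l.startswith(b"-----")]
    return base64.b64decode(b"".join(lines))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the byte count
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, pos, pos + length

def challenge_password_type(request: bytes):
    """Name the ASN.1 string type of challengePassword, or None if it is absent."""
    der = pem_to_der(request)
    at = der.find(CHALLENGE_PASSWORD)      # shortcut: locate the OID, no full parse
    if at < 0:
        return None
    tag, start, _ = read_tlv(der, at + len(CHALLENGE_PASSWORD))
    if tag != 0x31:                        # attribute values are wrapped in a SET
        raise ValueError("challengePassword OID not followed by a SET")
    tag, _, _ = read_tlv(der, start)
    return STRING_TAGS.get(tag, f"unknown tag 0x{tag:02x}")

def sample_attribute(tag: int, password: bytes) -> bytes:
    """Constructed input: a lone challengePassword attribute, not a complete CSR."""
    value = bytes([tag, len(password)]) + password
    body = CHALLENGE_PASSWORD + b"\x31" + bytes([len(value)]) + value
    return b"\x30" + bytes([len(body)]) + body

if __name__ == "__main__":
    if len(sys.argv) > 1:                  # path to a real request, PEM or DER
        print(challenge_password_type(open(sys.argv[1], "rb").read()))
    else:
        for tag in (0x0C, 0x13):           # OpenSSL default vs. what NDES expects
            print(challenge_password_type(sample_attribute(tag, b"Constructed123")))
```

Run with the request file as the only argument; a result other than PrintableString matches the encoding problem described in the comment above.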
