certificates: Problems issuing Chromebook certificates through SCEP provider

Subject of the issue

We are trying to implement step-ca as the certificate provider for client certificates to Chromebook devices in our organization. Google Workspace uses the SCEP protocol to request certificates. Here is some of Google’s documentation on this; they mostly refer to Windows ADCS as the SCEP service: https://support.google.com/chrome/a/answer/11053129?hl=en&ref_topic=6330253 https://support.google.com/chrome/a/answer/11338941?hl=en

But there is no technical limitation from Google’s side on which CA service to use. I have built a test environment that can issue SCEP certificates and am testing the basic issuing using the application “sscep”.

These parts are all working using the sscep client software, however when we test with a Chromebook we get the error: scep post request failed: pkcs7: Message digest mismatch

Your environment

  • OS - Windows Server 2016
  • Version - step-ca 0.18.2

Steps to reproduce

I’ve attached a PowerShell script that I use to build the entire CA (and optionally install as a service using “shawl”). I’ve also attached a zip containing the exact executables I use for reference. TestEXE.zip WindowsCA.ps1.txt

But specifically these are used in addition to step 0.18.2:

  • Shawl - https://github.com/mtkennerly/shawl - Pre-compiled version 1.1.0 (not needed if not installing as a service)
  • SSCEP - https://github.com/certnanny/sscep - Self-compiled binary for Windows based on v0.10.0
  • OpenSSL - https://slproweb.com/products/Win32OpenSSL.html - using win64 v3.0.2

For testing with Google Workspace and Chromebook, we have set up a SCEP profile with these settings (omitted settings are blank/default):

  • Profile Name: SCEPTest
  • Subject name format:
    • Common name: ${DEVICE_SERIAL_NUMBER}
  • SAN: None
  • SCEP Server URL: <hostname:port>/scep/scepca
  • Challenge type: Static
    • <challenge password>
  • Certificate Authority: <Intermediate CA certificate>
  • Device platforms: Chromebook

Obviously you need a Google Workspace and Chromebook to set this up. The Google Certificate Connection got installed using a local user on the server (because the installer required it), and then the service was changed to use “LocalService” through Windows Services.

Expected behaviour

Expected that the Chromebook would complete the certificate request. Request is passed to step-ca with Google Certificate Connector as a proxy relay (certificate request flow is described in Google’s documentation “Configure SCEP with ADCS for Chromebooks” as Appendix A). But the short version is that the Chromebook sends a request to Google Workspace, then the Certificate Connector polls Workspace for any pending requests. If requests are pending, they get pulled by the connector for signing and are pushed back to Workspace after signing is complete; afterwards Workspace pushes the certificate to the Chromebook.

Actual behaviour

Certificate request goes through, but final signing from step-ca seems to fail with error scep post request failed: pkcs7: Message digest mismatch.

Additional context

We managed to extract one of the failed requests. Since the request itself only contains test-data there is no issue with sharing it here:

Of note, a difference between the request made via OpenSSL for the test and the request from the Chromebook is this (after decoding the request via OpenSSL):

        Attributes:
            challengePassword        :secret1234
            1.2.840.113549.1.9.25.3  :unable to print attribute
            Requested Extensions:
                1.3.6.1.4.1.311.20.2:
                    ..

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 27 (16 by maintainers)

Most upvoted comments

I’ve just tested and it indeed works if the CA-keys are 1024 bit. So the issue seems to be payload size.

I also found out that the SCEP profile accepts localhost as SCEP server address (since the Google Certificate Collector and step-ca are running on the same server and I’m using http). This means I can share it here. So here are the payloads that actually work (this is taken from the logs of the certificate connector):

The initial pull of the request:
[com.google.mdm.certificate.agent.RequestSubscriber]: Received pull response {"receivedMessages":[{"ackId":"RFAGFixdRkhRNxkIaFEOT14jPzUgKEUSCAgUBXx9cF1JdV1Zc2hRDRlyfWB9alIbVQcXUncNURsHaE5tdR_viOrRS0NVbl8SAQVFUX9aXxkJblVZcC-U7pK-2cK9XUAvObzAoN1pe7mTycltZiM9XxJLLD5-KTdFQV5AEkwiAkRJUytDCypYEU4EISE-MD5FUw","message":{"attributes":{"pubsub.googleapis.com/typed-publisher/message-type/protobuf":"ccc.hosted.devicemanagement.proto.emm.certificate.enrollment.Request","pubsub.googleapis.com/typed-publisher/message-type/mime-type/":"application/x-protobuf"},"data":"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","messageId":"4510702154246955","publishTime":"2022-05-03T07:32:27.782Z"}}]}

I think this is processing the request:
[com.google.mdm.certificate.agent.RequestReceiver]: Received pubsub payload: {"attributes":{"pubsub.googleapis.com/typed-publisher/message-type/protobuf":"ccc.hosted.devicemanagement.proto.emm.certificate.enrollment.Request","pubsub.googleapis.com/typed-publisher/message-type/mime-type/":"application/x-protobuf"},"data":"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","messageId":"4510702154246955","publishTime":"2022-05-03T07:32:27.782Z"}

The signed certificate:
[com.google.mdm.certificate.agent.EnrollDeviceRequestHandler]: Received certificate -----BEGIN CERTIFICATE-----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-----END CERTIFICATE----- for device ID c6228357-eb9e-4ed9-be7e-2529f2f1d5c6

So this is for the successful request using 1024bit CA-keys.

This is a failed request using 2048bit CA-keys.

[com.google.mdm.certificate.agent.RequestSubscriber]: Received pull response {"receivedMessages":[{"ackId":"RVNEUAYWLF1GSFE3GQhoUQ5PXiM_NSAoRRIICBQFfH1xXlh1W1oaB1ENGXJ8aXViUkYIBkxSeFVbEQ16bVxtrt7-ukRfQXFvWxMJAkdTeltcGAtqWlldwrKG1dbeqUJwYSuojbbwSH_vkcc8ZiA9XxJLLD5-KTdFQV5AEkwiAkRJUytDCypYEU4EISE-MD4","message":{"attributes":{"pubsub.googleapis.com/typed-publisher/message-type/protobuf":"ccc.hosted.devicemanagement.proto.emm.certificate.enrollment.Request","pubsub.googleapis.com/typed-publisher/message-type/mime-type/":"application/x-protobuf"},"data":"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","messageId":"4510802044736265","publishTime":"2022-05-03T07:53:51.754Z"}}]}

[com.google.mdm.certificate.agent.RequestReceiver]: Received pubsub payload: {"attributes":{"pubsub.googleapis.com/typed-publisher/message-type/protobuf":"ccc.hosted.devicemanagement.proto.emm.certificate.enrollment.Request","pubsub.googleapis.com/typed-publisher/message-type/mime-type/":"application/x-protobuf"},"data":"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","messageId":"4510802044736265","publishTime":"2022-05-03T07:53:51.754Z"}

The returned error from step-ca to the certificate connector.

[com.google.mdm.certificate.agent.EnrollDeviceRequestHandler]: Unable to read from PEM string: org.jscep.transaction.TransactionException: org.jscep.transport.TransportException: 500 Internal Server Error
	at org.jscep.transaction.Transaction.send(Unknown Source)
	at org.jscep.transaction.EnrollmentTransaction.send(Unknown Source)
	at org.jscep.client.Client.send(Unknown Source)
	at org.jscep.client.Client.enrol(Unknown Source)
	at org.jscep.client.Client.<unknown>(Unknown Source)
	at com.google.mdm.certificate.agent.EnrollDeviceRequestHandler.execute(Unknown Source)
	at com.google.mdm.certificate.agent.RequestReceiver.receiveMessage(Unknown Source)
	at com.google.mdm.certificate.agent.RequestSubscriber.pull(Unknown Source)
	at com.google.mdm.certificate.agent.RequestSubscriber.<unknown>(Unknown Source)
	at com.google.mdm.certificate.agent.RequestSubscriber$$Lambda$25.run(Unknown Source)
	at com.google.common.util.concurrent.MoreExecutors$ScheduledListeningDecorator$NeverSuccessfulListenableFutureTask.run(Unknown Source)
	at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
	at java.util.concurrent.FutureTask.runAndReset(Unknown Source)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(Unknown Source)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
Caused by: org.jscep.transport.TransportException: 500 Internal Server Error
	at org.jscep.transport.UrlConnectionPostTransport.sendRequest(Unknown Source)
	... 18 more

This is the log line from step-ca: time="2022-05-03T09:54:02+02:00" level=error duration=0s duration-ns=0 error="scep post request failed: pkcs7: Message digest mismatch\n\tExpected: BCD6C3FA9F996EAE7F05D64690914FEE8452FF391341F65378385A10C78126AC\n\tActual : 5A607D497FED984E2BCDCFF7CCE3EBE695DB28EC41E64A5152A7B0513354CF33" fields.time="2022-05-03T09:54:02+02:00" method=POST name=ca path="/scep/scepca?operation=PKIOperation" protocol=HTTP/1.1 referer= remote-address=127.0.0.1 request-id=c9odv6k20edg954d0ll0 size=227 status=500 user-agent=Java/1.8.0_181 user-id=
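
For triage, failures like the step-ca error line quoted above can be picked out of a log and reduced to the request ID, client and the two digests. The following Python is an added example, not part of the original thread or of step-ca; it assumes logfmt-style lines with the field names seen in that line, and the second sample line is constructed for the example.

```python
import re

# logfmt pair: value is a quoted string (backslash escapes) or a bare token.
PAIR = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S*)')
DIGESTS = re.compile(r'Expected:\s*([0-9A-Fa-f]{64})\s+Actual\s*:\s*([0-9A-Fa-f]{64})')

def parse_logfmt(line):
    """Split one logfmt line into a dict of fields."""
    fields = {}
    for key, raw in PAIR.findall(line):
        if raw.startswith('"'):
            # Strip the quotes and undo the escapes seen in the error field.
            raw = raw[1:-1].replace('\\n', '\n').replace('\\t', '\t').replace('\\"', '"')
        fields[key] = raw
    return fields

def scep_digest_failures(lines):
    """Return one record per failed SCEP PKIOperation with a digest mismatch."""
    findings = []
    for line in lines:
        f = parse_logfmt(line)
        err = f.get("error", "")
        if (f.get("level") != "error" or "Message digest mismatch" not in err
                or "operation=PKIOperation" not in f.get("path", "")):
            continue
        m = DIGESTS.search(err)
        findings.append({
            "request_id": f.get("request-id"),
            "client": f.get("remote-address"),
            "user_agent": f.get("user-agent"),
            "expected": m.group(1) if m else None,
            "actual": m.group(2) if m else None,
        })
    return findings

SAMPLE_LINES = [
    # Failure line as quoted in the comment above.
    r'time="2022-05-03T09:54:02+02:00" level=error duration=0s duration-ns=0 '
    r'error="scep post request failed: pkcs7: Message digest mismatch'
    r'\n\tExpected: BCD6C3FA9F996EAE7F05D64690914FEE8452FF391341F65378385A10C78126AC'
    r'\n\tActual : 5A607D497FED984E2BCDCFF7CCE3EBE695DB28EC41E64A5152A7B0513354CF33" '
    r'fields.time="2022-05-03T09:54:02+02:00" method=POST name=ca '
    r'path="/scep/scepca?operation=PKIOperation" protocol=HTTP/1.1 referer= '
    r'remote-address=127.0.0.1 request-id=c9odv6k20edg954d0ll0 size=227 '
    r'status=500 user-agent=Java/1.8.0_181 user-id=',
    # Constructed non-error line (values invented for this example).
    r'time="2022-05-03T09:33:10+02:00" level=info method=POST name=ca '
    r'path="/scep/scepca?operation=PKIOperation" request-id=constructed0001 status=200',
]

if __name__ == "__main__":
    print(scep_digest_failures(SAMPLE_LINES))
```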