EJBCA 6.2.0 MobileIron SCEP Failure

  • rjc8540

    rjc8540 - 2014-08-04

    Hi, I am running a new installation of EJBCA, trying to get MobileIron MDM to request a test cert via SCEP. The documentation says that this is supported but I'm running into failures after trying multiple variations of the request. It seems that the error is pointing to BouncyCastle.

    I am running EJBCA behind Apache via AJP:8009.

    ERROR [org.ejbca.core.protocol.scep.ScepRequestMessage] (ajp-- Error in PKCS7:: org.bouncycastle.cms.CMSException: exception unwrapping key: bad padding: unknown block type

    Has anyone been able to implement a successful setup with MobileIron on EJBCA 6.2.0?

    It's working using Apple iOS/Mac OS X SCEP...
    This instance of MobileIron SCEP is also working when requesting from a Microsoft 2012 CA.


  • Stefan Selbitschka

    Hi, I successfully tested MobileIron with EJBCA if you are using CA mode in EJBCA. If I use RA mode I encounter the same issue as you.

    I guess this is a problem of EJBCA, since in RA mode they try to find the correct CA to decrypt the message using the IssuerDN of the PKCS7 request. But if you have a non-self-signed CA to issue the SCEP certificate, the issuer DN in the request leads to the root and not to the CA certificate. Now EJBCA is trying to decrypt the SCEP request with the root key and not with the sub-CA key, which leads to that error.

    I will open a bug report for that.
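
The key-selection mismatch described in the reply above, as an added Python model that is not part of the thread and is not EJBCA or BouncyCastle code. The DNs, serial numbers, function names and textbook-RSA keys (built from known Mersenne primes, not secure) are constructed for the demonstration; it relies on the CMS recipient identifier carrying the issuer DN and serial number of the recipient certificate.

```python
import os

E = 65537  # public exponent

def toy_key(a, b):
    """Textbook RSA key from Mersenne primes 2**a-1 and 2**b-1 (demo only)."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def encrypt(key, msg):
    """PKCS#1 v1.5 encryption block: 00 02 <nonzero random bytes> 00 <msg>."""
    k = (key["n"].bit_length() + 7) // 8
    pad = bytes(b % 255 + 1 for b in os.urandom(k - 3 - len(msg)))
    return pow(int.from_bytes(b"\x00\x02" + pad + b"\x00" + msg, "big"), E, key["n"])

def decrypt(key, c):
    """Private-key operation followed by the padding check."""
    k = (key["n"].bit_length() + 7) // 8
    block = pow(c, key["d"], key["n"]).to_bytes(k, "big")
    sep = block.find(b"\x00", 2)
    if block[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("bad padding")  # failure class seen in the log above
    return block[sep + 1:]

# Constructed two-level hierarchy; the sub CA certificate is issued by the root.
ROOT = {"subject": "CN=Root CA", "issuer": "CN=Root CA", "serial": 1, "key": toy_key(521, 607)}
SUB = {"subject": "CN=Sub CA", "issuer": "CN=Root CA", "serial": 2, "key": toy_key(1279, 2203)}
CAS = [ROOT, SUB]

def scep_request(recipient, payload):
    """Client side: encrypt to the CA certificate, identify it by issuer DN and serial."""
    return {"rid": {"issuer": recipient["issuer"], "serial": recipient["serial"]},
            "enc_key": encrypt(recipient["key"], payload)}

def find_by_issuer_dn(rid):
    """Lookup as described in the reply: the CA whose subject DN is the issuer DN."""
    return next(ca for ca in CAS if ca["subject"] == rid["issuer"])

def find_by_issuer_and_serial(rid):
    """Lookup that matches the recipient certificate itself."""
    return next(ca for ca in CAS
                if (ca["issuer"], ca["serial"]) == (rid["issuer"], rid["serial"]))

if __name__ == "__main__":
    req = scep_request(SUB, b"constructed session key")
    print(find_by_issuer_dn(req["rid"])["subject"])
    print(decrypt(find_by_issuer_and_serial(req["rid"])["key"], req["enc_key"]))
```

A request addressed to the self-signed root resolves to the same CA under either lookup, which matches the observation that only the sub-CA setup fails.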


