Hi Andrew,
Thanks a mil for so speedy response and references.
Reading the Automated Enrolment guide I had a thought that Cert Based Auth might work for
us.
Here is a line from the guide -
"There are other circumstances when it may be useful to use certificate-based
authentication for initially requesting a certificate. For example, tokens may be
bulk-loaded with generic certificates which are then used to authenticate the users when
they enroll for their user certificates..."
Do you know if a single generic (or transport) cert could be used for signing SCEP
requests for multiple users?
If so, I presume we will need both - a transport private key and transport cert for
signing requests?
Thanks,
Oleg
-----Original Message-----
From: pki-users-bounces(a)redhat.com [mailto:pki-users-bounces@redhat.com] On Behalf Of
Andrew Wnuk
Sent: 20 August 2013 18:15
To: pki-users(a)redhat.com
Subject: Re: [Pki-users] Using SCEP
SCEP is disabled by default in CA, so you need to enable SCEP first:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_Sy...
If you want to use SCEP with CA authentication, you need to enable FlatFileAuthentication
plug-in:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_Sy...
If you want to use SCEP with RA authentication, you need to follow RA's UI to create
one time pins for SCEP requests. RA is using SQLite as its repository so no need to create
directory entries.
I would advise you to use SCEP with CA only as more improvements were provided in this
area.
Thanks,
Andrew
On 08/20/2013 07:10 AM, Oleg Antonenko wrote:
Hi!
I'm planning to evaluate Dogtag CA for issuing certs for mobile devices via SCEP.
But before plunging into full blown installation and tests I'd like to understand
overall SCEP cert enrolment workflow supported by Dogtag.
>From the documentation on the web site I've figured out that it is possible to
send SCEP requests either to RA or directly to CA.
As I understood in RA mode a user record with one-time PIN/Challenge has to be created in
the 389 Directory first, and then a cert can be requested via SCEP.
Is that correct?
I did not get an impression that I have to do same when sending SCEP requests directly to
CA.
Does anyone know if I have to create a user record in the 389 DS before sending a SCEP
request to CA directly?
Thanks in advance,
Oleg
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users