Hi,
 we gathered some experience using scep and dogtag. To be a little more 
 precise we are issuing certs to cisco routers by the thousands (the 
 whole sales force needs these...)
 The current implementation works, but still leaves some space for 
 improvement :-)
 Your client initially needs a password that must be known to the ca in 
 the flatfileauth-file used for your scep profile. The CA has a simple 
 (more example) application to request such a password, we tied it to 
 our order system to further authenticate those requests.
 When your CA certificate (or the certificate you are using for scep) 
 sits in a HSM, you'll need quite an extension for the existing code, 
 as the current code will not be able to decrypt the requests (in this 
 case due to cisco's error - but we have to serve our clients...)
 The flatfileauth module still has a longstanding bug (from the 
 iplanet days of the dogtag code), that prevents it from working with other 
 tag-names than the default ones, easy to fix, but hair tearing when 
 you debug it. (See 
 https://www.redhat.com/archives/pki-devel/2009-February/msg00000.html for 
 details)
 The cisco client still complains about some operations not being 
 implemented, but works after those modifications.
 Yours,
 Alexander 
Hi Alexander,
Thank you for the detailed description. Could you open tickets 
<