On 02/27/2013 10:56 PM, Elliott William C OSS sIT wrote:
We currently use SCEP for Cisco Routers with a RedHat CS.
However as far as we can tell, "CA Key Rollover" is not implemented.
Furthermore, we can't find any indication that it's implemented in Dogtag 9 or
Could anyone confirm this?
Does anyone work around this problem?
As far as we can see, few or no CA SW supports this, aside from the IOS CA from Cisco.
The SCEP RFC says that the other two PKIX standards for certificate management are
superior to SCEP, which has deficiencies, and is quasi-deprecated. Therefore my
assumption is that no one (other than Cisco) plans to invest any effort in expanding SCEP
support in Dogtag or any other open source CA software.

We are actually planning on going through our existing SCEP
functionality to see what else from the Internet Draft should be
implemented in Dogtag 10.1. In addition, we have a few smaller tickets
related to SCEP in our Trac instance that we plan to look at (details at
We are not sure that we will be targeting "CA Key Rollover" specifically
any time soon, as we want to see if there are more common SCEP use cases
that should be targeted first. Is it specifically "CA Key Rollover" you
are interested in using, or is there anything else from the SCEP
Internet Draft that you have a use case for as well?