On 08/21/2013 12:32 PM, Alexander Jung wrote:
Hi,

we gathered some experience using SCEP and Dogtag. To be a little more precise, we are issuing certs to Cisco routers by the thousands (the whole sales force needs these...)

The current implementation works, but still leaves some space for improvement :-)

Your client initially needs a password that must be known to the CA in the flatfileauth file used for your SCEP profile. The CA has a simple (more of an example) application to request such a password; we tied it to our order system to further authenticate those requests.

When your CA certificate (or the certificate you are using for SCEP) sits in an HSM, you'll need quite an extension for the existing code, as the current code will not be able to decrypt the requests (in this case due to Cisco's error - but we have to serve our clients...)

The flatfileauth module still has a longstanding bug (from the iPlanet days of the Dogtag code) that prevents it from working with tag names other than the default ones; easy to fix, but hair-tearing when you debug it. (See https://www.redhat.com/archives/pki-devel/2009-February/msg00000.html for details.)

The Cisco client still complains about some operations not being implemented, but works after those modifications.

Yours,

Alexander

Hi Alexander,

Thank you for the detailed description. Could you open tickets or bugs describing the above issues? This would really help us to clean them up.

Thanks,
Andrew