Hi Alexander,
Thanks a lot for the info and confirmation, that sounds reassuring
J
We’re thinking to keep FlatfileAuth as a Plan B option.
But at the moment I think the best would be the “Cert Based Auth”…
So I’d like to narrow down my questions raised earlier, and would really appreciate your input.
This is an extract from the SCEP specification –
In this protocol, the communication between the requester and the certificate authority is secured by using PKCS#7 [RFC2315] as
the messaging protocol (see
Section 4). PKCS#7
RFC2315], however, is a data format which assumes the communicating entities already possess the peer's certificates and requires both parties use the issuer names and issuer assigned certificate serial numbers to identify the certificate in order to verify
the signature and decrypt the message.
·
If the requesting system already has a certificate issued by the CA, that certificate SHOULD be presented as credentials for the renewal of that certificate if the CA supports the "Renewal" capability and the CA policy permits
the certificate to be renewed.
·
If the requesting system has no certificate issued by the CA, but has
credentials from a different CA, that certificate MAY be presented as credentials instead of a self-signed certificate.
Policy settings on the SCEP server will determine if the request can be accepted or not.
·
If the requester does not have an appropriate existing certificate, then a self signed certificate must be used instead.
The self signed certificate MUST use the same subjectName as in the pkcs10 Request.
One of those certificates should be used to sign the overall PKCS#7 envelope sent by clients in “PKCSReq” message to the CA. My hunch is that iOS devices use
identity certificates issued by Apple for signing SCEP messages (i.e. PKCS#7).
Could anyone confirm that the second and third bullet points (i.e. credentials from a different CA & self signed certificate) are supported in Dogtag?
If yes, could you also clarify one more thing please?
·
Does the CA compare the CN in the signing cert with the CN in the PKCS#10 ?
With thanks,
Oleg
From: Alexander Jung [mailto:alexander.w.jung@gmail.com]
Sent: 21 August 2013 20:32
To: Oleg Antonenko
Cc: Andrew Wnuk; pki-users@redhat.com
Subject: Re: [Pki-users] Using SCEP
Hi,
we gathered some experience using
scep and dogtag. To be a little more precise we are
issuing certs to
cisco routers by the thousands (the whole sales force needs these...)
The current implementation works, but leaves still some space for improvement :-)
Your client initially needs a password that must be known to the ca in the flatfileauth-file used for your scep profile. The CA has a simple (more example) application to request such a password, we tied it to our order system to further
authenticate those requests.
When your CA certificate (or the certificate you are using for scep) sits in a HSM, you'll need quite an extension for the existing code, as the current code will not be able to decrypt the requests (in this case due to ciscos error - but
we have to serve our clients...)
The flatfileauth module still has a longstanding bug (from the iplanet days of the dogtag code), that prevents it to work with other tag-names than the default ones, easy to fix, but hair tearing when you debug it. (See https://www.redhat.com/archives/pki-devel/2009-February/msg00000.html for
details)
The cisco client still complains on some operations not being implemented, but works after those modifications
Yours,
Alexander