10:15 p.m.
We have been testing pki-ra-1.2.0-2 on Fedora 11 via SSCEP as
a possible solution.
Our problem is that we need to be able to automatically deploy
certificates to thousands of embedded Linux devices, each
equipped with a common initial shared-secret or cert. Each needs
to be able to enroll, recover an initial individual cert based
on the system's serial number, and renew the cert... all over
a dial-up connection.
SSCEP seems to be falling out of the solution based on the
requirement for one-time PINs and manual approval of the requests.
Although the web interface works beautifully, we can't seem
to get SSCEP working.
We've looked at the CMCEnroll tool, but that requires Java which
is not part of the embedded software. This is an embedded flash
rom based system that does not have the memory available. Any
suggestions? I'd hate to have to cave-in to those that want a
Microsoft solution.
Craig Zeller
<czeller(a)sjm.com>
This communication, including any attachments, may contain information that is
proprietary, privileged, confidential or legally exempt from disclosure. If you are not a
named addressee, you are hereby notified that you are not authorized to read, print,
retain a copy of or disseminate any portion of this communication without the consent of
the sender and that doing so may be unlawful. If you have received this communication in
error, please immediately notify the sender via return e-mail and delete it from your
system.
10:26 p.m.
Craig Zeller - SysAdmin wrote:
We have been testing pki-ra-1.2.0-2 on Fedora 11 via SSCEP as
a possible solution.
Our problem is that we need to be able to automatically deploy
certificates to thousands of embedded Linux devices, each
equipped with a common initial shared-secret or cert. Each needs
to be able to enroll, recover an initial individual cert based
on the system's serial number, and renew the cert... all over
a dial-up connection.
SSCEP seems to be falling out of the solution based on the
requirement for one-time PINs and manual approval of the requests.
Although the web interface works beautifully, we can't seem
to get SSCEP working.
We've looked at the CMCEnroll tool, but that requires Java which
is not part of the embedded software. This is an embedded flash
rom based system that does not have the memory available. Any
suggestions? I'd hate to have to cave-in to those that want a
Microsoft solution.
Craig Zeller
<czeller(a)sjm.com>
This communication, including any attachments, may contain information that is
proprietary, privileged, confidential or legally exempt from disclosure. If you are not a
named addressee, you are hereby notified that you are not authorized to read, print,
retain a copy of or disseminate any portion of this communication without the consent of
the sender and that doing so may be unlawful. If you have received this communication in
error, please immediately notify the sender via return e-mail and delete it from your
system.
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
Hi,
Will that help as a client?
https://fedorahosted.org/certmonger/
It will work with IPA v2 which in turn will embed CA&RA and would not
require manual approval.
Community release of IPA v2 has now shifted to the beginning of next year.
You can read about IPA on www.freeIPA.org.
If it does not come up please try again a day later. There are some DNS
issues being sorted out. The site just moved from one place into another
and is not fully back online but we expect it to get online any day.
--
Thank you,
Dmitri Pal
Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
10:43 p.m.
Have you considered using a proxy between your embedded devices
and the PKI? With such a scheme you can pretty much do anything
you want and shield the devices and the PKI from changes to their
respective interfaces.
A solution such as this (that we deployed last year) works well
for a bio-tech firm that is embedding digital certificates into
"throw-away" consumables with embedded processors. The proxy
machine is a PC with custom a application responsible for
provisioning certificates to the embedded devices (based on
serial number, lot #, etc.), and bridges the devices to the PKI.
Arshad Noor
StrongAuth, Inc.
Craig Zeller - SysAdmin wrote:
We have been testing pki-ra-1.2.0-2 on Fedora 11 via SSCEP as
a possible solution.
Our problem is that we need to be able to automatically deploy
certificates to thousands of embedded Linux devices, each
equipped with a common initial shared-secret or cert. Each needs
to be able to enroll, recover an initial individual cert based
on the system's serial number, and renew the cert... all over
a dial-up connection.
SSCEP seems to be falling out of the solution based on the
requirement for one-time PINs and manual approval of the requests.
Although the web interface works beautifully, we can't seem
to get SSCEP working.
We've looked at the CMCEnroll tool, but that requires Java which
is not part of the embedded software. This is an embedded flash
rom based system that does not have the memory available. Any
suggestions? I'd hate to have to cave-in to those that want a
Microsoft solution.
Craig Zeller
<czeller(a)sjm.com>
This communication, including any attachments, may contain information that is
proprietary, privileged, confidential or legally exempt from disclosure. If you are not a
named addressee, you are hereby notified that you are not authorized to read, print,
retain a copy of or disseminate any portion of this communication without the consent of
the sender and that doing so may be unlawful. If you have received this communication in
error, please immediately notify the sender via return e-mail and delete it from your
system.
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
10:59 p.m.
Craig Zeller - SysAdmin wrote:
We have been testing pki-ra-1.2.0-2 on Fedora 11 via SSCEP as
a possible solution.
Our problem is that we need to be able to automatically deploy
certificates to thousands of embedded Linux devices, each
equipped with a common initial shared-secret or cert. Each needs
to be able to enroll, recover an initial individual cert based
on the system's serial number, and renew the cert... all over
a dial-up connection.
For initial enrollment, have you tried the bulkissuance tool? You get
the cert auto-approved and returned immediately, provided you have the
authorized agent cert to sign:
http://www.redhat.com/docs/manuals/cert-system/8.0/cli/html/Bulk_Issuance...
You could use certutil to generate csrs.
for renewal, there are different ways, but the easiest way for you is to
re-submit the same request (assuming you saved it).
SSCEP seems to be falling out of the solution based on the
requirement for one-time PINs and manual approval of the requests.
Although the web interface works beautifully, we can't seem
to get SSCEP working.
We've looked at the CMCEnroll tool, but that requires Java which
is not part of the embedded software. This is an embedded flash
rom based system that does not have the memory available. Any
suggestions? I'd hate to have to cave-in to those that want a
Microsoft solution.
Craig Zeller
<czeller(a)sjm.com>
This communication, including any attachments, may contain information that is
proprietary, privileged, confidential or legally exempt from disclosure. If you are not a
named addressee, you are hereby notified that you are not authorized to read, print,
retain a copy of or disseminate any portion of this communication without the consent of
the sender and that doing so may be unlawful. If you have received this communication in
error, please immediately notify the sender via return e-mail and delete it from your
system.
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
5483
days inactive
5483
days old
3 comments
4 participants
participants (4)
-
Arshad Noor -
Christina Fu -
Craig Zeller - SysAdmin -
Dmitri Pal