[Pki-users] Using SCEP

Andrew Wnuk awnuk at redhat.com
Mon Aug 26 20:04:47 UTC 2013 

On 08/21/2013 01:41 AM, Oleg Antonenko wrote:
> Hi Andrew,
> Yes, the story is quite simple.
> We have to issue certificates to Apple iOS and Android devices via SCEP.
>
> For iOS this process - in theory - should be natively supported by iOS, so that would be our first evaluation test.
> For Android we will have to develop a client application which can talk SCEP.
> So once we succeed with iOS devices we'd start developing for Android.
>
> My confusion is probably coming from not fully understanding the CA workflow for issuing certs via SCEP requests.
>
> In the SCEP specification they say that a PKCS#10 request shall be signed by either -
>    - a self-signed cert generated by the requestor itself, or
>    - a cert originally issued by the CA for the requestor - e.g. for reissuance
> Then the pkcs#10 is wrapped in PKCS#7 envelope signed by the CA public key.
>
> So I need to understand how CA would process SCEP requests -
>   - Does it support PKCS#10 req signed by a self-signed cert generated by the requestor?
>   - Does it support PKCS#10 req signed by a cert issued by the CA but not for the requestor exclusively - e.g. a single generic cert issued to e.g. "CN=Device Enrolment, O=Company X" ?
>   - Any alternatives?
I hope that any of the above options would work as long as the request 
signature can be validated.
>
> Thanks a mil,
> Oleg
>
>    
>
> -----Original Message-----
> From: Andrew Wnuk [mailto:awnuk at redhat.com]
> Sent: 20 August 2013 23:38
> To: Oleg Antonenko
> Cc: pki-users at redhat.com
> Subject: Re: [Pki-users] Using SCEP
>
> On 08/20/2013 11:00 AM, Oleg Antonenko wrote:
>> Hi Andrew,
>> Thanks a mil for so speedy response and references.
>>
>> Reading the Automated Enrolment guide I had a thought that Cert Based Auth might work for us.
> Good choice.
>> Here is a line from the guide -
>>
>> "There are other circumstances when it may be useful to use certificate-based authentication for initially requesting a certificate. For example, tokens may be bulk-loaded with generic certificates which are then used to authenticate the users when they enroll for their user certificates..."
>>
>> Do you know if a single generic (or transport) cert could be used for signing SCEP requests for multiple users?
> Transport certificates are used by CA to protect escrowed encryption keys transported to KRA/DRM . I see no relation between transport keys and SCEP. Could you provide more details?
>> If so, I presume we will need both - a transport private key and transport cert for signing requests?
>>
>> Thanks,
>> Oleg
>>
>>
>>
>>
>> -----Original Message-----
>> From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Andrew Wnuk
>> Sent: 20 August 2013 18:15
>> To: pki-users at redhat.com
>> Subject: Re: [Pki-users] Using SCEP
>>
>> SCEP is disabled by default in CA, so you need to enable SCEP first:
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Enrolling_a_Certificate_in_a_Cisco_Router.html#enabling-scep
>>
>> If you want to use SCEP with CA authentication, you need to enable FlatFileAuthentication plug-in:
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Automated_Enrollment.html#Flat_file_Authentication
>>
>> If you want to use SCEP with RA authentication, you need to follow RA's UI to create one time pins for SCEP requests. RA is using SQLite as its repository so no need to create directory entries.
>>
>> I would advise you to use SCEP with CA only as more improvements were provided in this area.
>>
>> Thanks,
>> Andrew
>>
>>
>>
>> On 08/20/2013 07:10 AM, Oleg Antonenko wrote:
>>> Hi!
>>> I'm planning to evaluate Dogtag CA for issuing certs for mobile devices via SCEP.
>>> But before plunging into full blown installation and tests I'd like to understand overall SCEP cert enrolment workflow supported by Dogtag.
>>>
>>> >From the documentation on the web site I've figured out that it is possible to send SCEP requests either to RA or directly to CA.
>>> As I understood in RA mode a user record with one-time PIN/Challenge has to be created in the 389 Directory first, and then a cert can be requested via SCEP.
>>> Is that correct?
>>>
>>> I did not get an impression that I have to do same when sending SCEP requests directly to CA.
>>> Does anyone know if I have to create a user record in the 389 DS before sending a SCEP request to CA directly?
>>>
>>> Thanks in advance,
>>> Oleg
>>>
>>> _______________________________________________
>>> Pki-users mailing list
>>> Pki-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-users
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users

More information about the Pki-users mailing list