[Pki-users] SCEP Support

Elliott William C OSS sIT WilliamC.Elliott at s-itsolutions.at
Mon Mar 4 08:56:37 UTC 2013



-----Original Message-----
From: pki-users-bounces at redhat.com [mailto:pki-users-bounces at redhat.com] On Behalf Of Nathan Kinder
Sent: Donnerstag, 28. Februar 2013 17:11
To: pki-users at redhat.com
Subject: Re: [Pki-users] SCEP Support

On 02/27/2013 10:56 PM, Elliott William C OSS sIT wrote:
> Hello,
>
> We currently use SCEP for Cisco Routers with a RedHat CS.
> However, as far as we can tell, "CA Key Rollover" is not implemented. Furthermore, we can't find any indication that it's implemented in Dogtag 9 or 10.
>
> Could anyone confirm this?
> Does anyone work around this problem?
>
> As far as we can see, few or no CA SW supports this, aside from the IOS CA from Cisco. The SCEP RFC says that the other two PKIX standards for certificate management are superior to SCEP, which has deficiencies, and is quasi-deprecated. Therefore my assumption is that no one (other than Cisco) plans to invest any effort in expanding SCEP support in Dogtag or any other open-source CA software.
We are actually planning on going through our existing SCEP 
functionality to see what else from the Internet Draft should be 
implemented in Dogtag 10.1.  In addition, we have a few smaller tickets 
related to SCEP in our Trac instance that we plan to look at (details at 
https://fedorahosted.org/pki/).

We are not sure that we will be targeting "CA Key Rollover" specifically 
any time soon, as we want to see if there are more common SCEP use cases 
that should be targeted first.  Is it specifically "CA Key Rollover" you 
are interested in using, or is there anything else from the SCEP 
Internet Draft that you have a use case for as well?

[Elliott William OSS sIT] 
We use a relatively short-lived CA (because of the depth of our PKI hierarchy) which requires CA certificate renewal after about 2-3 years. Furthermore, there are over a thousand clients. Therefore the automatic renewal of the CA certificate on the clients is practically a must-have for us (network managers want to ditch Dogtag for IOS CA if they have to manually update all clients).

As far as I can see, GetCACaps and GetNextCACert are the minimum that are needed for CA rollover - maybe more.

Btw, the REST features look cool with v10.0.

Best regards,
Bill Elliott

Thanks,
-NGK
>
> Best regards,
>      William Elliott
>
>
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

_______________________________________________
Pki-users mailing list
Pki-users at redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
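The client-side machinery Bill's message asks for (query GetCACaps, then poll GetNextCACert once the current CA approaches expiry), as an added example in Python; this is not code from Dogtag, Cisco IOS or anyone on this thread. The endpoint URL, the CA identifier, the 90-day lead time and the sample GetCACaps body are illustrative assumptions. It uses only the standard library and deliberately stops short of the CMS signature check on the GetNextCACert response, which has to be done with the current CA certificate before any of the plausibility checks below mean anything.

```python
"""Client-side SCEP CA rollover helpers (added example, not Dogtag code).

Assumptions: the SCEP base URL, CA identifier, lead time and the sample
GetCACaps body below are made up for illustration.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

DAY = timedelta(days=1)
# Content type a GetNextCACert response is expected to carry.
NEXT_CA_CONTENT_TYPE = "application/x-x509-next-ca-cert"


def utc(year, month, day):
    """Timezone-aware UTC timestamp, so comparisons never mix naive/aware values."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_ca_caps(body):
    """Parse a text/plain GetCACaps body: one capability keyword per line.

    Servers differ on CRLF vs LF and trailing blank lines; strip whitespace and
    skip empties. Unknown keywords are kept so callers can log them.
    """
    caps = set()
    for line in body.decode("ascii", errors="replace").splitlines():
        word = line.strip()
        if word:
            caps.add(word)
    return caps


def scep_url(base, operation, message=None):
    """Build a SCEP GET URL. The CA identifier goes in 'message' and is
    URL-encoded so spaces or '&' in a CA name cannot corrupt the query."""
    params = [("operation", operation)]
    if message is not None:
        params.append(("message", message))
    return base + "?" + urlencode(params)


def rollover_action(caps, now, current_not_after, lead_time):
    """Decide what the client does at `now`, given the current CA's expiry.

    'expired': the current CA cert can no longer verify a GetNextCACert
               response, so only an out-of-band trust install remains.
    'manual' : GetNextCACert not advertised; an operator must push the new
               CA cert to every client (the situation the thread describes).
    'fetch'  : within lead_time of expiry; poll GetNextCACert now.
    'wait'   : rollover supported but too early to fetch.
    """
    if now >= current_not_after:
        return "expired"
    if "GetNextCACert" not in caps:
        return "manual"
    if current_not_after - now <= lead_time:
        return "fetch"
    return "wait"


def next_ca_acceptable(content_type, current_not_after, next_not_before, next_not_after):
    """Plausibility checks on a GetNextCACert response. They run only AFTER the
    response's CMS signature has been verified against the current CA cert;
    that signature is the security control, these catch misconfiguration.
    Returns (ok, reason)."""
    if content_type.split(";")[0].strip().lower() != NEXT_CA_CONTENT_TYPE:
        return False, "unexpected Content-Type"
    if next_not_before > current_not_after:
        return False, "gap: new CA becomes valid only after the current one expires"
    if next_not_after <= current_not_after:
        return False, "new CA expires no later than the current one"
    return True, "ok"


if __name__ == "__main__":
    # Constructed GetCACaps reply (CRLF separated, trailing blank line).
    sample_caps = b"POSTPKIOperation\r\nGetNextCACert\r\nSHA-256\r\n\r\n"
    caps = parse_ca_caps(sample_caps)
    expiry = utc(2015, 12, 31)          # current sub-CA NotAfter (assumed)
    for when in (utc(2013, 3, 4), utc(2015, 11, 1), utc(2016, 1, 1)):
        print(when.date(), rollover_action(caps, when, expiry, 90 * DAY))
    print(scep_url("http://ca.example.net/ca/cgi-bin/pkiclient.exe",
                   "GetNextCACert", "Sub CA 1"))
    print(next_ca_acceptable(NEXT_CA_CONTENT_TYPE, expiry,
                             utc(2015, 10, 1), utc(2018, 12, 31)))
```

Two caveats worth keeping in mind with this: GetCACaps is an unauthenticated plaintext query, so an on-path attacker can remove GetNextCACert from the reply; treat a missing keyword as "fall back to operator action", not as proof that the server cannot roll over. And the new CA certificate is only trustworthy because the GetNextCACert response is signed with the current CA key, which is exactly why the client must fetch it before the current certificate expires; after expiry, the only remaining option is the manual trust install on every client that Bill wants to avoid.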
