<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:10pt"><div><span>Hi Christina,</span></div><div style="color: rgb(0, 0, 0); font-size: 13px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal; background-color: transparent;"><span><br></span></div><div style="color: rgb(0, 0, 0); font-size: 13px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal; background-color: transparent;"><span>Thanks for the reply. I will go through the attached email.</span></div><div style="color: rgb(0, 0, 0); font-size: 13px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal; background-color: transparent;"><span style="background-color: transparent;"><br></span></div><div style="color:
 rgb(0, 0, 0); font-size: 13px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal; background-color: transparent;"><span style="background-color: transparent;">I had another question - I see that Dogtag is supported on Fedora and RHEL. Is it possible to run Dogtag on an Ubuntu host? Has anyone tried it, and are there any thoughts on how to make Dogtag work on Ubuntu?</span><br></div><div style="color: rgb(0, 0, 0); font-size: 13px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal; background-color: transparent;"><span><br></span></div><div style="color: rgb(0, 0, 0); font-size: 13px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-style: normal; background-color: transparent;">Thanks,</div><div style="color: rgb(0, 0, 0); font-size: 13px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica,
 Arial, 'Lucida Grande', sans-serif; font-style: normal; background-color: transparent;">Abha</div> <div class="qtdSeparateBR"><br><br></div><div class="yahoo_quoted" style="display: block;"> <div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 10pt;"> <div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12pt;"> <div dir="ltr"> <font size="2" face="Arial"> On Wednesday, July 2, 2014 7:17 PM, Christina Fu <cfu@redhat.com> wrote:<br> </font> </div>  <br><br> <div class="y_msg_container"><div id="yiv4004245320"><div>
    I have not played with it, at least not for a long long time, but
    you can try out the documentation pointed to from some past
    thread... see attached.<br clear="none">
    <br clear="none">
    Regarding SCEP messages, we do not fully support them, so the answer is
    no, not yet.<br clear="none">
    <br clear="none">
    Christina<br clear="none">
    <br clear="none">
    <div class="yiv4004245320yqt0427215909" id="yiv4004245320yqt77829"><div class="yiv4004245320moz-cite-prefix">On 07/02/2014 11:27 AM, Abha Jain
      wrote:<br clear="none">
    </div>
    <blockquote type="cite">
      <div style="color: rgb(0, 0, 0); font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 10pt; background-color: rgb(255, 255, 255);">
        <div class="yiv4004245320" style="">Hi All,</div>
        <div class="yiv4004245320" style=""><br clear="none" class="yiv4004245320" style="">
        </div>
        <div class="yiv4004245320" style="background-color:transparent;">We are
          looking at using Dogtag CA server with Cisco routers. I had a
          few questions on the support included in Dogtag certificate
          system.</div>
        <div class="yiv4004245320" style="background-color:transparent;"><br clear="none" class="yiv4004245320" style="">
        </div>
        <div class="yiv4004245320" style="background-color:transparent;">I just
          started working on PKI, so please excuse if the questions are
          quite basic.</div>
        <div class="yiv4004245320" style="background-color:transparent;"><br clear="none" class="yiv4004245320" style="">
        </div>
        <div class="yiv4004245320" style="background-color:transparent;">1. The
          Dogtag system is built on top of NSS (Network Security
          Services). Does it have any issues working with Cisco routers
          as clients using SCEP? Would there be any OpenSSL and NSS
          interactions in this case?</div>
        <div class="yiv4004245320" style="background-color:transparent;"><br clear="none" class="yiv4004245320" style="">
        </div>
        <div class="yiv4004245320" style="background-color:transparent;">2. Does
          Dogtag support <span class="yiv4004245320" style="font-size:10pt;">CA
            Certificate rollover? When CA certificate is about to
            expire, CA creates a shadow certificate. All the endpoints
            associated with that CA can then renew their ID certificates
            (this requires support for SCEP Messages such as </span><span class="yiv4004245320" style="font-size:10pt;">GetNextCACert, GetCACaps).</span></div>
        <div class="yiv4004245320" style="font-size:10pt;background-color:transparent;"><span class="yiv4004245320" style="font-size:10pt;"><br clear="none" class="yiv4004245320" style="">
          </span></div>
        <div class="yiv4004245320" style="background-color:transparent;">Thanks in
          advance for your help!</div>
        <div class="yiv4004245320" style="background-color:transparent;">-Abha</div>
        <div class="yiv4004245320" style="background-color:transparent;"> </div>
        <div class="yiv4004245320" style=""><br clear="none" class="yiv4004245320" style="">
        </div>
      </div>
      <br clear="none">
      <fieldset class="yiv4004245320mimeAttachmentHeader"></fieldset>
      <br clear="none">
      <pre>_______________________________________________
Pki-users mailing list
<a rel="nofollow" shape="rect" class="yiv4004245320moz-txt-link-abbreviated" ymailto="mailto:Pki-users@redhat.com" target="_blank" href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a>
<a rel="nofollow" shape="rect" class="yiv4004245320moz-txt-link-freetext" target="_blank" href="https://www.redhat.com/mailman/listinfo/pki-users">https://www.redhat.com/mailman/listinfo/pki-users</a></pre>
    </blockquote></div>
    <br clear="none">
  </div></div><div class="yqt0427215909" id="yqt60014">SCEP is disabled by default in CA, so you need to enable SCEP first:<br clear="none"><a shape="rect" href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Enrolling_a_Certificate_in_a_Cisco_Router.html#enabling-scep" target="_blank">https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Enrolling_a_Certificate_in_a_Cisco_Router.html#enabling-scep</a><br clear="none"><br clear="none">If you want to use SCEP with CA authentication, you need to enable <br clear="none">FlatFileAuthentication plug-in:<br clear="none"><a shape="rect" href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Automated_Enrollment.html#Flat_file_Authentication"
 target="_blank">https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Automated_Enrollment.html#Flat_file_Authentication</a><br clear="none"><br clear="none">If you want to use SCEP with RA authentication, you need to follow RA's <br clear="none">UI to create one time pins for SCEP requests. RA is using SQLite as its <br clear="none">repository so no need to create directory entries.<br clear="none"><br clear="none">I would advise you to use SCEP with CA only as more improvements were <br clear="none">provided in this area.<br clear="none"><br clear="none">Thanks,<br clear="none">Andrew<br clear="none"><br clear="none"><br clear="none"><br clear="none">On 08/20/2013 07:10 AM, Oleg Antonenko wrote:<br clear="none">> Hi!<br clear="none">> I'm planning to evaluate Dogtag CA for issuing certs for mobile devices via SCEP.<br clear="none">> But before plunging into full blown installation and tests I'd
 like to understand overall SCEP cert enrolment workflow supported by Dogtag.<br clear="none">><br clear="none">> From the documentation on the web site I've figured out that it is possible to send SCEP requests either to RA or directly to CA.<br clear="none">> As I understood, in RA mode a user record with one-time PIN/Challenge has to be created in the 389 Directory first, and then a cert can be requested via SCEP.<br clear="none">> Is that correct?<br clear="none">><br clear="none">> I did not get an impression that I have to do the same when sending SCEP requests directly to CA.<br clear="none">> Does anyone know if I have to create a user record in the 389 DS before sending a SCEP request to CA directly?<br clear="none">><br clear="none">> Thanks in advance,<br clear="none">> Oleg<br clear="none">><br clear="none">> _______________________________________________<br clear="none">> Pki-users mailing list<br
 clear="none">> <a shape="rect" ymailto="mailto:Pki-users@redhat.com" href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a><br clear="none">> <a shape="rect" href="https://www.redhat.com/mailman/listinfo/pki-users" target="_blank">https://www.redhat.com/mailman/listinfo/pki-users</a><br clear="none"><br clear="none"></div><br><br></div>  </div> </div>  </div> </div></body></html>