[Pki-users] Dogtag autoenrollment from an embedded Linux device

Dmitri Pal dpal at redhat.com
Thu Dec 17 04:26:58 UTC 2009


Craig Zeller - SysAdmin wrote:
> We have been testing pki-ra-1.2.0-2 on Fedora 11 via SSCEP as
> a possible solution.
>
> Our problem is that we need to be able to automatically deploy
> certificates to thousands of embedded Linux devices, each 
> equipped with a common initial shared-secret or cert. Each needs
> to be able to enroll, recover an initial individual cert based
> on the system's serial number, and renew the cert... all over
> a dial-up connection.
>
> SSCEP seems to be falling out of the solution based on the 
> requirement for one-time PINs and manual approval of the requests.
> Although the web interface works beautifully, we can't seem
> to get SSCEP working.
>
> We've looked at the CMCEnroll tool, but that requires Java which
> is not part of the embedded software. This is an embedded flash
> rom based system that does not have the memory available. Any
> suggestions? I'd hate to have to cave in to those that want a
> Microsoft solution.
>
> Craig Zeller
> <czeller at sjm.com>
>
Hi,

Will that help as a client?
https://fedorahosted.org/certmonger/

It will work with IPA v2 which in turn will embed CA&RA and would not
require manual approval.
Community release of IPA v2 has now shifted to the beginning of next year.
You can read about IPA on www.freeIPA.org.
If it does not come up please try again a day later. There are some DNS
issues being sorted out. The site just moved from one place into another
and is not fully back online but we expect it to get online any day.

-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

