[Pki-users] Dogtag autoenrollment from an embedded Linux device

Arshad Noor arshad.noor at strongauth.com
Thu Dec 17 04:43:07 UTC 2009 

Have you considered using a proxy between your embedded devices
and the PKI?  With such a scheme you can pretty much do anything
you want and shield the devices and the PKI from changes to their
respective interfaces.

A solution such as this (that we deployed last year) works well
for a bio-tech firm that is embedding digital certificates into
"throw-away" consumables with embedded processors.  The proxy
machine is a PC with custom a application responsible for
provisioning certificates to the embedded devices (based on
serial number, lot #, etc.), and bridges the devices to the PKI.

Arshad Noor
StrongAuth, Inc.


Craig Zeller - SysAdmin wrote:
> We have been testing pki-ra-1.2.0-2 on Fedora 11 via SSCEP as
> a possible solution.
> 
> Our problem is that we need to be able to automatically deploy
> certificates to thousands of embedded Linux devices, each 
> equipped with a common initial shared-secret or cert. Each needs
> to be able to enroll, recover an initial individual cert based
> on the system's serial number, and renew the cert... all over
> a dial-up connection.
> 
> SSCEP seems to be falling out of the solution based on the 
> requirement for one-time PINs and manual approval of the requests.
> Although the web interface works beautifully, we can't seem
> to get SSCEP working.
> 
> We've looked at the CMCEnroll tool, but that requires Java which
> is not part of the embedded software. This is an embedded flash
> rom based system that does not have the memory available. Any
> suggestions? I'd hate to have to cave-in to those that want a
> Microsoft solution.
> 
> Craig Zeller
> <czeller at sjm.com>
> 
> 
> This communication, including any attachments, may contain information that is proprietary, privileged, confidential or legally exempt from disclosure.  If you are not a named addressee, you are hereby notified that you are not authorized to read, print, retain a copy of or disseminate any portion of this communication without the consent of the sender and that doing so may be unlawful.  If you have received this communication in error, please immediately notify the sender via return e-mail and delete it from your system.
> 
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users

More information about the Pki-users mailing list