[Pki-users] Dogtag autoenrollment from an embedded Linux device
Christina Fu
cfu at redhat.com
Thu Dec 17 04:59:07 UTC 2009
Craig Zeller - SysAdmin wrote:
> We have been testing pki-ra-1.2.0-2 on Fedora 11 via SSCEP as
> a possible solution.
>
> Our problem is that we need to be able to automatically deploy
> certificates to thousands of embedded Linux devices, each
> equipped with a common initial shared-secret or cert. Each needs
> to be able to enroll, recover an initial individual cert based
> on the system's serial number, and renew the cert... all over
> a dial-up connection.
>
For initial enrollment, have you tried the bulkissuance tool? You get
the cert auto-approved and returned immediately, provided you have the
authorized agent cert to sign:
http://www.redhat.com/docs/manuals/cert-system/8.0/cli/html/Bulk_Issuance_Tool.html
You could use certutil to generate csrs.
for renewal, there are different ways, but the easiest way for you is to
re-submit the same request (assuming you saved it).
> SSCEP seems to be falling out of the solution based on the
> requirement for one-time PINs and manual approval of the requests.
> Although the web interface works beautifully, we can't seem
> to get SSCEP working.
>
> We've looked at the CMCEnroll tool, but that requires Java which
> is not part of the embedded software. This is an embedded flash
> rom based system that does not have the memory available. Any
> suggestions? I'd hate to have to cave-in to those that want a
> Microsoft solution.
>
> Craig Zeller
> <czeller at sjm.com>
>
>
> This communication, including any attachments, may contain information that is proprietary, privileged, confidential or legally exempt from disclosure. If you are not a named addressee, you are hereby notified that you are not authorized to read, print, retain a copy of or disseminate any portion of this communication without the consent of the sender and that doing so may be unlawful. If you have received this communication in error, please immediately notify the sender via return e-mail and delete it from your system.
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
>
More information about the Pki-users
mailing list