[Pki-users] SCEP Question

Erwin Himawan ehimawan at gmail.com
Thu Mar 25 23:25:49 UTC 2010


Hi All,

Has someone confirmed that dogtag can be configured such that a SCEP request
from a router is approved manually by an agent at the CA or RA?

The following are the steps I do to test this scenario:
1. In the CA, I create a profile, called router profile.
2. This router profile is similar to the caRouterCert profile.
3. In this profile, I disable the visibility such that this profile is not
visible in the CA's end-entity web page.
4. The profile's Certificate Profile Authentication field is left empty,
implying that the request will be handled by the CA agent.
5. I am using Simple SCEP as my SCEP client.
6. At the sscep client, I generate a CSR using mkrequest.  During CSR
generation using mkrequest, I did not include a PIN (or challenge-response
PIN), since I did not ask the RA to generate a PIN for me.  The reason is, I
would like the agent to manually approve the request.
7. Using sscep enroll, I made the SCEP client send a SCEP enroll request to the CA:
    ./sscep enroll -c ca.crt -k local.key -r local.csr -l local.crt -u
http://ca.fqdn:9180/ca/cgi-bin/pkiclient.exe
8. I turned on sscep debug and verbose.  From this debug and verbose output,
I observed that the SCEP client sends HTTP GET
/ca/cgi-bin/pkiclient.exe?operation=PKIOperation&message=MIIH3A.................
9. Also from the sscep debug message, I noticed that the CA responds with
status code 200.  The CA sends a PKCS7 payload.
10. Inside the payload is the router certificate.

My question is: why does the CA not queue this request for agent approval?

Thanks in advance,
Erwin
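As an added example (not part of Erwin's message, and not dogtag or sscep code), a small Python parser that pulls the SCEP pkiStatus and failInfo attributes out of the signed attributes of a PKIOperation response, so a client or an auditor can tell an immediate SUCCESS (certificate issued, as observed in steps 9 and 10) from a PENDING (request held for manual approval). It assumes definite-length DER, and the two sample attribute sets at the bottom are constructed here rather than captured from a CA.

```python
"""Read pkiStatus / failInfo from the signed attributes of a SCEP PKIOperation response (DER)."""
# SCEP attribute OIDs 2.16.840.1.113733.1.9.3 (pkiStatus) and .9.4 (failInfo) as DER content octets
OID_PKI_STATUS = bytes.fromhex("60864801" "86f84501" "0903")
OID_FAIL_INFO = bytes.fromhex("60864801" "86f84501" "0904")
NAMES = {OID_PKI_STATUS: ("pkiStatus", {"0": "SUCCESS", "2": "FAILURE", "3": "PENDING"}),
         OID_FAIL_INFO: ("failInfo", {"0": "badAlg", "1": "badMessageCheck", "2": "badRequest",
                                      "3": "badTime", "4": "badCertId"})}
def der_tlv(data, pos):
    """Parse one definite-length DER TLV at pos; returns (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length (BER) not supported")
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def walk(data):
    """Yield (tag, value) for every TLV, depth first, descending into constructed types (bit 0x20)."""
    pos = 0
    while pos < len(data):
        tag, value, pos = der_tlv(data, pos)
        yield tag, value
        if tag & 0x20:
            yield from walk(value)

def scep_status(der):
    """Map Attribute { OID, SET { PrintableString } } pairs to names: SUCCESS = issued at once, PENDING = queued."""
    out = {}
    for tag, value in walk(der):
        if tag != 0x30 or len(value) < 2:
            continue
        t_oid, oid, p = der_tlv(value, 0)
        if t_oid != 0x06 or oid not in NAMES or p >= len(value):
            continue
        t_set, set_body, _ = der_tlv(value, p)
        if t_set == 0x31 and len(set_body) >= 2 and set_body[0] == 0x13:
            name, table = NAMES[oid]
            code = der_tlv(set_body, 0)[1].decode("ascii")
            out[name] = table.get(code, code)
    return out
def _tlv(tag, body):
    """DER-encode one short TLV (body under 128 octets); used only for the constructed samples."""
    return bytes([tag, len(body)]) + body
def _attr(oid, text):
    return _tlv(0x30, _tlv(0x06, oid) + _tlv(0x31, _tlv(0x13, text.encode("ascii"))))
# Constructed stand-ins for a response's signedAttrs ([0] IMPLICIT SET OF Attribute), not real CA output
SAMPLE_PENDING = _tlv(0xA0, _attr(OID_PKI_STATUS, "3"))
SAMPLE_FAILURE = _tlv(0xA0, _attr(OID_PKI_STATUS, "2") + _attr(OID_FAIL_INFO, "2"))
```

In SCEP a request held for manual approval is answered with PENDING and the client keeps polling with GetCertInitial, so a certificate delivered under a SUCCESS status means the CA issued without queueing.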