[Pki-users] keygen support in RA

Dmitri Pal dpal at redhat.com
Wed Jun 8 23:27:52 UTC 2011


On 06/08/2011 07:22 PM, Mike Helm wrote:
> Andrew Wnuk writes:
>> On 06/08/2011 02:46 PM, Mike Helm wrote:
>>> Andrew Wnuk writes:
>>>> Will Safari on iPad work in a similar way?
>>> ipad/iphone seems to lack crypto services - there's nothing presented
>>> by <keygen>, & no keys are generated.  I don't find any UI for certificate
>>> management either but I don't know very much about this platform.
>>>
>>> We suspect Apple is going to (or maybe does) support certificates by
>>> generating keys, signing, & pushing to the device.  I'd like to be
>>> wrong about all of this - if we had some certificate UI we could
>>> start supporting this platform in some capacity, which would be very
>>> welcome.  Thanks, ==mwh
>> I saw some references on the net saying that iPad could use SCEP 
>> protocol to deploy certificates.
>> (http://images.apple.com/ipad/business/pdf/iPad_Deployment_Scenarios.pdf)
>> Have you tried this?
> No we haven't but thanks for that tip - will definitely look into this.
>
> My _guess_ at this point is that the platform can't generate the keys,
> it needs to get them from somewhere else.   Having never used SCEP I don't
> know if the ipad platform can use a bare key pair to craft a signed SCEP
> request or not.  Otherwise, I read the page as discussing various methods the ipad
> can use to download a certificate from a smarter one - like your Mac laptop.
> However, the page doesn't seem to distinguish the private key handling from
> cert handling, so....
>
> Hand-me-down certificates fit our working scenarios today but we'll soon have customers that
> want to conduct these transactions directly on their mobile platform.  I think that'll
> mean we have to have a key pair generator or some other trusted service.
>
> Thanks, ==mwh
>
I wonder if certmonger would be useful in this case.
It can request certificates on behalf of other constituents.
It definitely works with IPA but it might not work with raw Dogtag.
Would you consider evaluating this approach?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
