[Pki-users] Using SCEP
Andrew Wnuk
awnuk at redhat.com
Tue Aug 20 17:14:40 UTC 2013
SCEP is disabled by default in CA, so you need to enable SCEP first:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Enrolling_a_Certificate_in_a_Cisco_Router.html#enabling-scep
If you want to use SCEP with CA authentication, you need to enable
FlatFileAuthentication plug-in:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Certificate_System/8.1/html/Admin_Guide/Automated_Enrollment.html#Flat_file_Authentication
If you want to use SCEP with RA authentication, you need to follow RA's
UI to create one time pins for SCEP requests. RA is using SQLite as its
repository so no need to create directory entries.
I would advise you to use SCEP with CA only as more improvements were
provided in this area.
Thanks,
Andrew
On 08/20/2013 07:10 AM, Oleg Antonenko wrote:
> Hi!
> I'm planning to evaluate Dogtag CA for issuing certs for mobile devices via SCEP.
> But before plunging into full blown installation and tests I'd like to understand overall SCEP cert enrolment workflow supported by Dogtag.
>
> >From the documentation on the web site I've figured out that it is possible to send SCEP requests either to RA or directly to CA.
> As I understood in RA mode a user record with one-time PIN/Challenge has to be created in the 389 Directory first, and then a cert can be requested via SCEP.
> Is that correct?
>
> I did not get an impression that I have to do same when sending SCEP requests directly to CA.
> Does anyone know if I have to create a user record in the 389 DS before sending a SCEP request to CA directly?
>
> Thanks in advance,
> Oleg
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
More information about the Pki-users
mailing list