[Pki-users] Using SCEP

Andrew Wnuk awnuk at redhat.com
Mon Aug 26 20:24:14 UTC 2013


On 08/21/2013 12:32 PM, Alexander Jung wrote:
> Hi,
>
> we gathered some experience using SCEP and Dogtag. To be a little more 
> precise, we are issuing certs to Cisco routers by the thousands (the 
> whole sales force needs these...)
>
> The current implementation works, but leaves still some space for 
> improvement :-)
>
> Your client initially needs a password that must be known to the CA in 
> the flat-file auth file used for your SCEP profile. The CA has a simple 
> (more of an example) application to request such a password; we tied it to 
> our order system to further authenticate those requests.
>
> When your CA certificate (or the certificate you are using for SCEP) 
> sits in an HSM, you'll need quite an extension to the existing code, 
> as the current code will not be able to decrypt the requests (in this 
> case due to Cisco's error - but we have to serve our clients...)
>
> The flat-file auth module still has a longstanding bug (from the 
> iPlanet days of the Dogtag code) that prevents it from working with other 
> tag names than the default ones; easy to fix, but hair-tearing when 
> you debug it. (See 
> https://www.redhat.com/archives/pki-devel/2009-February/msg00000.html 
> for details)
>
> The Cisco client still complains about some operations not being 
> implemented, but works after those modifications.
>
> Yours,
>
> Alexander

Hi Alexander,

Thank you for the detailed description. Could you open tickets 
<https://fedorahosted.org/pki/report> or bugs 
<https://bugzilla.redhat.com/> describing the above issues? This would really 
help us clean them up.

Thanks,
Andrew
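
Added example, not part of Alexander's or Andrew's message and not Dogtag's own code: a small Python sketch of the challenge-password workflow Alexander describes, with a per-device one-time password kept in a flat-file auth store, a constant-time check of what the SCEP client presents, and removal of the record after use so the password cannot be replayed. The key and password tag names are parameters, so the behaviour with non-default tags can be exercised without reading the plugin source. It assumes the record layout (blank-line separated blocks of `TAG: value` lines, default tags UID and PWD); check that against your own flat file before relying on it. Device IDs and passwords below are constructed.

```python
# Added example: per-device SCEP challenge passwords in a flat-file auth store.
# ASSUMPTION: records are blank-line separated blocks of "TAG: value" lines,
# with configurable key/password tag names (defaults UID/PWD). Verify the
# layout against your own installation's flat file before using this.
import hmac
import secrets

DEFAULT_KEY_TAG = "UID"  # tag that names the enrolling device
DEFAULT_PWD_TAG = "PWD"  # tag that carries the one-time challenge password


def parse_flatfile(text, key_tag=DEFAULT_KEY_TAG, pwd_tag=DEFAULT_PWD_TAG):
    """Return {device_id: password} for every complete record in `text`.

    Records are separated by blank lines; '#' lines are comments. A record
    missing either tag is skipped, so a mis-spelled tag name shows up as
    "no records" instead of a silent match.
    """
    records = {}
    current = {}
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last record
        line = raw.strip()
        if not line:
            if key_tag in current and pwd_tag in current:
                records[current[key_tag]] = current[pwd_tag]
            current = {}
            continue
        if line.startswith("#"):
            continue
        tag, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed flat-file line: {raw!r}")
        current[tag.strip()] = value.strip()
    return records


def new_challenge(nbytes=16):
    """Fresh random one-time password (URL-safe alphabet: no whitespace or colons)."""
    return secrets.token_urlsafe(nbytes)


def add_record(text, device_id, password,
               key_tag=DEFAULT_KEY_TAG, pwd_tag=DEFAULT_PWD_TAG):
    """Append a record for `device_id` and return the new file contents."""
    for field in (device_id, password):
        if not field.strip() or "\n" in field or "\r" in field:
            raise ValueError("field would corrupt the record layout")
    if device_id in parse_flatfile(text, key_tag, pwd_tag):
        raise ValueError(f"{device_id} already has an outstanding challenge")
    if text and not text.endswith("\n\n"):
        text = text.rstrip("\n") + "\n\n"
    return text + f"{key_tag}: {device_id}\n{pwd_tag}: {password}\n\n"


def check_challenge(text, device_id, presented,
                    key_tag=DEFAULT_KEY_TAG, pwd_tag=DEFAULT_PWD_TAG):
    """Constant-time comparison of the challenge password the client presented."""
    expected = parse_flatfile(text, key_tag, pwd_tag).get(device_id)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), presented.encode())


def consume(text, device_id, key_tag=DEFAULT_KEY_TAG, pwd_tag=DEFAULT_PWD_TAG):
    """Rewrite the store without `device_id` so its password is one-time.

    Comment lines are not preserved; only complete records survive.
    """
    kept = parse_flatfile(text, key_tag, pwd_tag)
    kept.pop(device_id, None)
    out = ""
    for dev, pw in kept.items():
        out = add_record(out, dev, pw, key_tag, pwd_tag)
    return out


if __name__ == "__main__":
    store = add_record("", "rtr-0001", new_challenge())
    pw = parse_flatfile(store)["rtr-0001"]
    print(store)
    print("first use accepted:", check_challenge(store, "rtr-0001", pw))
    store = consume(store, "rtr-0001")
    print("replay accepted:", check_challenge(store, "rtr-0001", pw))
```

In a deployment the order system would call `add_record` when a router is provisioned and the CA-side hook would call `check_challenge` followed by `consume`; the store returned by these functions is what you would write back to the flat file.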
