From WilliamC.Elliott at s-itsolutions.at Thu Feb 28 06:56:06 2013
From: WilliamC.Elliott at s-itsolutions.at (Elliott William C OSS sIT)
Date: Thu, 28 Feb 2013 06:56:06 +0000
Subject: [Pki-users] SCEP Support
Message-ID: <85C87A9995875247B2DD471950E0AE4D1B3DBC0F@M0182.s-mxs.net>

Hello,

We currently use SCEP for Cisco Routers with a RedHat CS.
However as far as we can tell, "CA Key Rollover" is not implemented. Furthermore, we can't find any indication that it's implemented in Dogtag 9 or 10.

Could anyone confirm this?
Does anyone work around this problem?

As far as we can see, few or no CA SW supports this, aside from the IOS CA from Cisco. The SCEP RFC says that the other two PKIX standards for certificate management are superior to SCEP, which has deficiencies, and is quasi-deprecated.
Therefore my assumption is, that no one (other than Cisco) plans to invest any effort in expanding SCEP support in Dogtag or any other open source CA software.

Best regards,
William Elliott

From nkinder at redhat.com Thu Feb 28 16:11:16 2013
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 28 Feb 2013 08:11:16 -0800
Subject: [Pki-users] SCEP Support
In-Reply-To: <85C87A9995875247B2DD471950E0AE4D1B3DBC0F@M0182.s-mxs.net>
References: <85C87A9995875247B2DD471950E0AE4D1B3DBC0F@M0182.s-mxs.net>
Message-ID: <512F81A4.6040401@redhat.com>

On 02/27/2013 10:56 PM, Elliott William C OSS sIT wrote:
> Hello,
>
> We currently use SCEP for Cisco Routers with a RedHat CS.
> However as far as we can tell, "CA Key Rollover" is not implemented. Furthermore, we can't find any indication that it's implemented in Dogtag 9 or 10.
>
> Could anyone confirm this?
> Does anyone work around this problem?
>
> As far as we can see, few or no CA SW supports this, aside from the IOS CA from Cisco. The SCEP RFC says that the other two PKIX standards for certificate management are superior to SCEP, which has deficiencies, and is quasi-deprecated.
> Therefore my assumption is, that no one (other than Cisco) plans to invest any effort in expanding SCEP support in Dogtag or any other open source CA software.

We are actually planning on going through our existing SCEP functionality to see what else from the Internet Draft should be implemented in Dogtag 10.1. In addition, we have a few smaller tickets related to SCEP in our Trac instance that we plan to look at (details at https://fedorahosted.org/pki/). We are not sure that we will be targeting "CA Key Rollover" specifically any time soon, as we want to see if there are more common SCEP use cases that should be targeted first.

Is it specifically "CA Key Rollover" you are interested in using, or is there anything else from the SCEP Internet Draft that you have a use case for as well?

Thanks,
-NGK

>
> Best regards,
> William Elliott