Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:

>> On 17 Nov 2022, at 10:15, Alexander Bokovoy <[email protected]> wrote:
>>
>> On Thu, 17 Nov 2022, Francis Augusto Medeiros-Logeay via FreeIPA-users
>> wrote:
>>> Hi,
>>>
>>> I try to find good documentation on SCEP and FreeIPA, but I cannot find
>>> something that seems updated nor conclusive.
>>>
>>> Does FreeIPA support SCEP out of the box, or does it need some hacking to
>>> do so?
>>>
>>> And does it support other types of certificate enrolment besides its own
>>> api/client?
>
> Thanks a lot for a very explanatory answer as usual, Alexander.
>
>> It really depends on what you are asking for: FreeIPA as an integrated
>> CA or FreeIPA as a consumer of some other CA.
>
> I was thinking more as FreeIPA and its own CA.
>
>> As a consumer of some other CAs, certmonger supports requesting
>> certificates through SCEP. See certmonger-scep-submit(8) man page and
>> /usr/share/doc/certmonger/scep.txt for details.
>>
>> FreeIPA integrated CA does not support SCEP itself. Well, Dogtag PKI
>> does have support for SCEP responder but it is not configured by default
>> and is not supported in IPA frontend that does verification of the
>> request.
>
> Yes, I guess that this is what some of the documents I've seen around say.
>
>> FreeIPA integrated CA supports ACME protocol (same as Let's Encrypt).
>> Would using ACME be a better option?
>
> I was thinking of trying to use FreeIPA with some MDM solutions, and the one
> I am trying (Workspace ONE) does not support ACME, unfortunately.
I think the dogtag SCEP server might be difficult to use in automation. It uses a flat authentication file consisting of the remote IP address and PIN, probably making it difficult for mobile devices which don't use static addresses. Creating some sort of middle-man service that updates the file and returns the PIN to use would be a security target.

rob

_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
