On 2022-11-17 14:55, Rob Crittenden via FreeIPA-users wrote:
Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:


On 17 Nov 2022, at 10:15, Alexander Bokovoy <aboko...@redhat.com> wrote:

On Thu, 17 Nov 2022, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
Hi,

I am trying to find good documentation on SCEP and FreeIPA, but I cannot find anything that seems up to date or conclusive.

Does FreeIPA support SCEP out of the box, or does it need some hacking to do so?

And does it support other types of certificate enrolment besides its own api/client?



Thanks a lot for a very explanatory answer as usual, Alexander.

It really depends on what you are asking for: FreeIPA as an integrated
CA or FreeIPA as a consumer of some other CA.

I was thinking more as FreeIPA and its own CA.

As a consumer of some other CAs, certmonger supports requesting
certificates through SCEP. See certmonger-scep-submit(8) man page and
/usr/share/doc/certmonger/scep.txt for details.

FreeIPA integrated CA does not support SCEP itself. Well, Dogtag PKI
does have support for SCEP responder but it is not configured by default
and is not supported in IPA frontend that does verification of the
request.

Yes, I guess that this is what some of the documents I’ve seen around say.

FreeIPA integrated CA supports ACME protocol (same as Let's Encrypt).
Would using ACME be a better option?

I was thinking of trying to use FreeIPA with some MDM solutions, and the one I am trying (Workspace ONE) does not support ACME, unfortunately.

I think the dogtag SCEP server might be difficult to use in automation.

It uses a flat authentication file consisting of the remote IP address
and PIN, probably making it difficult for mobile devices which don't use
static addresses. Creating some sort of middle-man service that updates
the file and returns the PIN to use would be a security target.


Thanks Rob. I think most people would use a proxy anyway, since the PKI usually is on prem and secluded, while the clients can be anywhere - but I might be wrong.

Best,

Francis
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue