Hi,

I'd like to discuss some extensions to the SCEP interface that I
am planning for our local environment that might be useful for
submission back to the project.

New SCEP requests are currently always inserted into the database
with a fixed role of "VPN_SERVER". In addition the RA is not set
for SCEP requests.
Currently I have to edit the scepPKIOperation source code to change this
role, and I would like to make this configurable. This would primarily
be useful for environments where *new* clients enroll via SCEP.

In our environment we have SCEP clients that require more than
one certificate profile.
In addition, *new* client enrollment shall *not* work via SCEP (for
us!), only *renewal* of an existing certificate, so I would like
to enforce this on the interface.
This should be made configurable, too.

When performing a renewal, it seems sensible to fetch the old
certificate's data from the database and base the new request on
the old data, in particular the certificate's role and the RA to enroll
on.

So I think I will extend the SCEP interface in the following way:

- add a configuration directive that prevents new enrollment via SCEP
  and only allows renewal, e.g.:

ScepAllowEnrollment = YES|NO
 -> if set to yes, SCEP interface allows new clients to enroll
ScepAllowRenewal    = YES|NO
 -> if set to yes, SCEP interface allows enrollment for already existing
    certs

- add a configuration directive that allows defining the default
  role to use if nothing is known about the requested role

ScepDefaultRole = VPN Server
 -> Use "VPN Server" if this is a new enrollment. For renewal requests,
    query the database and use the role of the old certificate.

- add a configuration directive that allows defining the default RA
  to register the new request at

ScepDefaultRA   = MyRa

For some setups it may be required to allow *new* enrollment of
new clients for different roles, so it might be desirable to have
multiple SCEP CGI interfaces configured. Each of these SCEP interfaces
could use its own config file, making it possible to specify different
default roles and/or RAs.
Comments, anyone?

Martin
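Added example (not code from the mail or from OpenCA): a small policy check that applies the proposed directives. It parses the "Key = Value" lines from the mail, looks the PKCS#10 subject up in a stand-in for the CA database, and returns whether the request is a new enrollment, a renewal, or rejected, with the role and RA taken from the old certificate on renewal and from the defaults otherwise. The config keys are the ones from the mail; the database layout, the SAMPLE_* data and the function names are assumptions made for this example.

```python
# Added example (not OpenCA's own code): enrollment/renewal policy for a
# SCEP front end, following the directives proposed in the mail.
# Config keys follow the mail; the database layout, SAMPLE_* data and
# helper names are constructed for this example.

from typing import Dict, Optional, Tuple

# Constructed sample config in the "Key = Value" shape used in the mail:
# a renewal-only setup where no new clients may enroll via SCEP.
SAMPLE_CONFIG = """
# renewal-only: new clients must not enroll via SCEP
ScepAllowEnrollment = NO
ScepAllowRenewal    = YES
ScepDefaultRole     = VPN Server
ScepDefaultRA       = MyRa
"""

# Constructed stand-in for the CA database: subject DN -> data of the
# certificate currently issued to it (its role and the RA it enrolled at).
SAMPLE_DB: Dict[str, Dict[str, str]] = {
    "CN=vpn-gw1.example.net": {"role": "VPN Server", "ra": "MyRa"},
    "CN=mail1.example.net": {"role": "Mail Server", "ra": "OtherRa"},
}


def parse_scep_config(text: str) -> Dict[str, str]:
    """Parse "Key = Value" lines; blank lines and '#' comments are skipped."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def _yes(cfg: Dict[str, str], key: str) -> bool:
    """YES|NO directive; a missing key or anything but YES counts as NO (fail closed)."""
    return cfg.get(key, "NO").strip().upper() == "YES"


def decide_scep_request(
    cfg: Dict[str, str], subject: str, db: Dict[str, Dict[str, str]]
) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (decision, role, ra) for a PKCS#10 subject arriving via SCEP.

    decision is "enroll", "renew" or "reject". A request counts as a
    renewal when the subject already has a certificate in the database;
    role and RA are then taken from that certificate, not from the defaults.
    """
    old = db.get(subject)
    if old is None:
        # new client: only if ScepAllowEnrollment = YES
        if not _yes(cfg, "ScepAllowEnrollment"):
            return ("reject", None, None)
        # without ScepDefaultRole fall back to the role the current code hard-wires
        return ("enroll", cfg.get("ScepDefaultRole", "VPN_SERVER"), cfg.get("ScepDefaultRA"))
    # existing certificate: only if ScepAllowRenewal = YES
    if not _yes(cfg, "ScepAllowRenewal"):
        return ("reject", None, None)
    return ("renew", old["role"], old["ra"])


if __name__ == "__main__":
    cfg = parse_scep_config(SAMPLE_CONFIG)
    for subj in ("CN=vpn-gw1.example.net", "CN=new-box.example.net"):
        print(subj, "->", decide_scep_request(cfg, subj, SAMPLE_DB))
```

The lookup keyed on the subject DN alone is a simplification; a real SCEP front end would also check that the renewal request was signed with the old certificate before trusting its role and RA.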

_______________________________________________
OpenCA-Devel mailing list
OpenCA-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-devel
