Martin Bartosch wrote:
> Hi,
>
> I'd like to discuss some extensions to the SCEP interface that I
> am planning for our local environment that might be useful for
> submission back to the project.

I just read this now, since my spam folder got it in somehow ;)
anyway:

> New SCEP requests are currently always inserted into the database
> with a fixed role of "VPN_SERVER". In addition the RA is not set
> for SCEP requests.
> Currently I have to edit the scepPKIOperation source code to change this
> role, and I would like to make this configurable. This would primarily
> be useful for environments where *new* clients enroll via SCEP.

sure, good idea and shouldn't be too much work.
would there be a separate scep.(xml?) conf file or
do we put it in the general one?

> us!), only *renewal* of an existing certificate, so I would like
> to enforce this on the interface.
> This should be made configurable, too.

see above

> So I think I will extend the SCEP interface in the following way:
> - add a configuration directive that prevents new enrollment via SCEP
>   and only allows renewal, e.g.:
>   ScepAllowEnrollment = YES|NO
>   -> if set to yes, SCEP interface allows new clients to enroll
>   ScepAllowRenewal = YES|NO
>   -> if set to yes, SCEP interface allows enrollment for already existing
>   certs

sounds ok to me. one question: do you plan to put the new ca-rollover
already in the interface, even if openca itself does not support this yet?

> - add a configuration directive that allows to define the default
>   role to use if nothing is known about the requested role
>   ScepDefaultRole = VPN Server
>   -> Use "VPN Server" if this is a new enrollment. For renewal requests,
>   query the database and use the role of the old certificate.
> - add a configuration directive that allows to define the default RA
>   to register the new request at
>   ScepDefaultRA = MyRa

i think they are all useful extensions and configuration options

> new clients for different roles, so it might be desirable to have
> multiple SCEP CGI interfaces configured. Each of these SCEP interfaces
> could use its own config file, making it possible to specify different
> default roles and/or RAs.

is this working for the clients? often you can only specify one path to
the ca/ra... but then what would the configuration look like?
so there will be a scep##.xml per interface?

greetings
dalini
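As an added example (not OpenCA's code and not from the thread): the per-request decision the proposed directives imply, assuming a plain `Key = Value` config file (the thread leaves the format open) and a dictionary standing in for the certificate database; how a request is recognised as a renewal is passed in as a flag.

```python
"""Policy check for the proposed SCEP directives (added example, not OpenCA code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed config for one renewal-only SCEP interface (directive names from the thread).
SCEP_CONF = """
# no new clients may enroll through this interface
ScepAllowEnrollment = NO
ScepAllowRenewal    = YES
ScepDefaultRole     = VPN Server
ScepDefaultRA       = MyRa
"""

# Constructed stand-in for the certificate database: subject DN -> role of the old cert.
EXISTING_CERTS = {
    "CN=gw1.example.test": "VPN Server",
    "CN=web1.example.test": "Web Server",
}

@dataclass
class Decision:
    accepted: bool
    reason: str
    role: Optional[str] = None
    ra: Optional[str] = None

def parse_conf(text):
    """Parse 'Key = Value' lines; '#' starts a comment; keys are case-insensitive."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        conf[key.lower()] = value
    return conf

def _flag(conf, key):
    # Unset directives default to NO, so a missing line never opens the interface.
    return conf.get(key.lower(), "NO").upper() == "YES"

def decide(conf, subject, is_renewal, db=EXISTING_CERTS):
    """Decide whether one SCEP PKIOperation request is accepted, and with which role/RA."""
    ra = conf.get("scepdefaultra")
    if is_renewal:
        if not _flag(conf, "ScepAllowRenewal"):
            return Decision(False, "renewal disabled on this interface")
        if subject not in db:  # claims renewal but nothing on file: reject, do not fall back
            return Decision(False, "no existing certificate for subject")
        return Decision(True, "renewal", db[subject], ra)  # keep the old certificate's role
    if not _flag(conf, "ScepAllowEnrollment"):
        return Decision(False, "new enrollment disabled on this interface")
    return Decision(True, "new enrollment", conf.get("scepdefaultrole", "VPN Server"), ra)
```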
_______________________________________________
OpenCA-Devel mailing list
OpenCA-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-devel