Hi, quick update: I have a local version of scepPKIOperation that implements a lot of the stuff I mentioned in the post and works fine for me. It also includes some debugging code and I cleaned it up a bit. I won't commit it to CVS yet, because I am not yet done with it.
I attach the current version to this mail. It replaces the same file from the lib/cmds directory.

Additional config settings required in etc/servers/scep.conf:

--------
# 2005-01-24 MB - local configuration
# Set to "YES" if you want to allow initial enrollment via SCEP
ScepAllowEnrollment "YES"
# Set to "YES" if you want to allow renewal via SCEP
ScepAllowRenewal "YES"
ScepDefaultRole "VPN Server"
ScepDefaultRA "RA"
# If an existing cert was found in the DB whose portion of the DN
# specified here matches the incoming request, use the archived
# role and RA for the renewal request.
# In this example only the CN of the incoming request is matched.
# Depends on your installation and is only useful if the CN is unique.
# If you want a more specific match, you might want to use "CN, OU, O, C"
# or similar here.
ScepRenewalRDNMatch "CN"
---------

>> Currently I have to edit the scepPKIOperation source code to change this
>> role, and I would like to make this configurable. This would primarily
>> be useful for environments where *new* clients enroll via SCEP.
>>
> sure, good idea and shouldn't be too much work
> would there be a separate scep.(xml?) conf file or
> do we put it in the general?

scep.conf.

>> ScepAllowEnrollment = YES|NO
>> -> if set to yes, SCEP interface allows new clients to enroll
>> ScepAllowRenewal = YES|NO
>> -> if set to yes, SCEP interface allows enrollment for already existing
>> certs
> sounds ok for me, one question, do you plan to put the new ca-rollover
> already in the interface, even if openca itself does not support this yet?

No, for the new stuff we will have to redo the scep interface. Renewal in this context is client renewal only, not CA rollover.

>> new clients for different roles, so it might be desirable to have
>> multiple SCEP CGI interfaces configured. Each of these SCEP interfaces
>> could use its own config file, making it possible to specify different
>> default roles and/or RAs.
> is this working for the clients? often you can only specify one path to
> the ca/ra... but then how would the configuration look like?
>
> so there will be a scep##.xml per interface?

Don't know yet. I thought about different SCEP frontends with distinct config files, but I currently do not need it yet. The clients would have to use different URLs to select "their" interface, of course.

Comments on the attached files are welcome.

Disclaimer: work in progress, not finished, may contain bugs etc. etc.

Martin
Attachment: scepPKIOperation (binary data)
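An added illustrative model of the decision the scep.conf settings above describe; it is not code from OpenCA or from the attached scepPKIOperation. A request whose DN agrees with an archived cert on every RDN type listed in ScepRenewalRDNMatch is treated as a renewal and reuses the archived role and RA; anything else is a new enrollment with ScepDefaultRole/ScepDefaultRA, each path gated by its Allow switch. The config parser, the DN string format and the rule that an unmatched request falls back to enrollment are assumptions of this example.

```python
# Constructed scep.conf fragment using the settings from the mail.
SCEP_CONF = """
ScepAllowEnrollment "YES"
ScepAllowRenewal "YES"
ScepDefaultRole "VPN Server"
ScepDefaultRA "RA"
ScepRenewalRDNMatch "CN, OU, O, C"
"""

def parse_conf(text):
    """Parse 'Key "value"' lines; '#' starts a comment (assumed syntax)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf[key] = value.strip().strip('"')
    return conf

def parse_dn(dn):
    """Split 'CN=x, OU=y, ...' into {TYPE: value}; first occurrence wins."""
    attrs = {}
    for part in dn.split(","):
        k, _, v = part.strip().partition("=")
        attrs.setdefault(k.strip().upper(), v.strip())
    return attrs

def rdn_match(conf, request_dn, archived_dn):
    """True if every type in ScepRenewalRDNMatch is present in the request
    and has the same value in the archived cert's DN."""
    wanted = [t.strip().upper() for t in conf["ScepRenewalRDNMatch"].split(",")]
    req, arc = parse_dn(request_dn), parse_dn(archived_dn)
    return all(t in req and req[t] == arc.get(t) for t in wanted)

def decide(conf, request_dn, archived):
    """archived: list of (dn, role, ra) for certs already in the DB.
    Returns (path, role, ra) with path 'renewal', 'enrollment' or 'reject'."""
    for dn, role, ra in archived:
        if rdn_match(conf, request_dn, dn):
            if conf.get("ScepAllowRenewal") == "YES":
                return ("renewal", role, ra)
            return ("reject", None, None)
    if conf.get("ScepAllowEnrollment") == "YES":
        return ("enrollment", conf["ScepDefaultRole"], conf["ScepDefaultRA"])
    return ("reject", None, None)
```

With ScepRenewalRDNMatch set to "CN" alone, the second request below would silently inherit the archived "Router" role, which is the non-unique-CN caveat the config comment warns about.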