Quote from [EMAIL PROTECTED]:
I think you mean this:
<option>
<name>SCEP_RA_CERT</name>
<value>/.../scep_cert.pem</value>
</option>
<option>
<name>SCEP_RA_KEY</name>
<value>/.../scep_pkey.pem</value>
</option>
<option>
<name>SCEP_RA_PASSWD</name>
<value>1234567890</value>
</option>
Can you explain here the single steps: how can I create or get, or where
do I find, the files, if they still exist because of Phase II or
Phase III?
you simply issue a 'vpn-server' key/cert at the ca/ra, whatever you
prefer; you would do the same as for ca/ra-operator certs - just
choose another role... like vpn-server or web-server, you may modify
the roles for your needs - like nonrepudiation is usually not required
for them...
scep setup is not directly included in phases i-iii, since it is a
special setup not everybody needs usually...
this key+cert you put into the mentioned config-parts
at your cisco device you select ra instead of ca as type of the ca -
and after doing the ca-init you will see two certificates - one from
the scep-interface (the one you just generated like an ra-operator) and
the ca-certificate
after this the scep-request (enroll) should produce a
certificate-request in the openca-system you can manually issue like a
normal one... after issuing and transferring to the ra the cisco device
can fetch it from there... if in auto enroll mode it will get it as
soon as it is available there - otherwise you have to request again
from the device ;)
You need to ensure your RA cert does not have a passphrase on it
(though you still need to put a bogus passphrase in config.xml).
hmm at my side it always worked without a bogus one, but anyway this is
something one can check if it doesn't - to support real pwds one should
get to the openca-scep c-code and 'fix' this
Hopefully future releases of OpenCA will simplify this, as I imagine
a lot of people want to use OpenCA solely as a CA for supporting
Cisco VPNs.
Answer: I agree with you
i hope this helped...
Well if it is still not working ask me ;) - I got it working so far
with pix and cisco-router stuff within a day or less - but I'm a bit
busy at the moment... and don't have time to work for 'free' on such
things
yes and I didn't prepare a real guide so far :/ - no time... the scep
interface doesn't work out of the box, if there is such a great need
such people should maybe tell us this - so we can make it a more
important task for clarification and documentation updates...
so more community-feedback would be nice too
the most unclear thing seems to be the part of generating an extra
certificate for the scep-interface I guess from this thread at least...
another point may be (at least former versions of ios and pix-software)
were special attributes in the SANs of certificates...
greetings
dalini
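The thread above boils down to three config.xml options (SCEP_RA_CERT, SCEP_RA_KEY, SCEP_RA_PASSWD) plus two things that silently break an OpenCA SCEP setup: a passphrase on the RA key and a key file that is readable by more than the OpenCA user. The script below is an added example, not part of this thread and not OpenCA's own tooling; it parses the `<option><name>…</name><value>…</value></option>` layout quoted above, then checks that the referenced PEM files exist, that the key is unencrypted (both the legacy `Proc-Type: 4,ENCRYPTED` marker and the PKCS#8 `ENCRYPTED PRIVATE KEY` form), and that the key file mode is owner-only. The `demo()` helper, the `<config>` root element and the PEM bodies are constructed placeholders for a self-contained run.

```python
"""Sanity-check the SCEP RA options of an OpenCA config.xml.

Added example for the thread above; not OpenCA code. Assumes the
<option><name>..</name><value>..</value></option> layout quoted there.
"""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

SCEP_OPTIONS = ("SCEP_RA_CERT", "SCEP_RA_KEY", "SCEP_RA_PASSWD")


def read_options(xml_text):
    """Collect {name: value} from every <option> element, whatever the root is."""
    root = ET.fromstring(xml_text)
    opts = {}
    for opt in root.iter("option"):
        name = opt.findtext("name")
        if name is not None:
            opts[name.strip()] = (opt.findtext("value") or "").strip()
    return opts


def pem_key_is_encrypted(pem_text):
    """Passphrase-protected PEM keys carry either the PKCS#8 'ENCRYPTED PRIVATE KEY'
    header or the legacy OpenSSL 'Proc-Type: 4,ENCRYPTED' line."""
    return ("ENCRYPTED PRIVATE KEY" in pem_text
            or "Proc-Type: 4,ENCRYPTED" in pem_text)


def check_scep_ra(opts):
    """Return a list of findings; an empty list means nothing suspicious was found."""
    findings = []
    for name in SCEP_OPTIONS:
        if not opts.get(name):
            findings.append("%s missing or empty in config.xml" % name)

    cert_path = opts.get("SCEP_RA_CERT")
    key_path = opts.get("SCEP_RA_KEY")

    if cert_path and not os.path.isfile(cert_path):
        findings.append("SCEP_RA_CERT file not found: %s" % cert_path)
    elif cert_path:
        with open(cert_path) as fh:
            if "-----BEGIN CERTIFICATE-----" not in fh.read():
                findings.append("SCEP_RA_CERT is not a PEM certificate")

    if key_path and not os.path.isfile(key_path):
        findings.append("SCEP_RA_KEY file not found: %s" % key_path)
    elif key_path:
        with open(key_path) as fh:
            key_text = fh.read()
        if "PRIVATE KEY-----" not in key_text:
            findings.append("SCEP_RA_KEY is not a PEM private key")
        elif pem_key_is_encrypted(key_text):
            findings.append("SCEP_RA_KEY is passphrase-protected; the SCEP "
                            "interface discussed above expects an unencrypted key")
        # The key is stored unencrypted, so the file mode is the only thing
        # guarding it: anything beyond owner access is a finding.
        mode = stat.S_IMODE(os.stat(key_path).st_mode)
        if mode & 0o077:
            findings.append("SCEP_RA_KEY mode %04o allows group/world access" % mode)
    return findings


def demo(encrypted_key=False, key_mode=0o600):
    """Write a constructed config.xml plus placeholder cert/key files into a temp
    directory and run the check. The PEM bodies are NOT real key material."""
    workdir = tempfile.mkdtemp()
    cert_path = os.path.join(workdir, "scep_cert.pem")
    key_path = os.path.join(workdir, "scep_pkey.pem")
    with open(cert_path, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n"
                 "-----END CERTIFICATE-----\n")
    with open(key_path, "w") as fh:
        if encrypted_key:  # legacy OpenSSL encrypted-PEM framing
            fh.write("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                     "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nQ09OU1RSVUNURUQ=\n"
                     "-----END RSA PRIVATE KEY-----\n")
        else:
            fh.write("-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
                     "-----END RSA PRIVATE KEY-----\n")
    os.chmod(key_path, key_mode)
    config = ("<config>\n"
              "<option><name>SCEP_RA_CERT</name><value>%s</value></option>\n"
              "<option><name>SCEP_RA_KEY</name><value>%s</value></option>\n"
              "<option><name>SCEP_RA_PASSWD</name><value>bogus-passphrase</value></option>\n"
              "</config>") % (cert_path, key_path)
    return check_scep_ra(read_options(config))


if __name__ == "__main__":
    print("clean setup :", demo())
    print("broken setup:", demo(encrypted_key=True, key_mode=0o644))
```

Pointing `read_options` at a real config.xml and passing the result to `check_scep_ra` gives the same report for a live installation; the passphrase check only recognises PEM framing, so a key in another container format is reported as "not a PEM private key" rather than silently accepted.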
_______________________________________________
OpenCA-Devel mailing list
OpenCA-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-devel