Hi,

>>> usually i used sscep with the configfile and this worked fine so far
>> OK, haven't tried this yet.
>
> try the sscep.conf file from the posting i mentioned, of course you have
> to adapt paths and so on ;)... but that's clear i guess

I'll have a look at it. After autoscep... :-)

>> OK, I do NOT have an RA certificate, instead I am using a certificate
>> I created solely for the SCEP Interface. If I understand the code
>> correctly, it should not be necessary to use the RA certificate.
>
> yes, but for ease of use, i usually tell people to generate 'a ra
> certificate', meaning an ssl-web-server cert, which should work with the scep-interface
> (to choose from the predefined roles, most people won't start out with
> generating new profiles... of course it should work with a self-made role
> policy too

If I am not mistaken the SCEP cert needs the dataEncryption keyUsage. However, as in the default install the key usage is not flagged critical, it is possible to "abuse" a TLS server cert for SCEP. But this is not a clean solution, I think.

>> <option>
>> <name>SCEP_RA_PASSWD</name>
>> <value>xxxx</value>
>> </option>
>
> hmm yes, i think that's the problem on the openca side ;)
> don't hit me, but, i think the passwd stuff doesn't work right with the
> current scep implementation, meaning the key shouldn't be encrypted, i
> haven't dug this down in the scep-code yet, either it's completely
> missing code, or somehow faulty...

I won't hit you for that. I am going to hit whoever is responsible for the non-existing debugging and, more importantly, error checking code in the SCEP server. OK, not really. But this must (and will) be addressed soon.

Concerning the private key, I think I encountered a problem with *unencrypted* keys. If I remember correctly the command line is not properly built for the openca-scep command if no key passphrase is specified, resulting in an error message of openca-scep that was nicely sent back to the SCEP client (because the program usage used to be printed to STDOUT instead of STDERR). Thus I am using encrypted RSA keys and it seems to work for me.

> the 'reason' why it's not fixed yet is, since the config is readable by the
> apache user and the pwd too, it doesn't make a huge difference if one
> puts the key unencrypted on the filesystem just readable for the apache
> or pki user... whatever is needed, or encrypts it and puts the plaintext pwd in the
> config... (but i should add a comment about this in the config file -
> right)

Agreed.

Martin

_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users
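The keyUsage point raised above (a TLS server cert lacking dataEncipherment passes as a SCEP cert only because the extension is not marked critical) can be checked mechanically. This is an added example, not code from the thread or from OpenCA; it assumes the python-cryptography package is installed and builds its own constructed self-signed test certificates.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def ku(**bits: bool) -> x509.KeyUsage:
    """Build a KeyUsage with the named bits set and all others cleared."""
    names = ("digital_signature", "content_commitment", "key_encipherment",
             "data_encipherment", "key_agreement", "key_cert_sign", "crl_sign",
             "encipher_only", "decipher_only")
    return x509.KeyUsage(**{n: bits.get(n, False) for n in names})


def make_cert(cn: str, usage: x509.KeyUsage, critical: bool) -> x509.Certificate:
    """Constructed self-signed test certificate carrying the given keyUsage."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(usage, critical=critical)
            .sign(key, hashes.SHA256()))


def scep_key_usage_verdict(cert: x509.Certificate) -> str:
    """'ok' if dataEncipherment is granted; 'tolerated' if it is missing but keyUsage
    is absent or non-critical (a lenient peer still accepts it); 'reject' otherwise."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.KeyUsage)
    except x509.ExtensionNotFound:
        return "tolerated"
    if ext.value.data_encipherment:
        return "ok"
    return "reject" if ext.critical else "tolerated"


def demo() -> dict:
    """Default-style TLS server cert (keyUsage non-critical), the same bits
    marked critical, and a cert issued specifically for the SCEP interface."""
    certs = (make_cert("tls-server", ku(digital_signature=True, key_encipherment=True), False),
             make_cert("tls-strict", ku(digital_signature=True, key_encipherment=True), True),
             make_cert("scep-ra", ku(digital_signature=True, data_encipherment=True), True))
    return {c.subject.rfc4514_string(): scep_key_usage_verdict(c) for c in certs}
```

Running `demo()` shows the non-critical TLS server cert being tolerated while the same key usage marked critical is rejected, which is exactly why the default profile lets a web-server cert slip through.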
