On Wed, 24-03-2004 at 11:49, dalini wrote:
> Teo Romera wrote:
> 
> > How about the SCEP thing? The SCEP-speaking router would contact the RA
> > to obtain the CA cert and make a request for its own cert. So will the
> > RA sign the cert for the router? and, can the RA just give out the CA's
> > cert to the router?
> 
> no, I don't know which kind of router you use, but usually you can tell 
> them if they talk directly to a ca or an ra - so they know there is a
> step in between

The user's manual says that this will not be a problem. It should be
able to talk to RA or CA.

> 
> that means:
> the communication between the scep-interface and the router/clients, 
> whoever uses the scep functionality, is secured with the cert for this 
> interface, which is signed by the ca too

Ok!! so there is a cert for the scep interface. I guess the router will
ask for all the certs in the chain.

> 
> the ca is always used to issue certificates - the ones for the ra, as 
> for the router as for the clients - it's always the ca who does this

Ok, that makes sense.

> 
> > Globally i just need a cert for the SCEP-speaking router and a way to
> > issue certs for the remote access users when they request them. Which
> > should be the "deployment view"? I know I can handle installation and
> > configuration issues, but I just don't see how it all would work
> > altogether.
> 
> usually the whole administration is handled at the ra-level, if one exists,
> so there all the requests will get handled by one or more ra-operators,
> even the request for the router - this works quite transparently actually

So the users will ask for their certs on the RA web pages, and the
scep-speaking router will ask for certs on the RA's scep interface.

> 
> the ra-operator will see a request, maybe change this and that - then 
> approve it, usually signing with its own cert, so the ca (ca-operator) can 
> later verify who approved the requests

Ok ok... and all of this is still done in the RA.

> 
> then those approved requests get exported (through a usb-stick, a tape, 
> a disk, whatever) and transported to the offline-ca - there you import the 
> data through the node-interface (which actually handles the data export 
> and import between the machines) and then the certificates get issued 
> there, either manually or automatically through the batch system

Ok, this is exactly what I was wondering.

> 
> then it all goes backwards - export certs from the ca - import at the ra.
> when the certs are imported at the ra they can be fetched by the users 
> and also by the router through scep; of course it is possible that a user 
> requests a cert through scep too - if his client supports this and so 
> on, there are a lot of options, depending on your environment and needs 
> and so on... ;o)

And that ends the cycle! Now I see the whole process more clearly.

> 
> and don't forget to issue a crl - I think the router at least will need 
> one for proper operation - otherwise it could be difficult for it to 
> decide if a certificate is really still valid or not

Yes, of course.

> 
> of course it is possible that this all gets handled by one person ;o)
> in larger scenarios this usually gets divided, as the technicians and the 
> people who decide who is allowed to use something - like the vpn-access 
> - are different
> 
> greetings
> dalini

Thank you very much!! This kind of answer is exactly what I was
needing to gain a global point of view of what my deployment should be.

-- 
Teo Romera <[EMAIL PROTECTED]>

_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users
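The cycle dalini describes (RA operator approves and signs a request, the offline CA verifies who approved before issuing, certs flow back, a CRL lets the router reject a revoked cert), driven with the plain openssl CLI as an added demo. This is not OpenCA code; the names offline-ca, ra-operator and vpn-router, the minimal ca.cnf and the use of a detached signature over the CSR as the "approval" are all constructed for this example.

```shell
# Added demo (not OpenCA code): the RA -> offline CA -> RA cycle with the openssl CLI.
# Names (offline-ca, ra-operator, vpn-router) and ca.cnf are constructed for this demo.
set -eu
openca_cycle_demo() {
  work=$(mktemp -d); cd "$work"
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = offline_ca
[ offline_ca ]
database = index.txt
new_certs_dir = .
serial = serial
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_cn
[ policy_cn ]
commonName = supplied
EOF
  touch index.txt; echo 01 > serial
  for n in ca ra router; do openssl ecparam -genkey -name prime256v1 -noout -out $n.key; done
  # The CA issues everything: first its own root, then a cert for the RA operator.
  openssl req -config ca.cnf -x509 -new -key ca.key -subj /CN=offline-ca -days 30 -out ca.crt
  openssl req -config ca.cnf -new -key ra.key -subj /CN=ra-operator -out ra.csr
  openssl ca -config ca.cnf -batch -notext -in ra.csr -out ra.crt 2>/dev/null
  # RA side: the router's request arrives (via SCEP in practice); the operator approves by signing the CSR.
  openssl req -config ca.cnf -new -key router.key -subj /CN=vpn-router -out router.csr
  openssl dgst -sha256 -sign ra.key -out router.csr.sig router.csr
  # Offline CA after the 'usb-stick' import: approver must be an operator this CA issued, signature must hold.
  openssl verify -CAfile ca.crt ra.crt | grep -q ': OK$'
  openssl x509 -in ra.crt -pubkey -noout > ra.pub
  openssl dgst -sha256 -verify ra.pub -signature router.csr.sig router.csr >/dev/null
  openssl ca -config ca.cnf -batch -notext -in router.csr -out router.crt 2>/dev/null
  # Exported back to the RA: the router fetches its cert and can validate the chain.
  openssl verify -CAfile ca.crt router.crt | grep -q ': OK$'
  # Revoke and publish a CRL: with -crl_check the relying party now rejects the cert.
  openssl ca -config ca.cnf -revoke router.crt 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
  openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl router.crt 2>&1 | grep -q 'certificate revoked'
  echo "cycle complete in $work"
}
openca_cycle_demo
```

Every step is a separate openssl invocation on files, which is exactly what gets carried between the RA machine and the offline CA in the setup described above.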