Hello Pascal,
for SCEP usage you will need at least: CA, RA and SCEP interface. You should:
- have a self-signed CA cert not exceeding 2048 bit (Cisco limit)
- have a CA-signed web-server cert (for example) for the SCEP interface
- secure your RA, like you want/need
- you usually have to edit SCEP requests at the RA interface before approving them, to get them working:
  - move all requested attributes into normal ones (the ones which are connected via + in the request)
  - add additional SAN attributes: dns and ip with the same values as in the request at unstructuredName and unstructuredAddress (Cisco requirements, at least for PIX, but works for the routers too, haven't tested any further)

additionally have a look at the dev-list, there are some improvements for the scepPKIOperation script, which are not part of CVS yet..., which may automate some of the necessary editing and simplify processing...
the certs and keys (for the SCEP interface for example) you can simply generate through OpenCA...
yes, you have to edit config.xml and run configure_etc.sh. yes, there is no default out-of-the-box SCEP scenario yet,
but there are confirmed working installations for Cisco equipment, 7xxx router series and PIX firewall series...
i tested both myself and it's working, meaning: Cisco network equipment can talk to the SCEP interface, and can
- request and install CA/RA certs (this is the SCEP interface cert)
- request and install a certificate
- request and update CRLs (through SCEP)
you should configure your Cisco stuff to talk to an RA, not a CA.
so far these are all the hints i may give in short.
i'm not available the whole next week, but we have some more developers and users of SCEP on the lists, who may assist you...
depending on the whole installation you may also have to check the dataexchange configuration and other things, define your own roles and so on ;) but this is independent for each installation and has to be set up for your environment and requirements of course (online/offline CA, one or more machines and so on)...
greetings dalini
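The request-editing step dalini describes (flatten the "+"-joined attributes into ordinary RDNs, then add SAN dns/ip entries copied from unstructuredName and unstructuredAddress) can be rehearsed offline before touching the RA. The following is an added example written for this thread, not code from OpenCA or from the scepPKIOperation script; it assumes the request subject is available as an OpenSSL-style one-line string (the real OpenCA RA form presents it differently), and the sample subject is constructed:

```python
"""Added example, not part of the openca-users thread or of OpenCA.

Models the manual SCEP request editing needed for Cisco devices:
  1. split multi-valued RDNs joined with '+' into ordinary single RDNs
  2. derive subjectAltName DNS/IP entries from unstructuredName and
     unstructuredAddress, rejecting an unstructuredAddress that is not
     a valid IP instead of silently emitting a bad SAN entry
Assumption: the subject arrives as an OpenSSL-style '/C=..' string.
"""
import ipaddress
from typing import List, Tuple

# Attribute names as Cisco IOS/PIX place them in the request (assumed spelling)
DNS_ATTR = "unstructuredName"
IP_ATTR = "unstructuredAddress"

# Constructed sample subject, as a Cisco router might send it
SAMPLE_SUBJECT = (
    "/C=DE/O=Example/CN=rtr1"
    "+unstructuredName=rtr1.example.net"
    "+unstructuredAddress=192.0.2.10"
)


def split_rdns(subject: str) -> List[Tuple[str, str]]:
    """Parse the subject into (type, value) pairs; components joined with
    '+' (one multi-valued RDN) become separate single-valued entries."""
    pairs: List[Tuple[str, str]] = []
    for component in subject.strip("/").split("/"):
        if not component:
            continue
        for ava in component.split("+"):
            if "=" not in ava:
                raise ValueError(f"malformed attribute: {ava!r}")
            name, value = ava.split("=", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def derive_san(rdns: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Build the SAN entries: DNS from unstructuredName, IP from
    unstructuredAddress. ipaddress.ip_address raises ValueError on junk."""
    san: List[Tuple[str, str]] = []
    for name, value in rdns:
        if name == DNS_ATTR:
            san.append(("DNS", value))
        elif name == IP_ATTR:
            ipaddress.ip_address(value)
            san.append(("IP", value))
    return san


def normalize_request(subject: str) -> Tuple[str, str]:
    """Return the flattened subject and an openssl-style subjectAltName line
    (empty string when the request carries neither attribute)."""
    rdns = split_rdns(subject)
    san = derive_san(rdns)
    subject_line = "/" + "/".join(f"{n}={v}" for n, v in rdns)
    san_line = ""
    if san:
        san_line = "subjectAltName = " + ", ".join(f"{t}:{v}" for t, v in san)
    return subject_line, san_line


def check_request(subject: str) -> Tuple[bool, str]:
    """Operator-facing wrapper: (True, summary) when the request can be
    normalized, (False, reason) when it should be rejected at the RA."""
    try:
        subject_line, san_line = normalize_request(subject)
    except ValueError as exc:
        return False, f"reject: {exc}"
    return True, f"{subject_line}\n{san_line}"


if __name__ == "__main__":
    ok, text = check_request(SAMPLE_SUBJECT)
    print("OK" if ok else "FAILED")
    print(text)
```

Running it on the constructed sample prints the flattened subject followed by `subjectAltName = DNS:rtr1.example.net, IP:192.0.2.10`, which is the pair of edits to apply by hand in the RA before approval; a request whose unstructuredAddress is not an IP is reported for rejection rather than approved with a malformed SAN.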
Pascal VERMEIRE wrote:
Hi folks,
At the moment we need the OpenCA server for Cisco VPN device authentication. So I suppose that only the CA server and SCEP server need to be installed (is this correct - or is only the SCEP interface needed, so that the certificates for the VPN devices are generated by the SCEP server instead of the CA server??). We still need to edit the config.xml (or scep.conf) and run the script, but for us the following point in the administration guide is not clear - you have to fill out the following parameters:
ScepRAKey, ScepRACert, CepRAPasswd
How must we generate this key and certificate? Or where do we get it from? Why do you need this key and certificate, as you should have a key and self-signed certificate for the CA server which will issue certificates for all VPN devices?
tia
Pascal Vermeire
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users
