Hello Max, Thanks for the valuable information.
--- On Tue, 6/4/10, Massimiliano Pala <p...@cs.dartmouth.edu> wrote:

> From: Massimiliano Pala <p...@cs.dartmouth.edu>
> Subject: Re: [Openca-Users] Automated Certificate issuance
> To: nitin...@yahoo.com, "Users' Help and Suggestions" <openca-users@lists.sourceforge.net>
> Date: Tuesday, 6 April, 2010, 9:19 PM
>
> Hello Nitin,
>
> OpenCA supports two ways to automatically issue certificates. The first is
> to use the AutoCA function that lets you issue certificates automatically based
> on several criteria (request is signed, approved, role, etc.) and you can
> activate it via the web interface. For CRLs there is the AutoCRL command that
> provides similar functionality but for CRLs. Also, for automatic emailing to
> users/clients there is the Auto-Email command that allows you to automatically
> send warnings (e.g., for expiration) or emails (e.g., on certificate issuing)
> to clients.
>
> The other option is to use the batch interface that lets you issue requests/
> certificates without user actions. The downside of the batch interface is the
> lack of good documentation.
>
> To use automated clients you might want to consider using the SCEP protocol/
> interface. There are several clients out there available for free and we do
> provide a client in LibPKI.

I read some basics about the SCEP protocol and my understanding is that client software like "SSCEP" on the network device and the SCEP interface of OpenCA on the server would solve the problem of automated clients requesting certificate signing and OpenCA signing it based on some criteria.

What I want to do is: whenever the network devices are put online for the first time, they request certificate signing, which they will use for further communications with a data server. The request should go with some device identification information and also some sort of credentials entered by a human (which sort of authenticates the device or binds the device to its public key). The CA software then checks the device identification information and the authentication credentials supplied, and if all of these are satisfactory, signs the certificate.

Can you please give me some feedback about the approach and also give some inputs on how this can be implemented using SSCEP on the client and OpenCA on the server?

Thanks and regards
-Nitin

> Also, you might want to consider installing the PRQP server which allows clients
> to ask "Where is the CRL from this CA ?" or "Where is the SCEP gateway ?" or,
> again "Where is the HTML revocation gateway for this CA ?". We are starting
> to deploy the protocol in several communities and we hope to have it as an
> IETF standard soon.
>
> Cheers,
> Max
>
>
> On 04/06/2010 07:13 AM, Nitin Mahajan wrote:
> > HI!
> >
> > I am completely new to OpenCA.
> >
> > I just wanted to know whether OpenCA, once set up, can automatically sign
> > and issue client certificates (based on predetermined criteria), without
> > human intervention for every certificate request?
> >
> > I just wanted to use this to issue first-time certificates to automated
> > clients. Would this be the right approach?
> >
> >
> > regards
> > -Nitin