Thanks Oliver - your post helped me think through our deployment. I think we can simplify things by using the same cert on each RADIUS server for each EAP instance. Then we can renew it with a 'sign on behalf'.

I wish I had the skills to contribute to any of the great open source projects we love and use. I'd gladly do so!

On Tue, May 23, 2023 at 10:49 PM, Oliver Welter <[email protected]> wrote:

> Hi Nick,
>
> OpenXPKI supports so called "Signer On Behalf" so in case you are managing those certs from a central location it might be worth to just have ONE authentication certificate to sign the end-entity requests but in the end this will also have the same "password issue" :(
>
> As sscep is an OpenSource project feel free to add password support to it, if you are good enough with perl you might also use the new SCEP modules from OpenXPKI to write your own perl-based client (which can handle password protected keys). Well and if a commercial license is an option - we might have something in our toolbox ;)
>
> best regards
>
> Oli
>
> On 22.05.23 15:29, Nick Dawson wrote:
>
> Hey folks - I've been working on a script to automate the renewal of freeradius certs via sscep against OpenXPKI's scep implementation.
>
> The challenge (pun intended?) is that all my keys have a passphrase. I could use openssl to strip the passphrase, renew the cert, and then re-add the phrase, but that feels clunky. It doesn't seem that sscep allows piping in the passphrase from a file or the command line and I know this isn't an sscep support list, so we don't have to get deep into the weeds there.
>
> But I'm curious if OpenXPKI or this group has any tips or ideas? Is there some way to avoid passing the key altogether for the cert renewal? Anyone have clever ideas?
>
> Thanks in advance for any thoughts you have. If I can get this working, I'll be glad to share the end result.
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
> --
> Protect your environment - close windows and adopt a penguin!
