Nick, do NOT start certificate sharing and I really don't understand how this matches with "Signer on Behalf"...if you use the Signer On Behalf pattern from a central machine you can generate an individual cert for each server...

The idea is as simple as:

 * Have a central "provisioning" server
 * Give this server a Client certificate
 * For each RADIUS server:
     o Generate a CSR (preferably on the machine itself)
     o Transfer the CSR to the provisioning server
     o Send the CSR using the "On Behalf Certificate" to the PKI
     o Push the certificate to the RADIUS server
 * Self-Renew the OnBehalf certificate once a year

Oli
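
The per-server part of the flow above, as an added shell example that is not from this thread or from OpenXPKI: the passphrase-protected key is generated on the RADIUS server and never leaves it, only the CSR travels, and the provisioning server verifies the CSR and rejects a key already seen for another host before it would sign on behalf. Hostnames, paths and the passphrase file are constructed for the example; the actual "On Behalf" submission to the PKI depends on the deployment and is only described in a comment.

```shell
#!/bin/sh
# Added example (not from the thread or OpenXPKI): per-server key and CSR
# handling for the "Signer On Behalf" flow. Hostnames, paths and the
# passphrase file are constructed; the PKI submission itself is not shown.
set -eu

# Step 1 (on the RADIUS server): encrypted RSA key + CSR.
# $1 = server FQDN, $2 = output dir, $3 = passphrase file (mode 0600)
make_csr() {
    fqdn=$1; out=$2; passfile=$3
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
        -aes-256-cbc -pass "file:$passfile" -out "$out/$fqdn.key" 2>/dev/null
    openssl req -new -key "$out/$fqdn.key" -passin "file:$passfile" \
        -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" \
        -out "$out/$fqdn.csr" 2>/dev/null
}

# Step 2 (on the provisioning server): refuse a CSR whose self-signature is
# bad (1), whose CN is not the expected host (2), or whose public key was
# already seen for another host (3), i.e. the key sharing warned about above.
# $1 = expected FQDN, $2 = CSR path, $3 = state file of "fingerprint host" lines
check_csr() {
    fqdn=$1; csr=$2; seen=$3
    touch "$seen"
    openssl req -in "$csr" -noout -verify 2>/dev/null || return 1
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    [ "$cn" = "CN=$fqdn" ] || return 2
    fp=$(openssl req -in "$csr" -noout -pubkey | openssl pkey -pubin -outform DER \
         | openssl dgst -sha256 | awk '{print $NF}')
    if grep -q "^$fp " "$seen"; then
        grep -q "^$fp $fqdn\$" "$seen" || return 3
    else
        printf '%s %s\n' "$fp" "$fqdn" >> "$seen"
    fi
    return 0
}

# Step 3 (not shown): submit the verified CSR to the PKI authenticated with
# the provisioning server's own client certificate (the "On Behalf"
# credential) and push the issued certificate back to the RADIUS server.
```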


On 25.05.23 02:04, Nick Dawson wrote:
Thanks Oliver - your post helped me think through our deployment. I think we can simplify things by using the same cert on each RADIUS server for each EAP instance. Then we can renew it with a 'sign on behalf'.

I wish I had the skills to contribute to any of the great open source projects we love and use. I'd gladly do so!


On Tue, May 23, 2023 at 10:49 PM, Oliver Welter <[email protected]> wrote:

    Hi Nick,

    OpenXPKI supports so-called "Signer On Behalf", so in case you are
    managing those certs from a central location it might be worth
    just having ONE authentication certificate to sign the end-entity
    requests, but in the end this will also have the same "password
    issue" :(

    As sscep is an OpenSource project feel free to add password
    support to it, if you are good enough with perl you might also use
    the new SCEP modules from OpenXPKI to write your own perl-based
    client (which can handle password protected keys). Well and if a
    commercial license is an option - we might have something in our
    toolbox ;)

    best regards

    Oli

    On 22.05.23 15:29, Nick Dawson wrote:

        Hey folks - I've been working on a script to automate the
        renewal of freeradius certs via sscep against OpenXPKI's
        scep implementation.

        The challenge (pun intended?) is that all my keys have a
        passphrase. I could use openssl to strip the pass phrase,
        renew the cert, and then re-add the phrase, but that feels
        clunky. It doesn't seem that sscep allows piping in the
        passphrase from a file or the command line and I know this
        isn't an sscep support list, so we don't have to get deep in
        to the weeds there.

        But I'm curious if OpenXPKI or this group has any tips or
        ideas? Is there some way to avoid passing the key altogether
        for the cert renewal? Anyone have clever ideas?

        Thanks in advance for any thoughts you have. If I can get this
        working, I'll be glad to share the end result.

        _______________________________________________
        OpenXPKI-users mailing list
        [email protected]
        https://lists.sourceforge.net/lists/listinfo/openxpki-users

    -- Protect your environment - close windows and adopt a penguin!

