Hi Julien,

> And, I’m just wondering, could OpenXPKI just act as a SCEP server with my
> current Microsoft SubCA ?
> Or do I really need to configure a new OpenXPKI SubCA for SCEP to be working ?

In general, OpenXPKI Enterprise Edition does support this mode of operation. Please note that this feature is not available for OpenXPKI Community Edition.

We call it RA/CA split, and this feature essentially allows chaining OpenXPKI with itself or another PKI product. Normally this feature is used to separate the RA side (handling requests) from the actual CA issuance (CA side).

This mode will allow you to configure the SCEP server on the RA instance, which then forwards certificate requests to the CA backend for issuance. This works well with OpenXPKI itself as a backend and e.g. public CAs, where a public CA such as DigiCert, Verisign or LetsEncrypt issues the actual certificate.

It is possible to attach different PKI products as CA backend, but here is the catch: Microsoft CA is too limited to allow this mode of operation. It is not easily possible to interface with Microsoft CA properly to attach it as an issuing CA with an OpenXPKI RA frontend. There may be ways, but they are clumsy.

If you need assistance on this, I would recommend approaching this off-list. Get in touch with White Rabbit Security and we can discuss your options.

Cheers,

Martin