On Wed, 2003-12-17 at 05:02, Jon Barber wrote:

> Probably your best bet is OpenSCEP : http://openscep.othello.ch/ Having
> said that, openca looks very promising and has SCEP support in the CVS
> tree at the moment. OpenSCEP is quite lightweight & specific, whereas
> OpenCA is trying to be a full blown CA / RA etc.
>
> > If somebody else is actively working on this, please warn me off...
>
We're using an OpenSSL based CA internally, and use OpenSCEP to provide minimal SCEP functionality so that we can get Cisco routers and VPN 3000s working. They generate their own certs, then use SCEP to push their cert request at the CA for signing. Thereafter we use other methods to:

a> get a copy of the CA public key - that's all that SCEP is actually required for - all the rest can be done via cut-n-paste.

b> download CRLs. We primarily use good old fashioned HTTP to download CRLs - our "CRL servers". We have a bunch of them throughout the company WAN (a cronjob rsyncs new CRL files from the CA to them whenever it's updated/hourly), and these routers/concentrators point at their local ones. SCEP would be great if we had 100,000s of users, but as we only have a couple of thousand, a "full" CRL file is only ever going to contain <100 entries, and the CRL servers are on the same LAN - so who cares about the performance...

Obviously Cisco want you to use SCEP for the whole process: getting the cert req to the CA, signing it, then uploading it back to the router. But I don't trust "automating" SCEP to just blindly sign any outstanding cert request - I mean - what are they on!?!?!?! As we want to manually OK all such requests, the "overhead" of having to cut-n-paste the req is totally ignorable.

Anyway, once you've got the process figured out and documented, it's a piece of cake :-)

Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
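As an added example (not part of Jason's post or of OpenSCEP), here is the kind of publish step the hourly cron job described above could run: it refuses to push a CRL to the HTTP "CRL servers" unless the CRL verifies against the CA certificate and its nextUpdate is still in the future, so a stale or tampered file never replaces a good one. The file paths, host names and the use of GNU date are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Publishes a freshly generated CRL to
# the internal HTTP "CRL servers" only after checking that it verifies against the
# CA certificate and is not already past its nextUpdate. Paths and hosts are assumed.
set -eu

CA_CERT="${CA_CERT:-/etc/pki/CA/cacert.pem}"        # assumed path of the CA cert
CRL_FILE="${CRL_FILE:-/etc/pki/CA/crl/crl.pem}"      # assumed path of the new CRL
CRL_SERVERS="${CRL_SERVERS:-crl1.example.internal crl2.example.internal}"  # assumed hosts
DEST_DIR="${DEST_DIR:-/var/www/html/crl/}"           # assumed docroot on each CRL server

# Return 0 if the CRL's signature verifies against the CA certificate.
# "openssl crl" prints "verify OK" when given -CAfile and the signature checks out.
crl_signature_ok() {
    openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q '^verify OK'
}

# Return 0 if a "nextUpdate=<date>" line (the format printed by
# "openssl crl -noout -nextupdate") is still in the future. A CRL that is
# already expired must never be pushed out: clients would reject it.
next_update_in_future() {
    ts=${1#nextUpdate=}
    next=$(date -u -d "$ts" +%s)     # GNU date syntax; assumed available
    now=$(date -u +%s)
    [ "$next" -gt "$now" ]
}

# Validate, then copy the CRL to every CRL server's web root.
publish_crl() {
    crl_signature_ok "$CRL_FILE" "$CA_CERT" \
        || { echo "CRL does not verify against $CA_CERT, not publishing" >&2; return 1; }
    next_update_in_future "$(openssl crl -in "$CRL_FILE" -noout -nextupdate)" \
        || { echo "CRL already past nextUpdate, not publishing" >&2; return 1; }
    for host in $CRL_SERVERS; do
        rsync -a --checksum "$CRL_FILE" "$host:$DEST_DIR"
    done
}

# Only run the publish step when invoked as "publish"; sourcing the file is harmless.
if [ $# -gt 0 ] && [ "$1" = "publish" ]; then
    publish_crl
fi
```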