Hi there,

We're looking at introducing Mobile Device Management into our organization and we have a home-built PKI based around openssl command line tools and a bunch of shell scripts. Works well, very bespoke - moving away from it would be a major drama (i.e. changing to a better PKI that had built-in support for SCEP is further down the track).

Anyway, it doesn't support SCEP and I am trying to see if I can implement it myself. I have got a SCEP client to create a PKCS#7 container submission, upload it to my "stub" SCEP CGI, and can get interesting details out via

  openssl asn1parse -in scep-request.pem
  openssl pkcs7 -in scep-request.pem -print_certs
  openssl smime -verify -in scep-request.pem -inform pem -CAfile CA-pubkey.pem -noverify

My reading of the SCEP RFC tells me that PKCS#7 file actually contains a PKCS#10 encrypted request, but how do I get that out, convert it back into a normal CSR for "openssl ca" to sign, then bundle it appropriately up for delivery back to the SCEP client?

Is that even possible with command line tools, or is this exclusively the realm of actual PKI products?

Thanks!

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
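
The nesting described in the question (a signed PKCS#7 wrapping an encrypted PKCS#7 that holds the PKCS#10 request), shown as an added example that is not part of the original post. It builds a constructed SCEP-style request and unwraps it with the same `openssl smime` tool the post uses; all keys, subjects and file names are assumptions made for the demo. A real SCEP client also adds signed attributes (transaction ID, message type, nonce) that this sketch does not produce, and the reply to the client is not covered.

```shell
#!/bin/sh
# Added example. Every key, subject and file name here is constructed.
set -eu
work=$(mktemp -d)

make_request() {
  # CA key pair: the client encrypts its CSR to this certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null
  # Client key, PKCS#10 request (DER) and self-signed signing certificate.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=device.example" \
    -keyout "$work/dev.key" -outform DER -out "$work/dev.csr.der" 2>/dev/null
  openssl req -x509 -new -key "$work/dev.key" -days 1 \
    -subj "/CN=device.example" -out "$work/dev.crt" 2>/dev/null
  # Inner layer: envelopedData holding the CSR, encrypted to the CA.
  openssl smime -encrypt -binary -aes-256-cbc -outform DER \
    -in "$work/dev.csr.der" -out "$work/enveloped.der" "$work/ca.crt"
  # Outer layer: signedData over the envelope, signed by the client.
  openssl smime -sign -binary -nodetach -outform PEM \
    -signer "$work/dev.crt" -inkey "$work/dev.key" \
    -in "$work/enveloped.der" -out "$work/scep-request.pem"
}

unwrap_request() {
  # 1. Check the signature and write out the signed content (the envelope).
  #    -noverify skips only the chain check on the self-signed signer cert.
  openssl smime -verify -noverify -inform PEM \
    -in "$work/scep-request.pem" -out "$work/inner.der" 2>/dev/null
  # 2. Decrypt the envelope with the CA key to recover the PKCS#10 request.
  openssl smime -decrypt -inform DER -in "$work/inner.der" \
    -recip "$work/ca.crt" -inkey "$work/ca.key" \
    -out "$work/recovered.csr.der"
  # 3. Check the CSR's self-signature and convert it from DER to PEM.
  openssl req -inform DER -in "$work/recovered.csr.der" -verify \
    -out "$work/recovered.csr.pem" 2>/dev/null
}

make_request
unwrap_request
openssl req -in "$work/recovered.csr.pem" -noout -subject
```

The resulting `recovered.csr.pem` is an ordinary PEM CSR, the form `openssl ca -in` reads.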