
Does step-ca support SCEP manual mode? #1170

Open
abotelho-cbn opened this issue Nov 9, 2022 · 4 comments · May be fixed by #1502
abotelho-cbn commented Nov 9, 2022

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

Does step-ca support SCEP manual mode?

According to the SCEP RFC (https://www.rfc-editor.org/rfc/rfc8894), section 2.4 (https://www.rfc-editor.org/rfc/rfc8894#name-enrolment-authorisation) SCEP servers can optionally put SCEP clients in a pending mode:

To perform the authorisation in manual mode, the client's request is placed in the PENDING state until the CA operator authorises or rejects it. Manual authorisation is used when the client has only a self-signed certificate that hasn't been previously authenticated by the CA and/or a challengePassword is not available. The SCEP CA MAY either reject unauthorised requests or mark them for manual authorisation according to CA policy.

Why is this needed?

We're looking at a few options for CA servers, and some of them have implemented this functionality. Notable CA servers that support this are Dogtag PKI and EJBCA Enterprise. It helps in situations where you have some trust, but not perfect trust in the end device's environment, and validation of the requests by a human is required. For example, a remote SysAdmin approving requests from a remote location. As per RFC 8894, a challenge password (as step-ca seems to use at the moment) can be paired with pending/manual mode.

Edit 1

I'm not super familiar with Golang generally, but after doing some digging I can see that SCEP in step-ca uses the scep Go package, which appears to support the PENDING status message. I hope this means it should be possible to add manual mode to step-ca.

@abotelho-cbn abotelho-cbn added enhancement needs triage Waiting for discussion / prioritization by team labels Nov 9, 2022
hslatman commented Nov 9, 2022

Hi @abotelho-cbn: at the moment our SCEP implementation doesn't support manual approval. We offer a fairly basic SCEP integration at this time, primarily geared towards automated enrollment, as step-ca has targeted the automated use cases more so than manual certificate issuance. We do offer a form of manual approval in our hosted offering, but that's not (yet) fully integrated with our SCEP integration; it can be used with other provisioners, though.

You're right about the library we use; it has support for the PENDING state, so technically it is possible to implement. There's more to it, though, as it would require the certificate requests to be stored intermittently. A mechanism to make an administrator act on the request also needs to be added.

Your explanation on why manual approval with SCEP makes it a more trustworthy enrollment absolutely makes sense to me. Lately we have had some more discussions with people that need SCEP. Most of these discussions are concluded with the fact that we need some extensions/improvements to our current integration. Your feature request seems to fit well with the other things already discussed. Would you be open to talk about what you need and why you need it with one of my colleagues?

One final question: does your use case and/or environment require certificate issuance via SCEP, or would a different method/protocol also be an option to you?
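The manual-approval flow the two comments above describe (park the request on PKCSReq, answer PENDING, let an operator decide, then resolve the client's GetCertInitial polls), as an added sketch in Go that is not step-ca's or the scep package's code; `PKIStatus`, `ApprovalQueue` and the transactionID-keyed map are assumed names, and the in-memory map stands in for the storage a real server would need.

```go
package main

import "errors"

// PKIStatus carries the pkiStatus values defined in RFC 8894 section 3.2.1.3.
type PKIStatus int

const (
	SUCCESS PKIStatus = 0
	FAILURE PKIStatus = 2
	PENDING PKIStatus = 3
)

// pendingReq is one parked CSR plus the status the CA currently reports for it.
type pendingReq struct {
	csrDER []byte
	status PKIStatus
}

// ApprovalQueue keys parked requests by SCEP transactionID, which the client reuses in its
// GetCertInitial polls after PENDING (assumed design; not goroutine-safe and not persisted).
type ApprovalQueue struct{ reqs map[string]*pendingReq }

func NewApprovalQueue() *ApprovalQueue { return &ApprovalQueue{reqs: map[string]*pendingReq{}} }

// Enroll handles PKCSReq: park the CSR (first one wins per transactionID) and report status.
func (q *ApprovalQueue) Enroll(txID string, csrDER []byte) PKIStatus {
	if _, exists := q.reqs[txID]; !exists {
		q.reqs[txID] = &pendingReq{csrDER: csrDER, status: PENDING}
	}
	return q.Poll(txID)
}

// Decide is the operator action: verdict is SUCCESS or FAILURE, applied exactly once.
func (q *ApprovalQueue) Decide(txID string, verdict PKIStatus) error {
	r, ok := q.reqs[txID]
	if !ok || r.status != PENDING || (verdict != SUCCESS && verdict != FAILURE) {
		return errors.New("unknown transactionID, already decided, or invalid verdict")
	}
	r.status = verdict
	return nil
}

// Poll handles GetCertInitial: unknown IDs fail closed, undecided ones stay PENDING.
func (q *ApprovalQueue) Poll(txID string) PKIStatus {
	if r, ok := q.reqs[txID]; ok {
		return r.status
	}
	return FAILURE
}
```

The parked CSR is kept so that the certificate eventually issued on SUCCESS is built from the request the operator actually reviewed, not from whatever the client sends in a later poll.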

abotelho-cbn (author) commented

SCEP is a hard requirement in fact. We have equipment that uses the G2S standard (https://www.gamingstandards.com/en/standards/g2s-game-system) which requires SCEP for interoperability reasons.

I'd be open to further discussion!


hslatman commented Nov 15, 2022

@abotelho-cbn are you on our Discord by any chance? I would like to send you an invite to set up a meet.

abotelho-cbn (author) commented

Just joined! abotelhocbn#6332

@dopey dopey removed the needs triage Waiting for discussion / prioritization by team label Jan 6, 2023
@adrian-alexander adrian-alexander linked a pull request Aug 4, 2023 that will close this issue