Hi all, I am starting to work on the SCEP integration and I'd like to have some clarifications about the first step when authenticating the CA on the client.
I have generated a new identity on the client and then issued the command:
crypto ca authenticate caname
We now have two options:
1. Send the simple CA certificate to the client
(for environments where you have no RAs)
2. Send a pkcs#7 signed data with the CA and the RA certificate
(our case)
I have modified the openca-sign command to support adding more than
one certificate to the generated PKCS#7 structure. Does this structure
have to be signed by the CA or can it be signed by the RA's cert?
If someone is interested in the process of requesting a CA certificate
from a SCEP client, here it is (just some hints, I have not come across
the whole process):
> ena
...
(config)#configure terminal
(config)#crypto ca identity <caname>
(config)#crypto key generate rsa
(config)#crypto ca enrollment URL
(config)#crypto crl optional
(config)#crypto ca authenticate <caname>
and to delete the caname from the system (and certificates too):
> ena
...
(config)#configure terminal
(config)#default crypto ca identity <caname>
--
C'you,
Massimiliano Pala
--o-------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] [EMAIL PROTECTED]
[EMAIL PROTECTED]
http://www.openca.org Tel.: +39 (0)59 270 094
http://openca.sourceforge.net Mobile: +39 (0)347 7222 365
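
The two response forms listed in the message above (a bare CA certificate, or a PKCS#7 structure carrying the CA and RA certificates), as an added example that is not part of the original post or of OpenCA. It assumes the certificates-only (degenerate) SignedData layout that the SCEP specification describes for the CA/RA response; the function names are hypothetical and the certificates are constructed placeholders.

```python
# Added example: DER walk of a GetCACert-style response (definite lengths only).
OID_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("06092a864886f70d010701")         # 1.2.840.113549.1.7.1

def tlv(tag, body):
    """Encode one DER element with a short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def read_tlv(buf, pos=0):
    """Decode the element at pos; return (tag, body, next_pos)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + n], pos + n

def children(body):
    """Split a constructed element's body into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def certs_only_p7(certs):
    """Build a degenerate SignedData: certificates present, no signers."""
    signed_data = tlv(0x30, tlv(0x02, b"\x01")   # version 1
                      + tlv(0x31, b"")           # digestAlgorithms: empty SET
                      + tlv(0x30, OID_DATA)      # contentInfo: id-data, no content
                      + tlv(0xA0, b"".join(certs))  # [0] IMPLICIT certificates
                      + tlv(0x31, b""))          # signerInfos: empty SET
    return tlv(0x30, OID_SIGNED_DATA + tlv(0xA0, signed_data))

def classify(der):
    """Return (kind, certificate count, signer count) for a response body."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if not body.startswith(OID_SIGNED_DATA):
        return ("certificate", 1, 0)             # option 1: bare CA certificate
    _, signed_data, _ = read_tlv(children(body)[1][1])
    fields = children(signed_data)
    bags = [val for tag, val in fields if tag == 0xA0]
    n_certs = len(children(bags[0])) if bags else 0
    return ("pkcs7", n_certs, len(children(fields[-1][1])))  # option 2

# Constructed placeholders standing in for DER certificates (not real X.509).
CA = tlv(0x30, b"constructed CA placeholder")
RA = tlv(0x30, b"constructed RA placeholder " * 8)  # forces a long-form length
```

A client can use the certificate count to decide whether it still has to tell the CA certificate apart from the RA certificate before trusting either.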
