
Notes on SCEP implementation in Certificate Manager

End-Entity Uniqueness

According to the SCEP specification, an end entity may hold only one key pair for a given subject name and key usage combination at any one time. If an entity needs to enroll a second time for the same subject name and key usage, the old certificates must therefore be revoked; re-enrollment replaces the previous certificate rather than adding to it.

End-entity certificates are identified by their UniqueID, which has the following format:

UniqueID
<fqdn>[,[<ipaddress>][,<serialnumber>]]

The fqdn is mandatory; ipaddress and serialnumber are optional. When only a serial number is given, the ipaddress field is left empty but its comma is kept, that is, <fqdn>,,<serialnumber>.
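As an added worked example (not Certificate Manager code), the following Go program parses the UniqueID format above, including the empty-ipaddress form, and models the one-key-pair rule as a registry keyed on the (UniqueID, key usage) combination: a second enrollment for the same combination replaces the active certificate and reports the serial number that has to be revoked. Folding the FQDN to lower case, the host names, and the string certificate serials are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// UniqueID is the parsed form of "<fqdn>[,[<ipaddress>][,<serialnumber>]]".
// Example code added to this page, not Certificate Manager's own. Folding the
// FQDN to lower case is this example's choice (DNS names are case-insensitive).
type UniqueID struct {
	FQDN   string
	IP     string // empty when the optional ipaddress field is absent
	Serial string // empty when the optional serialnumber field is absent
}

// ParseUniqueID validates the three-field form: the fqdn is mandatory, a
// non-empty ipaddress must parse as an IP, and a third comma must be followed
// by a serialnumber. More than three fields is rejected.
func ParseUniqueID(s string) (UniqueID, error) {
	parts := strings.Split(s, ",")
	if len(parts) > 3 {
		return UniqueID{}, fmt.Errorf("uniqueid %q: at most three fields allowed", s)
	}
	fqdn := strings.ToLower(strings.TrimSpace(parts[0]))
	if fqdn == "" {
		return UniqueID{}, errors.New("uniqueid: fqdn is mandatory")
	}
	id := UniqueID{FQDN: fqdn}
	if len(parts) >= 2 {
		ip := strings.TrimSpace(parts[1])
		if ip != "" && net.ParseIP(ip) == nil {
			return UniqueID{}, fmt.Errorf("uniqueid %q: %q is not an IP address", s, ip)
		}
		id.IP = ip
	}
	if len(parts) == 3 {
		serial := strings.TrimSpace(parts[2])
		if serial == "" {
			return UniqueID{}, fmt.Errorf("uniqueid %q: trailing comma without serialnumber", s)
		}
		id.Serial = serial
	}
	return id, nil
}

// String re-emits the canonical form, keeping the empty ipaddress slot
// ("fqdn,,serial") so that the string stays unambiguous.
func (u UniqueID) String() string {
	s := u.FQDN
	if u.IP != "" || u.Serial != "" {
		s += "," + u.IP
	}
	if u.Serial != "" {
		s += "," + u.Serial
	}
	return s
}

// Registry enforces the one-key-pair rule: at most one active certificate per
// (UniqueID, key usage) combination. Certificates are represented by serial only.
type Registry struct {
	active  map[string]string // "uniqueid|keyusage" -> active certificate serial
	Revoked []string          // serials revoked because of re-enrollment
}

func NewRegistry() *Registry {
	return &Registry{active: make(map[string]string)}
}

// Enroll records a newly issued certificate. If the same entity already holds
// a certificate for the same key usage, that older certificate is revoked and
// its serial returned so the caller can publish the revocation.
func (r *Registry) Enroll(id UniqueID, keyUsage, certSerial string) (revokedSerial string, replaced bool) {
	key := id.String() + "|" + keyUsage
	if old, ok := r.active[key]; ok {
		r.Revoked = append(r.Revoked, old)
		revokedSerial, replaced = old, true
	}
	r.active[key] = certSerial
	return revokedSerial, replaced
}

func main() {
	id, err := ParseUniqueID("router1.example.com,10.0.0.5,SN123") // constructed input
	if err != nil {
		panic(err)
	}
	r := NewRegistry()
	r.Enroll(id, "digitalSignature", "01")
	old, replaced := r.Enroll(id, "digitalSignature", "02") // second enrollment
	fmt.Printf("re-enrollment of %s revoked serial %q (replaced=%v)\n", id, old, replaced)
}
```

Note that a different key usage for the same UniqueID is a different combination and does not trigger a revocation, which is exactly the distinction the uniqueness rule draws.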

Limitations in the Certificate Manager implementation

Certificate Retrieval

The SCEP protocol specification defines a GetCert message for downloading certificates from the CA. This message is not supported in the current implementation; end entities are encouraged to retrieve certificates over LDAP instead.

CRL Distribution

SCEP entities must use the CRL Distribution Point extension in their certificates to download the CRL; the SCEP CRL query message, GetCRL, is not supported in the Certificate Manager implementation. Certificates issued to SCEP clients should therefore carry a CRL Distribution Point, since a client has no other supported way to obtain revocation information.
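As an added example covering the two limitations above (GetCert and GetCRL unavailable), and not Certificate Manager's own code, the following Go program shows the client-side checks that remain: read the CRL Distribution Point URIs out of the end-entity certificate, and validate a CRL obtained from one of those URIs by verifying its signature against the issuer, refusing a stale CRL, and looking up the certificate's serial. The CA, end-entity certificate, CDP URI (http://crl.example.com/scep-ca.crl) and CRL are all constructed in memory with the Go standard library; the download itself is left out so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CRLURLs returns the URIs from the certificate's CRL Distribution Points
// extension. With no SCEP GetCRL available, an empty result means the client
// has no supported way to learn this certificate's revocation status.
func CRLURLs(cert *x509.Certificate) ([]string, error) {
	if len(cert.CRLDistributionPoints) == 0 {
		return nil, errors.New("certificate has no CRL Distribution Point extension")
	}
	return cert.CRLDistributionPoints, nil
}

// IsRevoked checks serial against a DER-encoded CRL downloaded from one of the
// CDP URIs. The CRL signature is verified against the issuer, and a CRL whose
// NextUpdate has passed is rejected rather than trusted.
func IsRevoked(crlDER []byte, issuer *x509.Certificate, serial *big.Int, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL signature invalid: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return false, errors.New("CRL is stale; refusing to treat the certificate as valid")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// Fixtures holds a throw-away CA, an end-entity certificate with a hypothetical
// CDP URI, and a CRL that revokes that end entity (all constructed in memory).
type Fixtures struct {
	CA     *x509.Certificate
	EE     *x509.Certificate
	CRLDER []byte
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func BuildFixtures() *Fixtures {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example SCEP CA"},
		SubjectKeyId: []byte{1, 2, 3, 4}, // constructed; needed for the CRL's authority key id
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	ca, err := x509.ParseCertificate(caDER)
	check(err)
	eeKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	eeTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4711), Subject: pkix.Name{CommonName: "router1.example.com"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		CRLDistributionPoints: []string{"http://crl.example.com/scep-ca.crl"}, // hypothetical URI
	}
	eeDER, err := x509.CreateCertificate(rand.Reader, eeTmpl, ca, &eeKey.PublicKey, caKey)
	check(err)
	ee, err := x509.ParseCertificate(eeDER)
	check(err)
	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: ee.SerialNumber, RevocationTime: now}},
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	check(err)
	return &Fixtures{CA: ca, EE: ee, CRLDER: crlDER}
}

func main() {
	f := BuildFixtures()
	urls, err := CRLURLs(f.EE)
	check(err)
	revoked, err := IsRevoked(f.CRLDER, f.CA, f.EE.SerialNumber, time.Now())
	check(err)
	fmt.Printf("fetch CRL from %v; serial %s revoked: %v\n", urls, f.EE.SerialNumber, revoked)
}
```

In a real client the bytes passed to IsRevoked come from an HTTP or LDAP fetch of the first usable URI; the signature and freshness checks are what stop a replayed or forged CRL from hiding a revocation.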

Manual Mode

Manual mode, that is, a way for a Certificate Manager administrator to accept or deny a request while the end entity waits, is not supported in the Certificate Manager implementation. In SCEP terms this is the flow in which the CA answers a request with a PENDING status and the client polls with GetCertInitial; clients enrolling against Certificate Manager should not rely on it.



Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.