<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>The SCEP protocol doesn't support elliptic curve algorithms —
it's RSA-only.</p>
<p>From an enrollment-protocol perspective, you'll need to look at
something like CMP or EST for ECDSA support. Since EST has a
similar scope to SCEP, whereas CMP tries to solve many more
CA-related problems, it's usually the step up from SCEP when you
need ECDSA.<br>
</p>
<p>-Jason Burrell<br>
</p>
<div class="moz-cite-prefix">On 06/13/2018 04:49 AM, Markus P.
Beckhaus wrote:<br>
</div>
<blockquote type="cite"
cite="mid:55E32C76-8A4C-44A4-804F-CBDA5AF84484@contoso.com">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US">Hi,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US">I
am trying to use ipsec_scepclient against a 2-tiered AD CS
with ECDSA setup but this fails with the following error
message:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US">EC
public key encryption not implemented<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US">
encrypting symmetric key failed<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US">Obviously
this tells me exactly why it isn’t working, but on the
other side we have strongswan running VPN tunnels on the
same box with ECDSA certificates from the above-mentioned CA, so
basically ECDSA modules are present and loaded.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US">So
I am asking myself if the scepclient does not utilize the
same module architecture as the charon daemon.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US">My
question is whether scepclient definitely does not support EC or
whether I can tweak my configuration in any way to add EC support
to scepclient.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US">Best
Regards<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt" lang="EN-US">Markus<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
</div>
</blockquote>
<br>
</body>
</html>