<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi Markus,<div class=""><br class=""></div><div class="">If it can be scripted to create certs, you can write a script to create a cert and then mass mail. It depends on where the CSR/KEY are created - on the client or in the script and then encrypted into a P12.</div><div class=""><br class=""></div><div class="">You could do something like this:</div><div class="">---------</div><div class=""><br class=""></div><div class=""><div class=""># 1. Generate a P-384 EC key and a CSR for this client (CN taken from ${cn})</div><div class="">openssl req -new -newkey ec:<(openssl ecparam -name secp384r1) -nodes -subj "/C=GB/CN=${cn}" -keyout private/${cn}.key -out requests/${cn}.csr</div><div class=""><br class=""></div><div class=""><div class=""># 2. Sign the CSR with the CA key; the extensions mark it as a client-auth end-entity cert</div><div class="">openssl x509 -req -in requests/${cn}.csr -out certs/${cn}.crt -days 395 \</div><div class="">-CAkey private/ca.key -CA ca.crt -CAcreateserial \</div><div class="">-passin pass:"${ca_pswd}" \</div><div class="">-extfile <(cat <<EOF</div><div class="">basicConstraints = CA:false</div><div class="">subjectKeyIdentifier = hash</div><div class="">authorityKeyIdentifier = keyid,issuer</div><div class="">extendedKeyUsage = clientAuth</div><div class="">subjectAltName = DNS:${cn}</div><div class="">EOF</div><div class="">)</div></div><div class=""><br class=""></div><div class=""><div class=""># 3. Bundle key, cert and CA cert into a password-protected PKCS#12 for delivery</div><div class="">openssl pkcs12 -export -certfile ca.crt -in certs/${cn}.crt -inkey private/${cn}.key -out p12/${cn}.p12 -passout pass:"${p12_pswd}"</div></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">Email out</div><div class=""><br class=""></div><div class="">---------</div><div><br class=""><blockquote type="cite" class=""><div class="">On 15 Jun 2018, at 10:03, Markus P. 
Beckhaus <<a href="mailto:markus@beckhaus.com" class="">markus@beckhaus.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="WordSection1" style="page: WordSection1; caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span lang="EN-US" class="">Hi Christian,<o:p class=""></o:p></span></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span lang="EN-US" class=""><o:p class=""> </o:p></span></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span lang="EN-US" class="">interesting tool, but how could it help for an automated mass certificate (self) deployment to x-thousand devices.<o:p class=""></o:p></span></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span lang="EN-US" class=""><o:p class=""> </o:p></span></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span lang="EN-US" class="">Best Regards<o:p class=""></o:p></span></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span lang="EN-US" class=""><o:p class=""> </o:p></span></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span lang="EN-US" class="">Markus<o:p class=""></o:p></span></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><span lang="EN-US" class=""><o:p class=""> </o:p></span></div><div style="border-style: solid none none; 
border-top-width: 1pt; border-top-color: rgb(181, 196, 223); padding: 3pt 0cm 0cm;" class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><b class=""><span style="font-size: 12pt;" class="">From:<span class="Apple-converted-space"> </span></span></b><span style="font-size: 12pt;" class="">Christian Salway <<a href="mailto:christian.salway@naimuri.com" style="color: purple; text-decoration: underline;" class="">christian.salway@naimuri.com</a>><br class=""><b class="">Date:<span class="Apple-converted-space"> </span></b>Thursday, 14 June 2018 at 20:07<br class=""><b class="">To:<span class="Apple-converted-space"> </span></b>"Markus P. Beckhaus" <<a href="mailto:markus@beckhaus.com" style="color: purple; text-decoration: underline;" class="">markus@beckhaus.com</a>><br class=""><b class="">Cc:<span class="Apple-converted-space"> </span></b>"<a href="mailto:users@lists.strongswan.org" style="color: purple; text-decoration: underline;" class="">users@lists.strongswan.org</a>" <<a href="mailto:users@lists.strongswan.org" style="color: purple; text-decoration: underline;" class="">users@lists.strongswan.org</a>><br class=""><b class="">Subject:<span class="Apple-converted-space"> </span></b>Re: [strongSwan] scepclient and EC pubkey support<o:p class=""></o:p></span></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">What about Vault [1]?<span class="Apple-converted-space"> </span><o:p class=""></o:p></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">[1] <a href="https://www.vaultproject.io/" 
style="color: purple; text-decoration: underline;" class="">https://www.vaultproject.io/</a><o:p class=""></o:p></div></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><br class=""><br class=""><o:p class=""></o:p></div><blockquote style="margin-top: 5pt; margin-bottom: 5pt;" class=""><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">On 14 Jun 2018, at 16:31, Markus P. Beckhaus <<a href="mailto:markus@beckhaus.com" style="color: purple; text-decoration: underline;" class="">markus@beckhaus.com</a>> wrote:<o:p class=""></o:p></div></div><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class=""><o:p class=""> </o:p></div><div class=""><div class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">Tobias, Jason,<br class=""><br class=""><br class=""><br class="">thanks for your fast reply and precise explanation. 
Unfortunately, AD CS does not provide CMP or EST and given that SCEP originally only supported RSA I doubt that the AD CS NDES (SCEP) supports ECDSA anyway.<br class=""><br class=""><br class=""><br class="">We will have to look for a different way to mass deploy (and renew) certificates, maybe the AD CS Certificate Enrollment Webservices.<br class=""><br class=""><br class=""><br class="">Best Regards<br class=""><br class=""><br class=""><br class="">Markus<span class="Apple-converted-space"> </span><br class=""><br class=""><br class=""><br class=""><br class=""><br class="">On 13.06.18, 17:03, "Users on behalf of Tobias Brunner" <<a href="mailto:users-bounces@lists.strongswan.org" style="color: purple; text-decoration: underline;" class="">users-bounces@lists.strongswan.org</a><span class="Apple-converted-space"> </span>on behalf of <a href="mailto:tobias@strongswan.org" style="color: purple; text-decoration: underline;" class="">tobias@strongswan.org</a>> wrote:<br class=""><br class=""><br class=""><br class=""> Hi,<br class=""><br class=""><br class=""><br class=""><br class=""><o:p class=""></o:p></div><blockquote style="margin-top: 5pt; margin-bottom: 5pt;" class=""><div style="margin: 0cm 0cm 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">The SCEP protocol doesn't support elliptic curve algorithms — It's RSA-only.<o:p class=""></o:p></div></blockquote><p class="MsoNormal" style="margin: 0cm 0cm 12pt; font-size: 11pt; font-family: Calibri, sans-serif;"><br class=""><br class=""><br class=""> Just for reference, SCEP, as defined in the latest version of the draft,<br class=""><br class=""> doesn't seem to have that limitation anymore [1]. 
(strongSwan's scepclient<br class=""><br class=""> is, of course, based on version 11 of the old draft, so...)<br class=""><br class=""><br class=""><br class=""> Regards,<br class=""><br class=""> Tobias<br class=""><br class=""><br class=""><br class=""> [1]<span class="Apple-converted-space"> </span><a href="https://tools.ietf.org/html/draft-gutmann-scep-10#section-3.1" style="color: purple; text-decoration: underline;" class="">https://tools.ietf.org/html/draft-gutmann-scep-10#section-3.1</a></p></div></div></blockquote></div></div></div></div></blockquote></div><br class=""></div></body></html>