[strongSwan] scepclient and EC pubkey support

Jason Burrell jburrell at forcepoint.com
Wed Jun 13 16:48:02 CEST 2018


The SCEP protocol doesn't support elliptic curve algorithms; it's RSA-only.

From an enrollment-protocol perspective, you'll need to look at
something like CMP or EST for ECDSA support. Since EST has a similar 
scope to SCEP, whereas CMP tries to solve many more CA-related problems, 
it's usually the step up from SCEP when you need ECDSA.

-Jason Burrell

On 06/13/2018 04:49 AM, Markus P. Beckhaus wrote:
>
> Hi,
>
> I am trying to use ipsec_scepclient against a 2-tiered AD CS with 
> ECDSA setup but this fails with the following error message:
>
> EC public key encryption not implemented
>
> encrypting symmetric key failed
>
> Obviously this tells me exactly why it isn’t working, but on the other 
> side we have strongswan running VPN tunnels on the same box with ECDSA 
> certificates from the above-mentioned CA, so basically ECDSA modules are 
> present and loaded.
>
> So I am asking myself if the scepclient does not utilize the same 
> module architecture as the charon daemon.
>
> My question is, if scepclient definitely does not support EC or if I 
> can tweak my configuration in any way to add EC support to scepclient.
>
> Best Regards
>
> Markus
>
