[strongSwan] scepclient and EC pubkey support

Markus P. Beckhaus markus at beckhaus.com
Thu Jun 14 17:31:13 CEST 2018

Tobias, Jason,

thanks for your fast reply and precise explanation. Unfortunately, AD CS does not provide CMP or EST and given that SCEP originally only supported RSA I doubt that the AD CS NDES (SCEP) supports ECDSA anyway.

We will have to look for a different way to mass deploy (and renew) certificates, maybe the AD CS Certificate Enrollment Webservices.

Best Regards


On 13.06.18, 17:03, "Users on behalf of Tobias Brunner" <users-bounces at lists.strongswan.org on behalf of tobias at strongswan.org> wrote:

    > The SCEP protocol doesn't support elliptic curve algorithms — It's RSA-only.

    Just for reference, SCEP, as defined in the latest version of the draft,
    doesn't seem to have that limitation anymore [1].  (strongSwan's scepclient
    is, of course, based on version 11 of the old draft, so...)

    [1] https://tools.ietf.org/html/draft-gutmann-scep-10#section-3.1

