[strongSwan] scepclient and EC pubkey support

Markus P. Beckhaus markus at beckhaus.com
Fri Jun 15 11:03:06 CEST 2018

Hi Christian,

interesting tool, but how could it help with an automated mass certificate (self) deployment to x-thousand devices?

Best Regards


From: Christian Salway <christian.salway at naimuri.com>
Date: Thursday, 14 June 2018 at 20:07
To: "Markus P. Beckhaus" <markus at beckhaus.com>
Cc: "users at lists.strongswan.org" <users at lists.strongswan.org>
Subject: Re: [strongSwan] scepclient and EC pubkey support

What about Vault [1]?

[1] https://www.vaultproject.io/

On 14 Jun 2018, at 16:31, Markus P. Beckhaus <markus at beckhaus.com> wrote:

Tobias, Jason,

thanks for your fast reply and precise explanation. Unfortunately, AD CS does not provide CMP or EST and given that SCEP originally only supported RSA I doubt that the AD CS NDES (SCEP) supports ECDSA anyway.

We will have to look for a different way to mass deploy (and renew) certificates, maybe the AD CS Certificate Enrollment Webservices.

Best Regards


On 13.06.18, 17:03, "Users on behalf of Tobias Brunner" <users-bounces at lists.strongswan.org on behalf of tobias at strongswan.org> wrote:


The SCEP protocol doesn't support elliptic curve algorithms — It's RSA-only.

   Just for reference, SCEP, as defined in the latest version of the draft,
   doesn't seem to have that limitation anymore [1].  (strongSwan's scepclient
   is, of course, based on version 11 of the old draft, so...)

   [1] https://tools.ietf.org/html/draft-gutmann-scep-10#section-3.1
