[strongSwan] scepclient and EC pubkey support

Christian Salway christian.salway at naimuri.com
Fri Jun 15 11:10:33 CEST 2018


Hi Markus,

If it can be scripted to create certs, you can write a script to create a cert and then mass mail.  It depends on where the CSR/KEY are created - on the client or in the script and then encrypted into a P12.

You could do something like this:
---------

# Per-device EC (P-384) key and CSR; the -subj string needs a leading slash
openssl req -new -newkey ec:<(openssl ecparam -name secp384r1) -nodes -subj "/C=GB/CN=${cn}" -keyout private/${cn}.key -out requests/${cn}.csr

# Sign the CSR with the CA (shell variable names cannot contain "-": ${ca-pswd} would expand to $ca or the literal "pswd")
openssl x509 -req -in requests/${cn}.csr -out certs/${cn}.crt -days 395 \
-CAkey private/ca.key -CA ca.crt -CAcreateserial \
-passin pass:"${ca_pswd}" \
-extfile <(cat <<EOF
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
extendedKeyUsage = clientAuth
subjectAltName = DNS:${cn}
EOF
)

# Bundle cert, key and CA cert into a password-protected PKCS#12 for the device
openssl pkcs12 -export -certfile ca.crt -in certs/${cn}.crt -inkey private/${cn}.key -out p12/${cn}.p12 -passout pass:"${p12_pswd}"


Email out

---------

> On 15 Jun 2018, at 10:03, Markus P. Beckhaus <markus at beckhaus.com> wrote:
> 
> Hi Christian,
> 
> interesting tool, but how could it help for an automated mass certificate (self) deployment to x-thousand devices.
> 
> Best Regards
> 
> Markus
> 
> From: Christian Salway <christian.salway at naimuri.com>
> Date: Thursday, 14 June 2018 at 20:07
> To: "Markus P. Beckhaus" <markus at beckhaus.com>
> Cc: "users at lists.strongswan.org" <users at lists.strongswan.org>
> Subject: Re: [strongSwan] scepclient and EC pubkey support
> 
> What about Vault [1]?
> 
> [1] https://www.vaultproject.io/
> 
> On 14 Jun 2018, at 16:31, Markus P. Beckhaus <markus at beckhaus.com> wrote:
> 
> Tobias, Jason,
> 
> thanks for your fast reply and precise explanation. Unfortunately, AD CS does not provide CMP or EST and given that SCEP originally only supported RSA I doubt that the AD CS NDES (SCEP) supports ECDSA anyway.
> 
> We will have to look for a different way to mass deploy (and renew) certificates, maybe the AD CS Certificate Enrollment Webservices.
> 
> Best Regards
> 
> Markus
> 
> On 13.06.18, 17:03, "Users on behalf of Tobias Brunner" <users-bounces at lists.strongswan.org on behalf of tobias at strongswan.org> wrote:
> 
>    Hi,
> 
>    > The SCEP protocol doesn't support elliptic curve algorithms — It's RSA-only.
> 
>    Just for reference, SCEP, as defined in the latest version of the draft,
>    doesn't seem to have that limitation anymore [1].  (strongSwan's scepclient
>    is, of course, based on version 11 of the old draft, so...)
> 
>    Regards,
>    Tobias
> 
>    [1] https://tools.ietf.org/html/draft-gutmann-scep-10#section-3.1
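The scripted issuance sketched in the message above, carried through to the "x-thousand devices" case as an added example that is not part of this thread: it loops over a file of device CNs, issues a P-384 client cert and a PKCS#12 per device, and verifies each bundle (chain, EC key, P12 password) before it would be mailed. It assumes POSIX sh and the openssl CLI; the function names, the generated throwaway CA and the one-CN-per-line device list are this example's own.

```shell
#!/bin/sh
# Added example (not from the post): mass-issue P-384 client certs for a file of device
# CNs, verify each one, and record the per-device P12 password. Function names are ours.
set -eu

make_test_ca() {  # make_test_ca <ca_dir>: throwaway CA so the script runs stand-alone
  mkdir -p "$1"
  printf '%s\n' "basicConstraints = critical,CA:true" \
    "keyUsage = critical,keyCertSign,cRLSign" "subjectKeyIdentifier = hash" > "$1/ca.ext"
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -nodes \
    -subj "/C=GB/CN=Test Device CA" -keyout "$1/ca.key" -out "$1/ca.csr" 2>/dev/null
  openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -days 30 \
    -extfile "$1/ca.ext" -out "$1/ca.crt" 2>/dev/null
}

issue_device_cert() {  # issue_device_cert <ca_dir> <out_dir> <cn> <p12_pswd>
  mkdir -p "$2/private" "$2/requests" "$2/certs" "$2/p12"
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -nodes \
    -subj "/C=GB/CN=$3" -keyout "$2/private/$3.key" -out "$2/requests/$3.csr" 2>/dev/null
  printf '%s\n' "basicConstraints = CA:false" "subjectKeyIdentifier = hash" \
    "authorityKeyIdentifier = keyid,issuer" "extendedKeyUsage = clientAuth" \
    "subjectAltName = DNS:$3" > "$2/requests/$3.ext"
  # one serial file, issued sequentially: -CAcreateserial races if run in parallel
  openssl x509 -req -in "$2/requests/$3.csr" -out "$2/certs/$3.crt" -days 395 \
    -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial -CAserial "$1/ca.srl" \
    -extfile "$2/requests/$3.ext" 2>/dev/null
  openssl pkcs12 -export -certfile "$1/ca.crt" -in "$2/certs/$3.crt" \
    -inkey "$2/private/$3.key" -out "$2/p12/$3.p12" -passout "pass:$4" 2>/dev/null
}

verify_device_cert() {  # verify_device_cert <ca_dir> <out_dir> <cn> <p12_pswd>; 0 = ok
  openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$2/certs/$3.crt" >/dev/null 2>&1 || return 1
  # the thread's point: the issued key must really be EC, not RSA
  openssl x509 -in "$2/certs/$3.crt" -noout -text | grep -q 'id-ecPublicKey' || return 1
  # the bundle must open with the device's password (MAC check) before it is mailed
  openssl pkcs12 -in "$2/p12/$3.p12" -passin "pass:$4" -noout 2>/dev/null
}

issue_all() {  # issue_all <ca_dir> <out_dir> <device_list>: prints the number issued
  n=0
  while IFS= read -r cn; do
    [ -n "$cn" ] || continue
    pswd=$(openssl rand -hex 12)   # unique P12 password per device, sent out-of-band
    issue_device_cert "$1" "$2" "$cn" "$pswd"
    verify_device_cert "$1" "$2" "$cn" "$pswd" || { echo "FAILED: $cn" >&2; return 1; }
    printf '%s %s\n' "$cn" "$pswd" >> "$2/p12-passwords.txt"
    n=$((n + 1))
  done < "$3"
  echo "$n"
}
```

Point make_test_ca's output at your real CA directory (ca.crt, ca.key, and a -passin if the key is encrypted) to use it for real; the password file is the one thing that must travel to each device over a channel other than the e-mail carrying the P12.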