John Lockwood - 2013-12-17

I would like to use EJBCA via SCEP for Mac clients configured via Apple's Profile Manager. It is possible to use Profile Manager to define a (third party) SCEP server which can then be used to get client certificates for use with WiFi 802.1x or a VPN client.

On the face of it, this should be a typical and easy thing to do. Unfortunately it seems that during this process the Mac client uses a format of URL that EJBCA is not happy with. The URL would look like

http://server.example.com/ejbca/publicweb/scep/pkiclient.exe?operation=GetCACaps

This is rejected with an error 400 because it does not have a message parameter. The following would in theory work (it does in a web-browser)

http://server.example.com/ejbca/publicweb/scep/pkiclient.exe?operation=GetCACaps&message=1

It is not possible, as far as I can see, to configure Profile Manager and the Mac clients to use the latter format. As an aside, Apple's own built-in SCEP server does not require a message parameter and if one is included (again when testing in a web-browser) it ignores it.

Since as far as I can see the message parameter in this case is totally irrelevant to the command, would it be possible for EJBCA to be modified to not require it?

We are currently running EJBCA 4.0.16 under Ubuntu 12.0.4
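
Added example, not part of the original post and not EJBCA code: a small probe that requests both GetCACaps URL forms from the post and records the HTTP status of each. So that it runs offline, it is pointed at a constructed local stub (`StrictStub`, a hypothetical stand-in) that mimics the behaviour the post describes; the capability list the stub returns is also constructed.

```python
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SCEP_PATH = "/ejbca/publicweb/scep/pkiclient.exe"  # path taken from the post

class StrictStub(BaseHTTPRequestHandler):
    """Constructed stand-in: answers 400 unless both parameters are present."""
    def do_GET(self):
        query = urllib.parse.parse_qs(urllib.parse.urlsplit(self.path).query)
        if "operation" not in query or "message" not in query:
            self.send_error(400, "missing parameter")
            return
        body = b"POSTPKIOperation\nSHA-1\n"  # constructed capability list
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # suppress per-request logging
        pass

def probe(base_url):
    """Return {query string: HTTP status} for both GetCACaps URL forms."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    results = {}
    for qs in ("operation=GetCACaps", "operation=GetCACaps&message=1"):
        try:
            with opener.open(f"{base_url}?{qs}", timeout=5) as resp:
                results[qs] = resp.status
        except urllib.error.HTTPError as err:
            results[qs] = err.code
    return results

def run_against_stub():
    """Start the stub on a free local port, probe it, then shut it down."""
    server = HTTPServer(("127.0.0.1", 0), StrictStub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe(f"http://127.0.0.1:{server.server_port}{SCEP_PATH}")
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for qs, status in run_against_stub().items():
        print(status, qs)
```

Calling `probe()` with the base URL of a real SCEP endpoint instead of the stub shows which of the two forms that server accepts.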