
Docker Containers (ephemeral client) Registration

2014-12-15
2014-12-16
  • pauldavidgilligan

    Hi,

    Testing EJBCA from SCEP clients which are Docker containers, I realized that we might need to register a user end entity, e.g. CN="gw1.fe.msm.internal", CN="gw2.fe.msm.internal", etc., that matches the CSR.

    That is a problem with cloud-based deployments that might need to:
    1. EJBCA is installed and running as default.
    2. We create a common end entity for ephemeral clients, e.g. user = fe.msm.internal, password = foo123.
    3. When each container or VM is created we generate a CSR with password = foo123.
    4. We use sscep (the simple one) to enroll with EJBCA user = fe.msm.internal, password = foo123, but the container's CN="gw1.fe.msm.internal". EJBCA thus generates CN="gw1.fe.msm.internal" and not CN="fe.msm.internal".
    5. The container is destroyed.
    6. We create the container again, CN="gw1.fe.msm.internal", and at this point we need certificate renewal.
    7. ... etc.
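In the flow above, every container shares one end entity and one challenge password, and EJBCA issues whatever CN the CSR carries, so the CA side needs a rule that ties the requested CN back to the shared end entity. The following Python check is an added example (not from this thread and not part of EJBCA or sscep): it parses the CSR subject DN and accepts only a single host label directly under fe.msm.internal, rejecting wildcards, extra CNs and look-alike suffixes. The domain and subject strings are constructed for illustration.

```python
import re

# Constructed: the shared end entity name used for the ephemeral clients.
END_ENTITY_DOMAIN = "fe.msm.internal"

# One DNS host label: letters, digits, inner hyphens, max 63 chars.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def parse_dn(dn):
    """Split an RFC 4514 style DN string into (ATTR, value) pairs.
    Handles backslash escapes and double-quoted values; hex escapes are not supported."""
    pairs, buf, attr, quoted, i = [], [], None, False, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # escaped char: keep literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == '"':                             # toggle quoted value, drop the quote
            quoted = not quoted
        elif c == "=" and attr is None and not quoted:
            attr, buf = "".join(buf).strip().upper(), []
        elif c == "," and not quoted:            # end of an RDN
            if attr is None:
                raise ValueError("RDN without '=': %r" % "".join(buf))
            pairs.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(c)
        i += 1
    if attr is None:
        raise ValueError("trailing RDN without '='")
    pairs.append((attr, "".join(buf).strip()))
    return pairs


def cn_allowed(subject_dn, end_entity_domain=END_ENTITY_DOMAIN):
    """Return (ok, reason). Accept exactly one CN that is one host label
    directly under end_entity_domain, e.g. gw1.fe.msm.internal."""
    cns = [v for a, v in parse_dn(subject_dn) if a == "CN"]
    if len(cns) != 1:
        return False, "expected exactly one CN, found %d" % len(cns)
    cn = cns[0].lower().rstrip(".")              # case-insensitive, ignore trailing dot
    suffix = "." + end_entity_domain.lower()
    if not cn.endswith(suffix):
        return False, "CN %r is outside %s" % (cn, end_entity_domain)
    label = cn[: -len(suffix)]
    if not _LABEL_RE.match(label):               # rejects '*', 'a.b', empty, bad chars
        return False, "CN %r is not a single host label under %s" % (cn, end_entity_domain)
    return True, "ok"
```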

     
  • pauldavidgilligan

    Had issues with sscep which, as said, is sensitive to the DN, so I tried jscep, which works:

    Subject: C=UK, ST=Cheshire, L=Chester, O=Moneysupermarket.com Group PLC, OU=OPS, CN=gw.fe.msm.internal

    java -jar ./jscep-cli-jdk6/target/jscepcli-1.0-SNAPSHOT-exe.jar --ca-identifier MSMCA --challenge changeit --csr-file local.csr --dn "CN=gw.fe.msm.internal" --key-file local.key --url http://ejbca.msm.internal:8080/ejbca/publicweb/apply/scep/pkiclient.exe

    just have to resolve this user account issue.

     
  • pauldavidgilligan

    Batch won't work as we have to transfer private keys. SCEP is fine; we will just have to write a process to sync EJBCA with skydns/etcd.

     

    Last edit: pauldavidgilligan 2014-12-17
