Re: [Ejbca-develop] About SCEP in EJBCA

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On 09/25/2013 04:22 PM, Bruno Bonfils wrote:
> Hello folks,
>
> I have some questions about SCEP support in EJBCA,
>
> according, modules/externalra-scep/src/org/ejbca/extra/ra/ScepRAServlet.java,
> only the following operations are supported in EJBCA SCEP :
>    - GetCACert, GetCACertChain, GetCACaps, PKIOperation (for certificate signing) are supported
>    - GetCert is NOT supported

Correct. Is not getCert a part of PKIOperation right? PKIOperation 
currently supports PKCSReq and GetCertInitial (they are the same), and 
GetCRL, but not GetCert.

> However, in modules/ejbca-scep-war/src/org/ejbca/ui/web/protocol/ScepServlet.java
> (it's the code of standalone SCEP responder, right?) there is the
> following comments:

It is the code of the internal SCEP responder, available directly 
against the CA.

>
>   * 4. branch to different actions depending on the type of the message:
>   * - PKCSReq
>   * - GetCertInitial
>   * - GetCert
>
> but I can't find code about GetCert and GetCertInitial, are they
> supported?

Correct, it is not supported, see above answer.
>
> And a last question about the Standalone SCEP responser, can I use CA
> identifier to request certificates from differents CA using a single
> SCEP server when createOrEditUser is in true mode?

The Scep RA server will get CA from "reqmsg.IssuerDN", and if that is 
not found (or matching a mapping in scep.properties) the default CA.

>
> Thanks you!
>