Re: [OpenCA-Devel] SCEP news

[Michael B. <mic...@rz...>]

Ives Steglich wrote:
> Hi there,
> 
> i have got the code basicaly working so far:
> - with an Cisco VPN 3000 client you can request an
>   certificate (start enrollment process)
> - will get a pending answer
> 
> at the moment still manually:
>  - insert the extracted pkcs10 request into the pki-system
>    through webinterinterface
>  - go through
>  - manually generate the answer (means set some parameters)
> 
> - client can fetch it
> 
> ==> todo: 
> 
> - automatically insert the extracted pkcs10 req
>   into the pki-structure (for example an ra, so an operator
>   can handle it, as usal)

Here I can help a little bit because this sounds like a "normal" OpenCA 
problem. Here is a small example (without errorchecking from 
cmds/pkcs10_req):

         my ( $tmp, $req );

         $tmp = "-----BEGIN HEADER-----\n";
         $tmp .= "TYPE = PKCS#10\n";
         my $req_elements = libDBGetLastItem 
("REQUEST")->getSerial("REQUEST");
         $req_elements >>= getRequired ("ModuleShift");
         if ((not defined $req_elements) or ($req_elements < 0)) {
                 return error to SCEP client;
         } else {
                 $req_elements++;
         }
         my $new_serial = ($req_elements << getRequired ("ModuleShift")) 
| getRequired ("ModuleID");
         $tmp .= "SERIAL = $new_serial\n";
         $tmp .= "NOTBEFORE = " . $tools->getDate() . "\n";
         $tmp .= "-----END HEADER-----\n";
         $tmp .= $scep_pkcs10_request_in_pem_format;

         if( not $req = new OpenCA::REQ( SHELL=>$cryptoShell, 
DATA=>$tmp) ) {
                 return error to SCEP client;
         }

         if( not $db->storeItem( DATATYPE=>"PENDING_REQUEST",
                                 OBJECT=>$req,
                                 INFORM=>"PEM", MODE=>"INSERT" )) {
                 return error to SCEP client;
         };

> - automaticaly generate the reply message for the right pending
>   request... 

Here I need some additional infos to understand what's the problem.

> - handle cisco-network-equipment correct (pix and co)
>   not working right now... especally the openssl-config for those
>   request... 

Do you mean the configuration of the extensions?

> ps: Michael: what about massimiliano - he is quite silent recently ;o)

I know but I don't know why.

Greeting Michael
-- 
-------------------------------------------------------------------
Michael Bell                   Email: mic...@cm...
ZE Computer- und Medienservice            Tel.: +49 (0)30-2093 2482
(Computing Centre)                        Fax:  +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin                   Email (private): mic...@we...
Germany                                       http://www.openca.org