Does step-ca support SCEP manual mode?
Hello!
- Vote on this issue by adding a 👍 reaction
- If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)
Issue details
Does step-ca support SCEP manual mode?
According to the SCEP RFC (https://www.rfc-editor.org/rfc/rfc8894), section 2.4 (https://www.rfc-editor.org/rfc/rfc8894#name-enrolment-authorisation) SCEP servers can optionally put SCEP clients in a pending mode:
To perform the authorisation in manual mode, the client's request is placed in the PENDING state until the CA operator authorises or rejects it. Manual authorisation is used when the client has only a self-signed certificate that hasn't been previously authenticated by the CA and/or a challengePassword is not available. The SCEP CA MAY either reject unauthorised requests or mark them for manual authorisation according to CA policy.
Why is this needed?
We're looking at a few options for CA servers, and some of them have implemented this functionality. Notable CA servers that support this are Dogtag PKI and EJBCA Enterprise. It helps in situations where you have some trust, but not perfect trust in the end device's environment, and validation of the requests by a human is required. For example, a remote SysAdmin approving requests from a remote location. As per RFC 8894, a challenge password (as step-ca seems to use at the moment) can be paired with pending/manual mode.
Edit 1
I'm not super familiar with Golang generally, but after doing some digging I can see that SCEP in step-ca uses the scep Go package, which appears to support the PENDING status message. I hope this means it should be possible to add manual mode to step-ca.
Hi @abotelho-cbn: at the moment our SCEP implementation doesn't support manual approval. We offer a fairly basic SCEP integration at this time, primarily geared towards automated enrollment, as step-ca has targeted the automated use cases more so than manual certificate issuance. We do offer a form of manual approval in our hosted offering, but that's not (yet) fully integrated with our SCEP integration; it can be used with other provisioners, though.
You're right about the library we use; it has support for the PENDING state, so technically it is possible to implement. There's more to it, though, as it would require the certificate requests to be stored intermittently. A mechanism to make an administrator act on the request also needs to be added.
Your explanation on why manual approval with SCEP makes it a more trustworthy enrollment absolutely makes sense to me. Lately we have had some more discussions with people that need SCEP. Most of these discussions are concluded with the fact that we need some extensions/improvements to our current integration. Your feature request seems to fit well with the other things already discussed. Would you be open to talking about what you need and why you need it with one of my colleagues?
One final question: does your use case and/or environment require certificate issuance via SCEP, or would a different method/protocol also be an option to you?
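The reply above points out the two pieces a manual mode needs beyond the library's PENDING support: somewhere to store the request while it waits, and an operator action that decides it. The following Go program is an added illustration of that CA-side state machine (it is not step-ca code and does not use the scep package's API): an in-memory queue stands in for the CA database, the CSR is an opaque byte slice, the signing routine is injected, and the pkiStatus numbers come from RFC 8894 section 3.2.1.3. Using badRequest as the failInfo for an operator rejection is an assumption of this example, since the RFC defines no dedicated value for it.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// PKIStatus carries the SCEP pkiStatus values from RFC 8894, section 3.2.1.3.
type PKIStatus int

const (
	StatusSuccess PKIStatus = 0
	StatusFailure PKIStatus = 2
	StatusPending PKIStatus = 3
)

func (s PKIStatus) String() string {
	switch s {
	case StatusSuccess:
		return "SUCCESS"
	case StatusFailure:
		return "FAILURE"
	case StatusPending:
		return "PENDING"
	}
	return fmt.Sprintf("unknown(%d)", int(s))
}

// request is the record the CA must persist until the operator has decided.
// The CSR and certificate are opaque here; a real CA would hold the
// DER-encoded PKCS#10 request and the issued X.509 certificate.
type request struct {
	csr      []byte
	status   PKIStatus
	cert     []byte
	failInfo string
}

// ManualApprovalQueue is a hypothetical in-memory stand-in for the CA database.
type ManualApprovalQueue struct {
	mu   sync.Mutex
	reqs map[string]*request
}

func NewManualApprovalQueue() *ManualApprovalQueue {
	return &ManualApprovalQueue{reqs: make(map[string]*request)}
}

// Enroll models a PKCSReq under manual authorisation: the CSR is queued under
// its transaction ID and the client is answered PENDING. A repeated PKCSReq for
// a known transaction ID reports the current state rather than re-queuing, so a
// retrying client cannot reset a decision the operator has already made.
func (q *ManualApprovalQueue) Enroll(transactionID string, csr []byte) PKIStatus {
	q.mu.Lock()
	defer q.mu.Unlock()
	if r, ok := q.reqs[transactionID]; ok {
		return r.status
	}
	q.reqs[transactionID] = &request{csr: csr, status: StatusPending}
	return StatusPending
}

// Poll models GetCertInitial: the client retries with the same transaction ID
// until the status leaves PENDING. SUCCESS returns the certificate; FAILURE
// returns the failInfo as an error; an unknown ID is reported as FAILURE.
func (q *ManualApprovalQueue) Poll(transactionID string) (PKIStatus, []byte, error) {
	q.mu.Lock()
	defer q.mu.Unlock()
	r, ok := q.reqs[transactionID]
	if !ok {
		return StatusFailure, nil, errors.New("unknown transaction ID")
	}
	switch r.status {
	case StatusSuccess:
		return StatusSuccess, r.cert, nil
	case StatusFailure:
		return StatusFailure, nil, fmt.Errorf("request rejected: %s", r.failInfo)
	}
	return StatusPending, nil, nil
}

// decide is shared by the operator actions: only a PENDING request may change.
func (q *ManualApprovalQueue) decide(transactionID string, apply func(*request) error) error {
	q.mu.Lock()
	defer q.mu.Unlock()
	r, ok := q.reqs[transactionID]
	if !ok {
		return errors.New("unknown transaction ID")
	}
	if r.status != StatusPending {
		return fmt.Errorf("request already decided: %s", r.status)
	}
	return apply(r)
}

// Approve is the operator action; issue is the CA's signing routine, injected
// so this example depends on no particular CA library.
func (q *ManualApprovalQueue) Approve(transactionID string, issue func([]byte) ([]byte, error)) error {
	return q.decide(transactionID, func(r *request) error {
		cert, err := issue(r.csr)
		if err != nil {
			return err
		}
		r.cert, r.status = cert, StatusSuccess
		return nil
	})
}

// Reject marks the request FAILURE with badRequest as failInfo (assumption, see lead-in).
func (q *ManualApprovalQueue) Reject(transactionID string) error {
	return q.decide(transactionID, func(r *request) error {
		r.status, r.failInfo = StatusFailure, "badRequest"
		return nil
	})
}

func main() {
	q := NewManualApprovalQueue()
	csr := []byte("constructed-csr-bytes") // placeholder, not a real PKCS#10
	fmt.Println("enroll:", q.Enroll("tx-1", csr))
	st, _, _ := q.Poll("tx-1")
	fmt.Println("poll before decision:", st)
	_ = q.Approve("tx-1", func(c []byte) ([]byte, error) { return append([]byte("signed:"), c...), nil })
	st, cert, _ := q.Poll("tx-1")
	fmt.Println("poll after approval:", st, string(cert))
}
```

The point of the shape is that every client-facing call is idempotent with respect to the transaction ID: the client can keep polling, and a resent PKCSReq cannot re-open a request that was already approved or rejected. In a real deployment the queue would live in the CA's database and the Approve/Reject calls would sit behind an authenticated admin interface, which is the "mechanism to make an administrator act on the request" the reply mentions.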
SCEP is a hard requirement in fact. We have equipment that uses the G2S standard (https://www.gamingstandards.com/en/standards/g2s-game-system) which requires SCEP for interoperability reasons.
I'd be open to further discussion!
@abotelho-cbn are you on our Discord by any chance? I would like to send you an invite to set up a meet.
Just joined! abotelhocbn#6332