scep

PENDING response from the server

Open ripienaar opened this issue 6 years ago • 6 comments

I've been trying to figure out if there's a way to mark a certificate as PENDING from the server.

I can see the CSR verifier and can see how I could plug my own in there, but this fails the request. I can't see how to make it pending, indicating I might sign it later (or how I would do that signing, though that I can do with the openssl CLI, no biggie).

Also do you have any plans for a release soon? Some nice additions.

ripienaar avatar May 14 '18 09:05 ripienaar

@ripienaar The client actually implements PENDING. I added it there because the MS SCEP server supports manual approval. https://github.com/micromdm/scep/blob/528937a33139b55852ba3d2b8944dce7b3261404/cmd/scepclient/scepclient.go#L209-L212

As far as server side, the reason it's not implemented is because the initial purpose of the SCEP server is for macOS enrollments, with device provisioning at the loginwindow. Sending a PENDING response there would break the desired UX for the user. I wouldn't be opposed to implementing it server side. Can you explain the use-case better? Are you looking for a manual approval workflow? Would defaulting to a Pending state and adding an /approve endpoint on the server work?

groob avatar May 29 '18 21:05 groob

Yeah, I saw it in the client and went looking for the server-side equivalent feature with no luck.

I wish to do mass enrolment of 100s of thousands of nodes. Most nodes I can auto-approve based on, let's say, a pattern match of cname (any FQDN in our domain). Some, though, are users and not machines, and those I need to hand approve.

So I imagine something that I can run, like the verifier, that returns 0 for APPROVE, 1 for PENDING and 2 for REJECT is an easy way, and if it's a nice interface then for my use case I can implement a Go class to do this while using your server code as a library. Perhaps even extend the current verifier in this way?

The /approve endpoint is also a good idea, though obviously it would require auth. I think it's key that there is a hook to programmatically decide if an incoming request is auto-approved or not.

ripienaar avatar May 30 '18 02:05 ripienaar
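As an added example, not part of this thread and not code from the micromdm/scep project, here is a Go sketch of the approve/pending/reject hook described in the two comments above: a CSR policy that auto-approves machine CSRs whose names all fall under a trusted domain suffix, holds anything else (such as a user CN) for manual approval, and rejects CSRs that fail proof of possession or carry no name. It also maps each decision to the SCEP pkiStatus value the client would receive (SUCCESS=0, FAILURE=2, PENDING=3 per RFC 8894). The `Policy` interface, the `DomainPolicy` type, the `.example.net` suffix and the sample names are all assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// Decision is the outcome of the enrollment policy hook. The integer values
// match the exit codes proposed in the thread (0 approve, 1 pending, 2 reject).
type Decision int

const (
	Approve Decision = iota // issue the certificate now
	Pending                 // hold the request for a human to approve later
	Reject                  // fail the request
)

func (d Decision) String() string {
	return [...]string{"APPROVE", "PENDING", "REJECT"}[d]
}

// PKIStatus maps a Decision to the SCEP pkiStatus attribute value
// (RFC 8894 section 3.2.1.3): SUCCESS=0, FAILURE=2, PENDING=3.
func (d Decision) PKIStatus() int {
	switch d {
	case Approve:
		return 0
	case Pending:
		return 3
	default:
		return 2
	}
}

// Policy is the hypothetical hook a SCEP server would call per CSR.
type Policy interface {
	Decide(csr *x509.CertificateRequest) Decision
}

// DomainPolicy auto-approves when the Subject CN and every DNS SAN fall under
// one of the trusted suffixes; anything else is queued for manual review.
type DomainPolicy struct {
	Suffixes []string // assumption: machine names are FQDNs, e.g. ".example.net"
}

func (p DomainPolicy) Decide(csr *x509.CertificateRequest) Decision {
	// Proof of possession: the CSR must verify under the public key it carries.
	if err := csr.CheckSignature(); err != nil {
		return Reject
	}
	var names []string
	if csr.Subject.CommonName != "" {
		names = append(names, csr.Subject.CommonName)
	}
	names = append(names, csr.DNSNames...)
	if len(names) == 0 {
		return Reject // nothing to bind the certificate to
	}
	for _, n := range names {
		if !p.trusted(n) {
			return Pending // e.g. a user CN such as "alice": a human decides
		}
	}
	return Approve
}

// trusted reports whether name is strictly below one of the suffixes.
// Wildcards are never auto-approved.
func (p DomainPolicy) trusted(name string) bool {
	n := strings.ToLower(strings.TrimSuffix(name, "."))
	if strings.Contains(n, "*") {
		return false
	}
	for _, s := range p.Suffixes {
		s = strings.ToLower(s)
		if len(n) > len(s) && strings.HasSuffix(n, s) {
			return true
		}
	}
	return false
}

// NewCSR builds a self-signed CSR with a fresh P-256 key (test input only).
func NewCSR(cn string, dns []string) (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: dns}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

func main() {
	var policy Policy = DomainPolicy{Suffixes: []string{".example.net"}}
	cases := []struct {
		cn  string
		dns []string
	}{
		{"host1.example.net", []string{"host1.example.net"}}, // machine: approve
		{"alice", nil},                                       // user: pending
		{"", nil},                                            // nameless: reject
	}
	for _, c := range cases {
		csr, err := NewCSR(c.cn, c.dns)
		if err != nil {
			panic(err)
		}
		d := policy.Decide(csr)
		fmt.Printf("CN=%q SAN=%v -> %s (exit %d, pkiStatus %d)\n", c.cn, c.dns, d, int(d), d.PKIStatus())
	}
}
```

A real server would persist Pending requests keyed by the CSR's transaction ID so that a later authenticated /approve call can issue the certificate and the client's next poll gets SUCCESS instead of PENDING; that storage and the endpoint's authentication are out of scope for this sketch.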

@ripienaar is this still interesting to you? Sorry the issue has been idle for so long. I'm looking at a batch of things I can pick up to improve over the holidays.

groob avatar Dec 14 '18 16:12 groob

@groob in theory - but I have another solution, so like I have not been holding my breath :P

ripienaar avatar Dec 14 '18 16:12 ripienaar

@groob if you still plan on having a look at it, I'm interested as well in a PENDING response from the server.

ghost avatar Jan 11 '19 10:01 ghost

We would be interested in this too. We're interested in a downstream project, called step-ca. I've put an issue about manual approvals there too.

abotelho-cbn avatar Nov 09 '22 15:11 abotelho-cbn