
Make it easier to include SCEP challenge password in a CSR

Open mmalone opened this issue 4 years ago • 2 comments

The SCEP protocol includes the "challenge password" (for authenticating the SCEP certificate request) in the CSR. Right now it's pretty tricky to generate a CSR that will work with SCEP. You should be able to use `step certificate create --csr` with a template, but you'd have to specify the challenge password CSR extension by OID (I don't think we have a named template parameter for it).

I uncovered this while tinkering with our SCEP integration. I ended up using OpenSSL to generate the CSR, which was unpleasant. I'm not sure how many people are trying to use step for this use case but, if there's interest, we should consider first-class support (e.g., adding a `--scep-challenge-password` to `step ca certificate` and/or `step certificate create`).

mmalone avatar Nov 17 '21 00:11 mmalone

This is a little unpleasant because you cannot do it with crypto/x509, and you need to implement it manually or use SCEP-specific packages like this one: https://github.com/micromdm/scep/blob/1be7dc2a6df32b7591ff459ba55e6d73d656fdbf/cryptoutil/x509util/x509util.go

maraino avatar Nov 17 '21 03:11 maraino
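As an added example (not code from this issue, from step, or from micromdm/scep), the following Go program shows what "implement it manually" means for the points raised above: the challengePassword attribute (PKCS#9 OID 1.2.840.113549.1.9.7) is a SEQUENCE of an OID and a SET holding the bare password string, which `pkix.AttributeTypeAndValueSET` cannot express (it nests an extra SEQUENCE), and `x509.ParseCertificateRequest` silently drops the attribute. So the CSR body is assembled with `encoding/asn1` and signed directly, while `crypto/x509` is still used on the verifying side for the signature check. ECDSA P-256 over SHA-256, the subject `example-device-1` and the password string are constructed choices for the demo, not values from the issue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
)

// OIDs used below: PKCS#9 challengePassword (RFC 2985) and ecdsa-with-SHA256 (RFC 5758).
var (
	oidChallengePassword = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 7}
	oidECDSAWithSHA256   = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 2}
)

// Attribute ::= SEQUENCE { type OID, values SET OF ANY } (RFC 2986, 4.1). The SET holds the
// password string directly; pkix.AttributeTypeAndValueSET would add a SEQUENCE around it.
type pkcs10Attribute struct {
	Type   asn1.ObjectIdentifier
	Values []string `asn1:"set"`
}

// CertificationRequestInfo (RFC 2986, 4.1); attributes are [0] IMPLICIT.
type certificationRequestInfo struct {
	Version    int
	Subject    pkix.RDNSequence
	PublicKey  asn1.RawValue
	Attributes []pkcs10Attribute `asn1:"tag:0"`
}

// CertificationRequest (RFC 2986, 4.2); Info carries the already-signed DER bytes.
type certificationRequest struct {
	Info               asn1.RawValue
	SignatureAlgorithm pkix.AlgorithmIdentifier
	Signature          asn1.BitString
}

// BuildSCEPCSR returns a DER PKCS#10 CSR carrying the SCEP challenge password as a
// challengePassword attribute, signed with ECDSA P-256 over SHA-256.
func BuildSCEPCSR(key *ecdsa.PrivateKey, subject pkix.Name, challenge string) ([]byte, error) {
	spki, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return nil, err
	}
	infoDER, err := asn1.Marshal(certificationRequestInfo{
		Subject:    subject.ToRDNSequence(),
		PublicKey:  asn1.RawValue{FullBytes: spki},
		Attributes: []pkcs10Attribute{{Type: oidChallengePassword, Values: []string{challenge}}},
	})
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(infoDER)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	return asn1.Marshal(certificationRequest{
		Info:               asn1.RawValue{FullBytes: infoDER},
		SignatureAlgorithm: pkix.AlgorithmIdentifier{Algorithm: oidECDSAWithSHA256},
		Signature:          asn1.BitString{Bytes: sig, BitLength: len(sig) * 8},
	})
}

// CSRCheck is what a SCEP server establishes before acting on a request.
type CSRCheck struct {
	CommonName, ChallengePassword string
	StdlibAttributes              int // what crypto/x509 reports; challengePassword is dropped
}

// VerifyCSR checks the signature with crypto/x509, then walks the raw attributes with
// encoding/asn1 to recover the challengePassword that crypto/x509 does not surface.
func VerifyCSR(der []byte) (CSRCheck, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return CSRCheck{}, err
	}
	if err := csr.CheckSignature(); err != nil {
		return CSRCheck{}, err
	}
	var req struct {
		Info struct {
			Version            int
			Subject, PublicKey asn1.RawValue
			RawAttributes      []asn1.RawValue `asn1:"tag:0"`
		}
		SignatureAlgorithm pkix.AlgorithmIdentifier
		Signature          asn1.BitString
	}
	if rest, err := asn1.Unmarshal(der, &req); err != nil || len(rest) != 0 {
		return CSRCheck{}, errors.New("malformed CSR")
	}
	for _, raw := range req.Info.RawAttributes {
		var attr struct {
			Type   asn1.ObjectIdentifier
			Values []asn1.RawValue `asn1:"set"`
		}
		if _, err := asn1.Unmarshal(raw.FullBytes, &attr); err != nil || !attr.Type.Equal(oidChallengePassword) {
			continue
		}
		if len(attr.Values) != 1 {
			return CSRCheck{}, errors.New("challengePassword must hold exactly one value")
		}
		var pw string // PrintableString or UTF8String both decode here
		if _, err := asn1.Unmarshal(attr.Values[0].FullBytes, &pw); err != nil {
			return CSRCheck{}, err
		}
		return CSRCheck{csr.Subject.CommonName, pw, len(csr.Attributes)}, nil
	}
	return CSRCheck{}, errors.New("no challengePassword attribute in CSR")
}

// Demo builds and verifies a CSR with constructed values (hypothetical device, not from the issue).
func Demo() (CSRCheck, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return CSRCheck{}, err
	}
	der, err := BuildSCEPCSR(key, pkix.Name{CommonName: "example-device-1"}, "constructed-challenge-secret")
	if err != nil {
		return CSRCheck{}, err
	}
	return VerifyCSR(der)
}

func main() {
	res, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("CN=%s challengePassword=%q crypto/x509-visible attributes=%d\n",
		res.CommonName, res.ChallengePassword, res.StdlibAttributes)
}
```

The `StdlibAttributes` count comes back as 0 even though the attribute is present, which is the behaviour the comment above is describing: a server that relies on `csr.Attributes` from `crypto/x509` never sees the challenge password and must parse it out itself, as `VerifyCSR` does.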

And that package doesn't support things that the standard one supports; one example is ed25519 keys, but there might be other differences.

maraino avatar Nov 17 '21 03:11 maraino