Proxy Implementation #219
Comments
Heya! It sounds like you're implementing an "RA" (registration authority) — sort of an intermediary SCEP request. This is super common in MDM implementations, I think. Regarding point 1: I think that's right — you shouldn't change a CSR (including the challenge) because it is signed by the client's key. One way to add an additional layer of security is perhaps a time-limited token in the URL preceding the SCEP url. Instead of The All of that said I'd recommend checking out https://smallstep.com/docs/step-ca/ for your SCEP needs instead of relying on this project's server code. Thanks!
Hey! Thanks for the feedback. Yes, I know about smallstep. Actually, what I'm trying to do, is to build a proxy to sit in front of it, so that I don't have to expose the CA and to be able to implement some additional logic for CSR verification with the MDM. Thanks for your help!
Hi

I started working on an SCEP to SCEP proxy implementation.
I actually just put together existing bits from the scepclient into a proxy_signer.
I don't feel confident in submitting a PR right now, since it's my very first time working with Go, but I forked your repo and worked on it here.
The proxy is working as expected, but I feel that a look from a more experienced Go dev might be worth it.

There are a couple of things that I wasn't able to do:

1. Using a separate challenge for the proxy

   That (I believe) is due to having the `ChallengePassword` written into the CSR which must be signed by the client with its own key. I don't think there's any workaround to this, but I'd be happy to find out that there is.

2. Passing over the PKIMessage.MessageType

   That would require changing the whole `scepserver` implementation by adding some kind of hook around here. The CSRSigner of course only gets the CSRReqMessage, as it is meant to handle the signing of the certificate and not other stuff.
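Both the comment above (a CSR, challenge included, is signed by the client's key) and the "separate challenge for the proxy" item come down to the same check, shown here as an added Go example that is not code from this thread or from the scep project: a proxy can verify a CSR, but any byte it rewrites inside the signed body, a challengePassword attribute included, breaks the signature. The subject name, the generated key and the replacement string are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// newDeviceCSR builds a CSR signed with a freshly generated device key.
// cn is a constructed sample; a SCEP challengePassword attribute would sit
// inside the same signed CertificationRequestInfo as this subject.
func newDeviceCSR(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// checkCSR is what an RA/proxy can do: confirm the request body is intact
// under the public key the request itself carries.
func checkCSR(der []byte) error {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return err
	}
	return csr.CheckSignature()
}

// tamperCSR simulates a proxy rewriting a field inside the signed body,
// keeping the DER length so the request still parses.
func tamperCSR(der []byte, old, repl string) ([]byte, error) {
	i := bytes.Index(der, []byte(old))
	if i < 0 || len(old) != len(repl) {
		return nil, errors.New("field not found or length changed")
	}
	out := append([]byte(nil), der...)
	copy(out[i:], repl)
	return out, nil
}

func main() {
	der, _ := newDeviceCSR("device-001")
	fmt.Println("original:", checkCSR(der)) // <nil>
	bad, _ := tamperCSR(der, "device-001", "device-999")
	fmt.Println("tampered:", checkCSR(bad)) // x509: ECDSA verification failure
}
```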