Notes on SCEP implementation in Certificate Manager
End-Entity Uniqueness
According to the SCEP specification, there must be only one pair of keys for a given subject name and key usage combination at any one time. Therefore, if an entity needs to enroll a second time, the old certificates must be revoked.
The end-entity certificates are identified by their UniqueID, which is defined as:
UniqueID: <fqdn>[,[<ipaddress>][,<serialnumber>]]
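As an added example (not Certificate Manager's own code), the Python below parses the UniqueID grammar just given, including the form with an empty ipaddress field, and models the uniqueness rule from the previous section: a re-enrollment for the same UniqueID and key usage revokes the certificate it replaces. The FQDN label syntax, the key-usage names and the certificate serials are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Grammar from the notes: <fqdn>[,[<ipaddress>][,<serialnumber>]]
# The ipaddress field may be empty ("host,,serial"), so split on commas
# instead of matching the optional groups with one regex.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")  # assumed label syntax

@dataclass(frozen=True)  # frozen -> hashable, so a UniqueID can key the registry
class UniqueID:
    fqdn: str
    ipaddress: Optional[str] = None
    serialnumber: Optional[str] = None

def parse_unique_id(text: str) -> UniqueID:
    """Parse a UniqueID string; raise ValueError for anything outside the grammar."""
    parts = text.split(",")
    if len(parts) > 3:
        raise ValueError("too many fields in UniqueID: %r" % text)
    fqdn = parts[0]
    if not fqdn or not all(_LABEL.match(lbl) for lbl in fqdn.split(".")):
        raise ValueError("invalid fqdn: %r" % fqdn)
    ip = parts[1] if len(parts) > 1 and parts[1] else None
    if ip is not None:
        ipaddress.ip_address(ip)  # raises ValueError for a malformed address
    serial = parts[2] if len(parts) > 2 and parts[2] else None
    return UniqueID(fqdn, ip, serial)

class EnrollmentRegistry:
    """Constructed model of the uniqueness rule: one active key pair per
    (UniqueID, key usage); a re-enrollment revokes the certificate it replaces."""

    def __init__(self) -> None:
        self._active = {}  # (UniqueID, key_usage) -> certificate serial
        self.revoked = []  # serials revoked by re-enrollment, in order

    def enroll(self, uid: UniqueID, key_usage: str, cert_serial: str) -> Optional[str]:
        """Record cert_serial; return the serial it superseded (now revoked), if any."""
        key = (uid, key_usage)
        old = self._active.get(key)
        if old is not None:
            self.revoked.append(old)
        self._active[key] = cert_serial
        return old

    def active(self, uid: UniqueID, key_usage: str) -> Optional[str]:
        return self._active.get((uid, key_usage))
```

A different key usage for the same UniqueID is a separate pair and does not revoke anything, which is the distinction the specification draws.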
Limitations in the Certificate Manager implementation
Certificate Retrieval
The SCEP protocol specification defines a message, GetCert, used to download certificates from the CA. This is not supported in the current implementation. End-entities are encouraged to retrieve certificates via LDAP instead.
CRL Distribution
SCEP entities must use the CRL Distribution Point in the certificate to download the CRL. The PKI CRL query message, GetCrl, is not supported in the Certificate Manager implementation.
Manual Mode
Manual mode, that is, a way for a Certificate Manager administrator to accept or deny a request while the end-entity is waiting, is not supported in the Certificate Manager implementation.