Question about SCEP integration

[ifindthanh]

Hello guys,

I'm exploring the functionality of SCEP CA in EJBCA with the tool - jscep-cli.
Thing seems fine when using the command to enroll certificate.
But I have one concern in the practical situation and wondering how we should do to handle that. It is:

• Once we send request for certificate enrollment, the SCEP client might use an additional param named challengePassword.
• This challengePassword is sent to EJBCA for end entity authentication.
• The problem is, in EJBCA the end entity is pre-created with a password. So how SCEP client know the exact value of end entity password?
• I'm thinking of there will be a pre-execution process to create a bunch of end entity object to EJBCA (with password, certificate profiles, issuing CA...), and how the password is synchronized in SCEP client side is depends on each customer. Is it correct? Or is there any other approach for this?

Thanks in advance!

[primetomas]

When using SCEP (and most other protocols) there need to be an out-of-bounds process for registering, authenticating, etc devices and people. This is vbecause you don't want to issue certificates blindly to any (untrusted)( device. In the case of SCEP and challengePassword, you are correct. The pre-registered enrollment code need to be configured on the client somehow. How this is done depends on the exact use case. I.e. is there some automated process, is there a person there configuring a device, etc.

You can automate a lot of it using APIs, i.e. add end entities in EJBCA. But it all depends on the overall use case and process.