Testing SCEP

From Dogtag
Revision as of 00:35, 14 January 2022 by Edewata (talk | contribs) (Testing with Key Manager)


Overview

CA signing or designated SCEP signing certificates can be generated using SHA2 algorithms. If so, the SSCEP client has to be updated.

The router certificate request can be generated using SHA2 algorithms. If so, the SSCEP client has to be updated.

The router certificate can be generated using SHA2 algorithms. This is configurable either through the caRouterCert profile's defaults and constraints for signing algorithms or through the CA's default signing algorithm.

SCEP messages (in PKCS7 format) can be generated using SHA2 algorithms:

  • Server-side messages are configured in the ca.scep section of CS.cfg (ca.scep.hashAlgorithm=SHA512).
  • Client-side messages are configured through the SSCEP client configuration.
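
One way to check the server-side setting before testing, as an added example that is not part of the original page or of Dogtag's code: a small audit of CS.cfg text that reports whether ca.scep.hashAlgorithm selects a SHA2 digest or one of the older digests from the test matrix. It assumes CS.cfg consists of plain key=value lines; the function names and the sample configurations are constructed for illustration.

```python
# CS.cfg is assumed to be plain "key=value" lines (added example, not Dogtag code).
WEAK = {"MD5", "SHA1"}         # older digests from the test matrix
SHA2 = {"SHA256", "SHA512"}    # SHA2 digests from the test matrix
KEY = "ca.scep.hashAlgorithm"  # the CS.cfg parameter named on this page


def parse_cs_cfg(text):
    """Parse key=value lines; blank lines and '#' comments are skipped.
    In this parser a later duplicate key overrides an earlier one."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def audit_scep_hash(text):
    """Return (status, detail) for the SCEP message digest set in CS.cfg."""
    value = parse_cs_cfg(text).get(KEY)
    if value is None:
        return ("unset", f"{KEY} is not set; confirm the server default")
    norm = value.upper().replace("-", "")
    if norm in WEAK:
        return ("weak", f"{KEY}={value}: move to SHA256 or SHA512")
    if norm in SHA2:
        return ("ok", f"{KEY}={value}")
    return ("unknown", f"{KEY}={value}: not in the tested set")


# Constructed sample configurations, not taken from a real deployment.
SAMPLE_SHA2 = "# constructed sample\nca.scep.hashAlgorithm=SHA512\n"
SAMPLE_WEAK = "ca.scep.hashAlgorithm=SHA1\n"
SAMPLE_OVERRIDE = "ca.scep.hashAlgorithm=SHA256\nca.scep.hashAlgorithm = md5\n"
SAMPLE_UNSET = "some.other.key=value\n"

if __name__ == "__main__":
    for name, cfg in [("sha2", SAMPLE_SHA2), ("weak", SAMPLE_WEAK),
                      ("override", SAMPLE_OVERRIDE), ("unset", SAMPLE_UNSET)]:
        print(name, audit_scep_hash(cfg))
```
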

Testing with SSCEP

See Testing SCEP Responder with SSCEP.

Testing with Key Manager

See Testing SCEP Responder with Firefox Key Manager.

Test Results

SCEP unit testing was performed using SSCEP and FF Key Manager as SCEP clients:

| Hash algorithm | Signing certificate | SCEP certificate | SCEP request | SCEP response | PKCS10 request |
|---|---|---|---|---|---|
| MD5 | SSCEP | SSCEP | SSCEP | SSCEP | SSCEP |
| SHA1 | SSCEP | SSCEP | SSCEP | SSCEP | SSCEP |
| SHA256 | Modified SSCEP | Modified SSCEP | Modified SSCEP | Key Manager | Modified Request Generation |
| SHA512 | Modified SSCEP | Modified SSCEP | Modified SSCEP | Key Manager | Modified Request Generation |