[rs-commit] r285 - in /rs-interop/trunk/src/site: site.xml xhtml5/index.xhtml5 xhtml5/scep/ xhtml5/scep/index.xhtml5
rs-commit at redwax.eu
Sun Feb 16 00:57:10 CET 2020
Author: minfrin at redwax.eu
Date: Sun Feb 16 00:57:09 2020
New Revision: 285
Log:
Add interoperability docs for SCEP and RouterOS.
Added:
rs-interop/trunk/src/site/xhtml5/scep/
rs-interop/trunk/src/site/xhtml5/scep/index.xhtml5
Modified:
rs-interop/trunk/src/site/site.xml
rs-interop/trunk/src/site/xhtml5/index.xhtml5
Modified: rs-interop/trunk/src/site/site.xml
==============================================================================
--- rs-interop/trunk/src/site/site.xml (original)
+++ rs-interop/trunk/src/site/site.xml Sun Feb 16 00:57:09 2020
@@ -16,6 +16,7 @@
<menu name="Demo/Interop">
<item name="About" href="https://interop.redwax.eu/rs/"/>
+ <item name="Simple Certificate Enrollment Protocol" href="https://interop.redwax.eu/rs/scep/"/>
<item name="Time Stamp" href="https://interop.redwax.eu/rs/timestamp/"/>
</menu>
Modified: rs-interop/trunk/src/site/xhtml5/index.xhtml5
==============================================================================
--- rs-interop/trunk/src/site/xhtml5/index.xhtml5 (original)
+++ rs-interop/trunk/src/site/xhtml5/index.xhtml5 Sun Feb 16 00:57:09 2020
@@ -25,10 +25,19 @@
<div class="content null">
<h2>Demo/Interop Services</h2>
<dl class="alt">
+ <dt><a href="scep/">Simple Certificate Enrollment Protocol (SCEP) Service</a></dt>
+ <dd>
+ <p>
+ Test against an instance of a Redwax Simple Certificate Enrollment Protocol server based on
+ <a href="https://redwax.eu/rs/docs/latest/mod/mod_scep.html">mod_scep</a>.
+ </p>
+ </dd>
<dt><a href="timestamp/">Time Stamp Service</a></dt>
<dd>
+ <p>
Test against an instance of a Redwax RFC3161 Time Stamp server based on
<a href="https://redwax.eu/rs/docs/latest/mod/mod_timestamp.html">mod_timestamp</a>.
+ </p>
</dd>
</dl>
</div>
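Review bot: the two added lines that wrap the existing Time Stamp description in <p> ... </p> are a markup change to an entry this commit is not otherwise about, and the log message only mentions SCEP and RouterOS. The wrapper matches the new SCEP entry and is fine to keep, but it should either be named in the log or go in as its own commit so the history for the Time Stamp entry stays readable.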
Added: rs-interop/trunk/src/site/xhtml5/scep/index.xhtml5
==============================================================================
--- rs-interop/trunk/src/site/xhtml5/scep/index.xhtml5 (added)
+++ rs-interop/trunk/src/site/xhtml5/scep/index.xhtml5 Sun Feb 16 00:57:09 2020
@@ -0,0 +1,214 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
+ <head>
+ <title>Simple Certificate Enrollment Protocol Demo/Interop</title>
+ <meta name="description" content="Interoperate with the Redwax Simple Certificate Enrollment Protocol module."/>
+ <link rel="canonical" href="https://interop.redwax.eu/rs/timestamp/"/>
+ </head>
+ <body>
+ <section class="spotlight style2 orient-right content-align-left image-position-left">
+ <div class="content null">
+ <h2>Simple Certificate Enrollment Protocol Demo/Interop</h2>
+ <p>
+ Interoperate with the <a href="https://redwax.eu/rs/docs/latest/mod/mod_scep.html">Redwax Simple Certificate Enrollment Protocol module</a>.
+ </p>
+ <p>
+ We have implemented a <a href="https://tools.ietf.org/html/draft-gutmann-scep-15">
+ SCEP</a> endpoint that allows you to test your client
+ implementation against a Redwax Server.
+ </p>
+ <p>
+ The code being run is the most up to date build from trunk/master in source
+ control, and is built and deployed automatically. The Redwax Interop server
+ is for testing purposes only.
+ </p>
+ </div>
+ <div class="image">
+ <img src="../images/candles-green.jpg" alt=""/>
+ </div>
+ </section>
+ <div class="none">
+ <section class="wrapper style1 align-center" id="introduction">
+ <div class="inner">
+ <h2>Simple Certificate Enrollment Protocol (SCEP) Demo/Interop Server</h2>
+ <p>
+ When testing your SCEP client implementation, use the following
+ details.
+ </p>
+ <div class="index align-left">
+ <section id="summary">
+ <header>
+ <h3>Summary</h3>
+ </header>
+ <div class="content">
+
+ <table>
+ <tbody>
+ <tr>
+ <td>SCEP Server URL</td>
+ <td>
+ <code>https://interop.redwax.eu<wbr />/test/simple/scep</code> /
+ <code>http://interop.redwax.eu<wbr />/test/simple/scep</code>
+ </td>
+ </tr>
+ <tr>
+ <td>Time Source</td>
+ <td>
+ <code>System Clock</code>
+ </td>
+ </tr>
+ <tr>
+ <td>Serial Numbers</td>
+ <td>
+ <code>Random</code>
+ </td>
+ </tr>
+ </tbody>
+ </table>
+
+ </div>
+ </section>
+ </div>
+ </div>
+ </section>
+ <section class="wrapper style1 align-center" id="integration">
+ <div class="inner">
+ <h2>Redwax Module Configuration</h2>
+ <p>
+ The following configuration is used to implement this
+ SCEP server. The configuration below is added to
+ a standard secure virtualhost Apache configuration, as
+ described
+ <a href="https://httpd.apache.org/docs/2.4/vhosts/name-based.html">here</a>.
+ </p>
+ <div class="index align-left">
+ <section>
+ <header>
+ <h3>
+ Configuration
+ </h3>
+ </header>
+ <div class="content">
+ <p>
+ Here we set the SCEP handler, and set the CA certificates and
+ keys to be used for signing.
+ </p>
+ <p>
+ We also set an RA certificate and key that is used during the
+ SCEP certificate issuing process. This certificate is signed by
+ our CA certificate.
+ </p>
+ <pre>
+<code><![CDATA[<IfModule !ca_module>
+ LoadModule ca_module /usr/lib64/httpd/modules/mod_ca.so
+</IfModule>
+<IfModule !ca_simple_module>
+ LoadModule ca_simple_module /usr/lib64/httpd/modules/mod_ca_simple.so
+</IfModule>
+<IfModule !scep_module>
+ LoadModule scep_module /usr/lib64/httpd/modules/mod_scep.so
+</IfModule>
+
+<Location /test/simple>
+
+ CASimpleCertificate /etc/pki/interop/ca-cert.pem
+ CASimpleKey /etc/pki/interop/private/ca-key.pem
+ CASimpleDays 1
+ CASimpleTime on
+ CASimpleAlgorithm RSA rsa_keygen_bits=4096
+ CASimpleSerialRandom on
+
+ CASimpleExtension basicConstraints CA:FALSE
+ CASimpleExtension keyUsage critical,nonRepudiation,digitalSignature,keyEncipherment
+ CASimpleExtension extendedKeyUsage OID:1.3.6.1.5.5.7.3.2
+ CASimpleExtension subjectKeyIdentifier hash
+ CASimpleExtension authorityKeyIdentifier keyid,issuer
+
+</Location>
+
+<Location /test/simple/scep>
+ Require all granted
+ SetHandler scep
+ ScepRACertificate /etc/pki/interop/scep-ra.cert
+ ScepRAKey /etc/pki/interop/private/scep-ra.key
+ ScepSubjectRequest O
+ ScepSubjectRequest CN
+ ScepSubjectRequest C
+ ScepSubjectAltNameRequest rfc822Name
+</Location>
+]]></code>
+ </pre>
+ </div>
+ </section>
+ </div>
+ </div>
+ </section>
+ <section class="wrapper style1 align-center" id="directive-reference">
+ <div class="inner">
+ <h2>SCEP with Mikrotik RouterOS</h2>
+ <p>
+ <a href="https://mikrotik.com">Mikrotik's Routerboard and RouterOS</a>
+ support a SCEP client, and can request certificates from a Redwax
+ Server.
+ </p>
+ <div class="index align-left">
+ <section>
+ <header>
+ <h3>Command Line</h3>
+ </header>
+ <div class="content">
+ <p>
+ Add a certificate template, followed by a SCEP definition, as
+ follows.
+ </p>
+ <pre>
+<code><![CDATA[[admin at router] /> /certificate
+[admin at router] /certificate> add common-name=test-cn name=test-name
+[admin at router] /certificate> add-scep template=test-name
+ scep-url=http://interop.redwax.eu/test/simple/scep
+]]></code>
+ </pre>
+ <p>
+ Confirm that the certificate was requested and issued correctly.
+ </p>
+ <pre>
+<code><![CDATA[[admin at router] /certificate> print detail
+Flags: K - private-key, L - crl, C - smart-card-key, A - authority,
+I - issued, R - revoked, E - expired, T - trusted
+ 0 K T name="test-name"
+ issuer=CN=Redwax Interop Testing Root Certificate Authority 2040,O=Redwax
+ Project
+ digest-algorithm=sha256 key-type=rsa common-name="test-cn" key-size=2048
+ subject-alt-name="" days-valid=2 trusted=yes
+ key-usage=digital-signature,content-commitment,key-encipherment,tls-client
+ scep-url="http://interop.redwax.eu/test/simple/scep"
+ serial-number="80B89D2D99C09CB2"
+ fingerprint="f83f497a11ccaf4e43e7df5838c9687c0b3bf0c0f46959403d4e8e0e8ac54fb5
+ "
+ ca-fingerprint="593685a2b4223e2634a74bc86125808e12c0680283ad6c67b44a6e3305c62
+ 30d"
+ invalid-before=feb/15/2020 00:32:05 invalid-after=feb/17/2020 00:32:05
+ expires-after=23h47m2s challenge-password="" status="idle"
+
+ 1 T name="test-name_CA"
+ issuer=CN=Redwax Interop Testing Root Certificate Authority 2040,O=Redwax
+ Project
+ digest-algorithm=sha1 key-type=rsa organization="Redwax Project"
+ common-name="Redwax Interop Testing Root Certificate Authority 2040"
+ key-size=2048 subject-alt-name="" days-valid=6534 trusted=yes
+ serial-number="6F11B7D855D27D9A14F3B6E9152B60CA8C4BE2AA"
+ fingerprint="593685a2b4223e2634a74bc86125808e12c0680283ad6c67b44a6e3305c6230d
+ "
+ invalid-before=feb/11/2020 17:38:56 invalid-after=jan/01/2038 17:38:56
+ expires-after=932w5d16h53m53s
+]]></code>
+ </pre>
+ </div>
+ </section>
+ </div>
+ </div>
+ </section>
+ </div>
+ </body>
+</html>
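Review bot: the canonical link in the head of the new scep/index.xhtml5 looks carried over from the time stamp page. It reads <link rel="canonical" href="https://interop.redwax.eu/rs/timestamp/"/>, while site.xml in this same commit places the page at https://interop.redwax.eu/rs/scep/, so the SCEP page declares itself a duplicate of the time stamp page; it should point at the scep/ address. The RouterOS section also carries id="directive-reference" although it holds no directive reference, so a fragment link to it will be misleading; an id that names the section would be clearer. Finally, the RouterOS example enrolls over scep-url=http://... and the sample output shows the fetched CA as trusted=yes with a ca-fingerprint value, so the text after "Confirm that the certificate was requested and issued correctly" should tell readers to compare that ca-fingerprint with a value obtained from the Redwax side over a separate channel, since nothing else in the shown steps authenticates the CA the router ends up trusting.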