[rs-commit] r552 - /rs-interop/trunk/src/site/xhtml5/scep/index.xhtml5
rs-commit at redwax.eu
Sat Mar 14 15:05:28 CET 2026
Author: minfrin at redwax.eu
Date: Sat Mar 14 15:05:27 2026
New Revision: 552
Log:
Add SCEP renewal support.
Add SSCEP instructions for testing of renewal support.
Modified:
rs-interop/trunk/src/site/xhtml5/scep/index.xhtml5
Modified: rs-interop/trunk/src/site/xhtml5/scep/index.xhtml5
==============================================================================
--- rs-interop/trunk/src/site/xhtml5/scep/index.xhtml5 (original)
+++ rs-interop/trunk/src/site/xhtml5/scep/index.xhtml5 Sat Mar 14 15:05:27 2026
@@ -104,9 +104,17 @@
SCEP certificate issuing process. This certificate is signed by
our CA certificate.
</p>
+ <p>
+ Issued certificates are stored and indexed by an OpenSSL compatible
+ index file, allowing renewals if a previously valid certificate
+ is used to sign the renewal request.
+ </p>
<pre>
<code><![CDATA[<IfModule !ca_module>
LoadModule ca_module /usr/lib64/httpd/modules/mod_ca.so
+</IfModule>
+<IfModule !ca_disk_module>
+ LoadModule ca_disk_module /usr/lib64/httpd/modules/mod_ca_disk.so
</IfModule>
<IfModule !ca_provider_module>
LoadModule ca_provider_module /usr/lib64/httpd/modules/mod_ca_provider.so
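Review bot: "previously valid certificate" in the new paragraph is ambiguous. It can be read as a certificate that is still valid when the renewal is requested, or as one that was valid at some point and has since expired or been revoked. State which of these the server accepts, since that decides who can obtain a renewal. The paragraph could also name the module that provides the index, as the same hunk starts loading mod_ca_disk.so without saying why.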
@@ -117,6 +125,15 @@
<IfModule !scep_module>
LoadModule scep_module /usr/lib64/httpd/modules/mod_scep.so
</IfModule>
+
+<Location /test>
+
+ CADiskIndexFile /etc/pki/interop/index
+ CADiskCertificateBySerialPath /etc/pki/interop/newcerts
+
+ ScepRenewal on
+
+</Location>
<Location /test/provider>
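Review bot: the new <Location /test> block sets CADiskIndexFile, CADiskCertificateBySerialPath and ScepRenewal with no accompanying text saying what each directive does, or whether /etc/pki/interop/index and /etc/pki/interop/newcerts have to be created beforehand and with what ownership. A short sentence per directive before the example would cover it. Because the block sits at /test, also say whether renewal is meant to apply to every SCEP endpoint configured below it, including the /test/provider location that follows.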
@@ -346,7 +363,7 @@
</div>
</div>
</section>
- <section class="wrapper style1 align-center" id="routeros">
+ <section class="wrapper style1 align-center" id="certmonger">
<div class="inner">
<h2>SCEP with Certmonger</h2>
<p>
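Review bot: the id change from "routeros" to "certmonger" on the "SCEP with Certmonger" section is not covered by the log message, which only mentions renewal support and the SSCEP instructions. Add a line to the log or commit it separately, and check that any navigation entries or in-page links that targeted #routeros for this section now point at #certmonger.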
@@ -450,6 +467,53 @@
</div>
</div>
</section>
+ <section class="wrapper style1 align-center" id="sscep">
+ <div class="inner">
+ <h2>SCEP with SSCEP client</h2>
+ <p>
+ The <a href="https://github.com/certnanny/sscep/">SSCEP</a> client
+ allows you to perform low level testing of the Redwax Server. Most
+ SCEP clients will compensate for limitations of the server which
+ can make testing difficult. SSCEP allows you to perform an explicit
+ initial request, followed by an explicit renewal.
+ </p>
+ <div class="index align-left">
+ <section>
+ <header>
+ <h3>Command Line</h3>
+ </header>
+ <div class="content">
+ <p>
+ Request an initial certificate, as
+ follows.
+ </p>
+ <pre>
+<code><![CDATA[[root at linux ~]$ sscep enroll -u http://interop.redwax.eu/test/simple/scep -c /etc/pki/interop/scep-ra.cert -k ~/local.key -r ~/local.csr -l ~/local.pem
+sscep: sending certificate request
+sscep: valid response from server
+sscep: reply transaction id: 8DBE0664A397782AF5B5AEAC492A83BF
+sscep: pkistatus: SUCCESS
+sscep: Subject of our request does not match that of the returned Certificate!
+]]></code>
+ </pre>
+ <p>
+ To renew your certificate, request a renewal signed by the previous certificate
+ and key, as follows.
+ </p>
+ <pre>
+<code><![CDATA[[root at linux ~]$ sscep enroll -u http://interop.redwax.eu/test/provider/scep -c /etc/pki/interop/scep-ra.cert -k ~/new_local.key -r ~/new_local.csr -l ~/new_local.pem -K ~/local.key -O ~/local.pem
+sscep: sending certificate request
+sscep: valid response from server
+sscep: reply transaction id: C2881A7382061221D7BA0D1454A16F49
+sscep: pkistatus: SUCCESS
+sscep: Subject of our request does not match that of the returned Certificate!
+]]></code>
+ </pre>
+ </div>
+ </section>
+ </div>
+ </div>
+ </section>
</div>
</body>
</html>
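Review bot: the initial enrolment in the new SSCEP section is sent to /test/simple/scep while the renewal is sent to /test/provider/scep, and the text does not explain the change of endpoint. Either use the same URL in both commands or add a sentence saying why a certificate issued by one endpoint can sign a renewal at the other. Both transcripts also end with "sscep: Subject of our request does not match that of the returned Certificate!" directly after "pkistatus: SUCCESS"; say whether that is expected against this test CA so readers do not take it for a failed enrolment. The steps that produce local.key/local.csr and new_local.key/new_local.csr are missing as well, so the commands cannot be followed from the page alone.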