The Certmgr module will use the scep application to request and download certificates from the CA. scep will be run as an application rather than linked as a library, since the module will be used as is, without changes.
An HTTP GET message is used for both the GetCACert and Enroll messages sent by SCEP.
In the case of an Enroll request, scep performs the following steps:
- Get the CSR in PKCS#10 form (AP or controller CSR).
- Get the CA certificate used for encryption.
- Using the public key in the CA certificate, encrypt the PKCS#10 blob into a PKCS#7 envelope.
- Using the CSR in the PKCS#10, create a self-signed certificate.
- Using the private key of the self-signed certificate from step 4, sign the PKCS#7 envelope generated in step 3 and add the certificate to this payload. (Note: the private key used to sign this PKCS#7 blob is the key behind the CSR inside the PKCS#7 blob, the same one with which the self-signed certificate was generated.)
- This is then Base64 encoded, URL encoded and sent as the payload of an HTTP GET message to the CA.
2. HTTP Response
- SCEP responses from the CA server can be one of “Reject”, “Pending” or “Success”.
- In the case of success, the request is accepted and the signed certificate is included. The signed custom certificate also comes as a PKCS#7 envelope (called a degenerate certificates-only PKCS#7).
- This PKCS#7 blob is signed by the external CA certificate. The controller verifies this signature since it has the CA certificate.
- The data may be encrypted using the public key from the cert request. The controller decrypts it using the corresponding private key and extracts the certificate.
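The Enroll request build above and the certs-only response handling, as an added example walked through with openssl (this is not the Certmgr module's or the scep tool's own code). The "external CA", the device key and the CSR are all constructed in a temporary directory; the names ap-0001 and "Example CA" are placeholders.

```shell
# Added example: SCEP PKCSReq build and certs-only response, step by step with
# openssl. The CA, device key and CSR below are constructed locally, not real.
set -e
W=$(mktemp -d)

build_request() {
  cd "$W"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Example CA" -days 1 2>/dev/null          # stand-in for the CA
  openssl req -new -newkey rsa:2048 -nodes -keyout dev.key -out dev.csr \
    -subj "/CN=ap-0001" 2>/dev/null                     # step 1: PKCS#10 CSR
  # step 3: EnvelopedData, the CSR encrypted to the CA public key
  openssl cms -encrypt -binary -aes256 -in dev.csr -outform DER -out env.p7 ca.crt
  # step 4: self-signed cert from the same key that signed the CSR
  openssl x509 -req -in dev.csr -signkey dev.key -days 1 -out self.crt 2>/dev/null
  # step 5: SignedData over the envelope, carrying self.crt inside it
  openssl cms -sign -binary -nodetach -in env.p7 -signer self.crt -inkey dev.key \
    -outform DER -out req.p7
  # step 6: base64 then URL-encode; this becomes the GET "message" parameter
  openssl base64 -A -in req.p7 | sed 's/+/%2B/g; s,/,%2F,g; s/=/%3D/g' > message.txt
}

# CA side. The self-signed cert only proves possession of the CSR key, so the
# outer signature is checked with it directly (-noverify skips chain building).
ca_recover_csr() {
  cd "$W"
  openssl cms -verify -binary -noverify -inform DER -in req.p7 -out inner.p7
  openssl cms -decrypt -inform DER -in inner.p7 -recip ca.crt -inkey ca.key -out got.csr
  cmp -s got.csr dev.csr    # exit 0 only if the CSR survived the round trip
}

# CA side: "Success" = degenerate certs-only PKCS#7, encrypted to the requester, signed by CA
ca_build_response() {
  cd "$W"
  openssl x509 -req -in dev.csr -CA ca.crt -CAkey ca.key -set_serial 1 -days 1 \
    -out issued.crt 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile issued.crt -outform DER -out certs.p7
  openssl cms -encrypt -binary -aes256 -in certs.p7 -outform DER -out renv.p7 self.crt
  openssl cms -sign -binary -nodetach -in renv.p7 -signer ca.crt -inkey ca.key \
    -outform DER -out resp.p7
}

# Controller side: verify against the trusted CA cert, decrypt with the CSR key, extract cert
controller_extract_cert() {
  cd "$W"
  openssl cms -verify -binary -inform DER -in resp.p7 -CAfile ca.crt -out rinner.p7
  openssl cms -decrypt -inform DER -in rinner.p7 -recip self.crt -inkey dev.key -out rcerts.p7
  openssl pkcs7 -inform DER -in rcerts.p7 -print_certs | openssl x509 -noout -subject
}
```

Run `build_request`, then `ca_recover_csr`, `ca_build_response` and `controller_extract_cert` in that order; the last prints the subject of the certificate the controller recovered.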
Note: SCEP stands for Simple Certificate Enrollment Protocol.