
Adding support for SCEP renewals #811

Open · wants to merge 4 commits into base: main

Conversation

Stueypoo (Contributor)

Describe your changes

A plug-in to provide SCEP renewal capabilities using client certificate authentication (as per the SCEP RFC and earlier drafts).

To enable SCEP renewal, the following are required:

  1. The SCEP configuration must allow 'Allow Client Certificate Renewal'.
  2. The End-Entity must be associated with an End Entity Profile that enables 'Allow renewal before expiration'. Also, ensure the 'Days before expiration' is set to an appropriate number (the SCEP RFC suggests 50% of certificate validity).

Upon an incoming SCEP renewal message, this plug-in will perform a validation of the Signer's certificate before allowing the request. This validation must meet all these criteria:

  1. Certificate is provided in the request.
  2. Certificate is not expired or pending.
  3. Certificate was previously issued to the end-entity identified in the request. By inference, this suggests that the certificate was issued by a trusted authority as the certificate was found in the EJBCA's database. Please note that the Signer's certificate could have been issued by a different CA to that which will perform the renewal.
  4. Certificate is not revoked.

SCEP renewals using a previously issued key may be permitted by the SCEP configuration with the parameter 'Allow Client Certificate Renewal using old key'. However, be aware that if the CA setting 'Enforce key renewal' is enabled, then this will prevent the certificate from being issued.

During SCEP processing (for initial certificate or for renewals), the User's password will be reset to a random value. This will invalidate the Challenge Password previously known to the Client. This is the recommendation in the RFC (and earlier drafts).

How has this been tested?

A SystemTest is included. Run this with "ant test:runweb"

Checklist before requesting a review

  • I have performed a self-review of my code
  • I have kept the patch limited to only change the parts related to the patch
  • This change requires a documentation update

See also Contributing Guidelines.
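The four signer-certificate criteria and the old-key rules described in the pull request above, worked through as an added illustration. This is not code from the pull request or from EJBCA; `CertRecord`, `RenewalPolicy`, the in-memory `ISSUED`/`REVOKED` store and every sample certificate are constructed stand-ins for the CA database and the configuration switches the description names. It shows why the issuer is looked up in the store rather than compared with the renewing CA, and how the SCEP 'using old key' switch is still overridden by the CA's 'Enforce key renewal'.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set, Tuple

CertKey = Tuple[str, int]  # (issuer DN, serial) identifies a certificate in the store


@dataclass(frozen=True)
class CertRecord:
    """Minimal stand-in for a certificate row in the CA database (constructed, not EJBCA's schema)."""
    serial: int
    issuer: str          # DN of the issuing CA
    subject: str
    end_entity: str      # username the certificate was issued to
    public_key: bytes    # opaque placeholder for the subject public key
    not_before: datetime
    not_after: datetime

    @property
    def key(self) -> CertKey:
        return (self.issuer, self.serial)


@dataclass(frozen=True)
class RenewalPolicy:
    """Hypothetical switches mirroring the settings named in the PR description."""
    allow_client_cert_renewal: bool = True     # SCEP config: 'Allow Client Certificate Renewal'
    allow_renewal_with_old_key: bool = False   # SCEP config: '... using old key'
    ca_enforce_key_renewal: bool = False       # CA setting: 'Enforce key renewal'


def validate_renewal_signer(signer: Optional[CertRecord], end_entity: str,
                            issued: Dict[CertKey, CertRecord], revoked: Set[CertKey],
                            now: datetime, policy: RenewalPolicy) -> Optional[str]:
    """Return None when the signer certificate may authenticate a renewal, else the reason for refusal."""
    if not policy.allow_client_cert_renewal:
        return "client certificate renewal disabled in SCEP configuration"
    # 1. A signer certificate must be present in the request.
    if signer is None:
        return "no signer certificate in request"
    # 2. It must be inside its validity period (neither pending nor expired).
    if now < signer.not_before:
        return "signer certificate not yet valid"
    if now > signer.not_after:
        return "signer certificate expired"
    # 3. It must have been issued, by any CA in the database, to the end entity named in the request.
    #    The issuer is deliberately not compared with the CA that will perform the renewal.
    known = issued.get(signer.key)
    if known is None or known.end_entity != end_entity:
        return "signer certificate was not issued to this end entity"
    # 4. It must not be revoked.
    if signer.key in revoked:
        return "signer certificate revoked"
    return None


def check_key_reuse(signer: CertRecord, requested_public_key: bytes, policy: RenewalPolicy) -> Optional[str]:
    """Apply the old-key rules: reuse needs the SCEP switch, and the CA's 'Enforce key renewal' overrides it."""
    if requested_public_key != signer.public_key:
        return None  # a fresh key is always acceptable
    if not policy.allow_renewal_with_old_key:
        return "renewal with the previous key not permitted by SCEP configuration"
    if policy.ca_enforce_key_renewal:
        return "CA enforces key renewal; previous key refused"
    return None


# Constructed sample store: one record per failure mode plus two that should pass.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
CA_A, CA_B = "CN=Issuing CA A", "CN=Issuing CA B"
SAMPLES = {
    "valid":    CertRecord(1001, CA_A, "CN=dev-1", "dev-1", b"k1", NOW - timedelta(days=200), NOW + timedelta(days=165)),
    "expired":  CertRecord(1002, CA_A, "CN=dev-2", "dev-2", b"k2", NOW - timedelta(days=800), NOW - timedelta(days=1)),
    "pending":  CertRecord(1003, CA_A, "CN=dev-3", "dev-3", b"k3", NOW + timedelta(days=1), NOW + timedelta(days=365)),
    "revoked":  CertRecord(1004, CA_A, "CN=dev-4", "dev-4", b"k4", NOW - timedelta(days=100), NOW + timedelta(days=265)),
    "other_ca": CertRecord(1005, CA_B, "CN=dev-5", "dev-5", b"k5", NOW - timedelta(days=100), NOW + timedelta(days=265)),
}
ISSUED = {c.key: c for c in SAMPLES.values()}
REVOKED = {SAMPLES["revoked"].key}
# A certificate from a CA the database has never seen: fails criterion 3 regardless of its own validity.
UNKNOWN = CertRecord(1, "CN=Unknown CA", "CN=dev-1", "dev-1", b"kx", NOW - timedelta(days=10), NOW + timedelta(days=355))


def evaluate_samples(policy: RenewalPolicy = RenewalPolicy()) -> Dict[str, Optional[str]]:
    """Run every sample through the signer validation, keyed by sample name (None means accepted)."""
    results = {name: validate_renewal_signer(c, c.end_entity, ISSUED, REVOKED, NOW, policy)
               for name, c in SAMPLES.items()}
    results["missing"] = validate_renewal_signer(None, "dev-1", ISSUED, REVOKED, NOW, policy)
    results["unknown_ca"] = validate_renewal_signer(UNKNOWN, "dev-1", ISSUED, REVOKED, NOW, policy)
    results["wrong_entity"] = validate_renewal_signer(SAMPLES["valid"], "dev-2", ISSUED, REVOKED, NOW, policy)
    return results


if __name__ == "__main__":
    for name, reason in evaluate_samples().items():
        print(f"{name:13s} -> {'accepted' if reason is None else reason}")
```

The `other_ca` sample passes because the lookup is keyed on the store, not on the renewing CA, which is exactly the point made in criterion 3; `unknown_ca` fails on the same check even though its dates are fine. Revocation is checked last so that a revoked certificate still has to clear the ownership check first, and a reused key is only ever accepted when both the SCEP switch allows it and the CA does not enforce key renewal.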

Test cases for SCEP renewals
Adding test cases for SCEP renewals into build
Adding plug-in for SCEP renewals
Allowing SCEP renewal configuration options for all editions.
@MalinRidelius (Collaborator)

Thanks, Stueypoo! A contribution of this size requires signing our Contributor Assignment Agreement. Please reach out to me Malin Ridelius at [email protected] so we can guide you, or your manager, through the process.
