PENDING response from the server #84
Comments
@ripienaar The client actually implements scep/cmd/scepclient/scepclient.go Lines 209 to 212 in 528937a
As far as server side, the reason it's not implemented is because the initial purpose of the SCEP server is for macOS enrollments, with device provisioning at the loginwindow. Sending a PENDING response there would break the desired UX for the user.
Yeah, I saw it in the client and went looking for the server-side equivalent feature with no luck. I wish to do mass enrolment of 100s of thousands of nodes. Most nodes I can auto approve based on, let’s say, a pattern match of cname (any fqdn in our domain). Some, though, are users and not machines, and those I need to hand approve. So I imagine something that I can run like the verifier that returns 0 for APPROVE, 1 for PENDING and 2 for REJECT is an easy way, and if it’s a nice interface then for my use case I can implement a Go class to do this while using your server code as a library. Perhaps even extend the current verifier in this way? The /approve endpoint is also a good idea, though obviously it would require auth. I think it’s key that there is a hook to programmatically decide if an incoming request is auto approve or not.
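One way to write the three-way decision hook proposed in the comment above, as an added example that is not code from the SCEP project or from any commenter. `Decide`, `inDomain`, `sampleCSR` and the `example.com` domain are hypothetical, and the check covers SAN entries as well as the CN, which goes beyond the CN pattern match the comment describes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// Values proposed in the comment above; these are not SCEP pkiStatus numbers.
const Approve, Pending, Reject = 0, 1, 2

// inDomain: name is a plain hostname under domain (no wildcard, no user@host).
func inDomain(name, domain string) bool {
	name, suffix := strings.ToLower(name), "."+strings.ToLower(domain)
	for _, label := range strings.Split(strings.TrimSuffix(name, suffix), ".") {
		if label == "" || strings.Trim(label, "abcdefghijklmnopqrstuvwxyz0123456789-") != "" {
			return false
		}
	}
	return strings.HasSuffix(name, suffix)
}

// Decide is a hypothetical approval hook, not part of the SCEP server's API.
func Decide(der []byte, domain string) int {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil || csr.CheckSignature() != nil {
		return Reject // malformed CSR or failed proof of possession
	}
	other := len(csr.EmailAddresses) + len(csr.IPAddresses) + len(csr.URIs)
	for _, n := range append([]string{csr.Subject.CommonName}, csr.DNSNames...) {
		if other > 0 || !inDomain(n, domain) {
			return Pending // anything not purely in-domain DNS waits for a human
		}
	}
	return Approve
}

// sampleCSR builds a constructed CSR for the demo; errors are ignored for brevity.
func sampleCSR(cn string, sans ...string) []byte {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: sans}
	der, _ := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return der
}

func main() {
	fmt.Println(Decide(sampleCSR("node1.example.com"), "example.com"), Decide(sampleCSR("Alice Smith"), "example.com"))
}
```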
@ripienaar is this still interesting to you? Sorry the issue has been idle for so long. I'm looking at a batch of things I can pick up to improve over the holidays.
@groob in theory - but I have another solution, so like I have not been holding my breath :P
@groob if you still plan on having a look at it I'm interested as well with a PENDING response from the server
We would be interested in this too. We're interested in a downstream project, called step-ca. I've put an issue about manual approvals there too. |
I've been trying to figure out if there's a way to make a certificate as PENDING from the server.
I can see the CSR verifier and can see how I could plug my own there, but this fails the request; I can't see how to make it pending, indicating I might sign it later (or how I would do that signing, though that I can do with the openssl CLI, no biggie).
Also do you have any plans for a release soon? Some nice additions.