#120 Enroll EC keys with SCEP
Closed: wontfix 3 years ago by rcritten. Opened 4 years ago by brunovernay.

Might be more of a Feature Request, but shouldn't it be possible to use an EC key for the certificate (the CSR, the PKCS#10) but specify another RSA key (from another certificate) for the PKCS#7 wrapper?
https://pagure.io/certmonger/blob/master/f/src/scepgen-o.c#_760

The idea would be to have options to do like this https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9/html/administration_guide/enrolling_a_certificate_in_a_cisco_router#issuing-ecc-certificates-with-scep
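The split the ticket asks for, modelled end to end: the inner PKCS#10 carries an EC key, while the PKCS#7/CMS wrapper around it (envelopedData for the CA, then signedData by the requester) uses a separate RSA identity. This is an added example, not certmonger code and not the Red Hat procedure linked above; it uses only the openssl CLI, constructs self-signed placeholder identities (device, "rsa-wrapper", "scep-ca") in a scratch directory, and leaves out the signed attributes (transactionID, messageType, and so on) that a real SCEP pkiMessage also carries. The RSA identity is needed for the wrapper because the envelopedData key transport in SCEP is RSA-only, which is exactly why the EC key cannot stand in for it.

```shell
#!/bin/sh
# Added example, not certmonger code. Models the SCEP layering the ticket
# asks for: an EC key inside the PKCS#10, a separate RSA identity for the
# PKCS#7 wrapper. Simplified: real SCEP pkiMessages also carry signed
# attributes (transactionID, messageType, ...), omitted here.
# Assumes the openssl CLI (1.1.1 or 3.x) on PATH. All names are constructed.
set -eu

# Generate the three key pairs: EC device key (goes into the CSR), RSA
# "wrapper" identity (signs the pkiMessage), RSA CA cert (envelope recipient).
make_identities() {
    dir="$1"
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/device.key"
    openssl req -new -key "$dir/device.key" -subj "/CN=iot-device-0001" \
        -outform DER -out "$dir/device.csr.der" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=rsa-wrapper" \
        -keyout "$dir/wrapper.key" -out "$dir/wrapper.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=scep-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# Requester side: envelope the EC CSR to the CA's RSA cert (RSA key
# transport), then sign the envelope with the RSA wrapper identity.
wrap_pkimessage() {
    dir="$1"
    openssl cms -encrypt -binary -aes128 -in "$dir/device.csr.der" \
        -outform DER -out "$dir/enveloped.der" "$dir/ca.crt"
    openssl cms -sign -binary -nodetach -in "$dir/enveloped.der" \
        -signer "$dir/wrapper.crt" -inkey "$dir/wrapper.key" \
        -outform DER -out "$dir/pkimessage.der"
}

# CA side: verify the outer signature against the RSA wrapper cert the CA
# already trusts (e.g. from an earlier RSA enrollment), then decrypt the
# envelope with the CA key to recover the original EC CSR.
unwrap_pkimessage() {
    dir="$1"
    openssl cms -verify -binary -inform DER -in "$dir/pkimessage.der" \
        -CAfile "$dir/wrapper.crt" -out "$dir/recovered.env.der" 2>/dev/null
    openssl cms -decrypt -inform DER -in "$dir/recovered.env.der" \
        -recip "$dir/ca.crt" -inkey "$dir/ca.key" -out "$dir/recovered.csr.der"
}

# Public-key algorithm of a DER CSR / PEM cert, as printed by openssl -text.
csr_key_algo()  { openssl req  -inform DER -in "$1" -noout -text | sed -n 's/.*Public Key Algorithm: //p'; }
cert_key_algo() { openssl x509 -in "$1" -noout -text | sed -n 's/.*Public Key Algorithm: //p'; }

# Stand-alone run: build everything in a scratch directory and show the
# algorithm split (EC inside, RSA around), then confirm the CSR survived.
WORK="${WORK:-$(mktemp -d)}"
make_identities "$WORK"
wrap_pkimessage "$WORK"
unwrap_pkimessage "$WORK"
echo "inner CSR key:  $(csr_key_algo "$WORK/recovered.csr.der")"
echo "wrapper signer: $(cert_key_algo "$WORK/wrapper.crt")"
cmp -s "$WORK/device.csr.der" "$WORK/recovered.csr.der" && echo "CSR recovered intact"
```

The point to check on the CA side is the one the test asserts: the recovered CSR still reports `id-ecPublicKey` while the signer of the outer layer is `rsaEncryption`, so the CA can issue an EC certificate from a message it could only decrypt because the wrapper identity was RSA.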


I suppose it's possible but it is not likely something we would prioritize.

https://www.youtube.com/watch?v=-mTnY0C4muo

Is the project targeting quantum resistant crypto? The roadmap is empty (or managed elsewhere).

In the meantime, embedded devices ("IoT") could benefit from Active Directory Certificate Services and their "Network Device Enrollment Service" (NDES) SCEP server implementation.

I'm going to close this in favor of EST. That seems like a longer-term solution that would support multiple CAs.

This isn't a promise to do EST but if ECC certs would be supported via an enrollment protocol then EST would be the way to go.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

3 years ago

I would be curious to know what makes you believe that "EST seems the longer-term solution".
A quick search shows that SCEP is still the way to go:
- April 2020 https://docs.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure
- June 2020 https://oofhours.com/2020/04/05/intune-certificates-something-everyone-should-set-up/
...

EST was designed specifically to address deficiencies found in SCEP and allows EC certs without workarounds.

Doing a workaround for a single CA doesn't seem like the best way to spend energy.

