#528 Investigate current PKI standards
Closed: Fixed None Opened 11 years ago by nkinder.

We should look through a number of the current PKI related RFCs to see if there is functionality we should bring up to date to match the standards. Some specific areas we should look at are:

We also know that there are some specific areas to investigate, like dealing with different subject encodings, so we should focus on the areas where we know we are not up to the latest standard.

The goal is not to add functionality for everything found in the RFCs. We want to make sure our existing functionality and features follow the standards. If there is functionality defined in the standards that we do not have, we should evaluate if there is a strong use-case and need for us to add that functionality. We should file separate tickets for functionality that we need to bring up to date as we do this investigation.
Here is a preliminary list of SCEP desired enhancements and fixes grouped in categories:

  • SCEP protocol enhancements:
    • Phase 1:
      1. Ticket #621 - closed - Add SCEP support for Certificate Access
      2. Ticket #622 - closed - Add SCEP support for CRL Access
    • Phase 2:
      1. Ticket #623 - 10.2 - Add SCEP support for Client Certificate Renewal
    • Phase 3:
      1. Ticket #625 - FUTURE - Add SCEP support for GetNextCACert
      2. Ticket #626 - FUTURE - Add SCEP support for CA Key Rollover
    • Phase 4:
      1. Ticket #627 - FUTURE - Add SCEP support for GetCACaps
  • Possible encoding or algorithmic enhancements:
    1. Ticket #442 - 10.1.08 - CA throws exception while processing SCEP PKCSReq message when cert DB is in FIPS mode
    2. Ticket #443 - 10.1.08 - SCEP: Invalid OID in CertRep signerInfo when using SHA-2
    3. Ticket #615 - 10.1.06 - SCEP PKIOperation InvalidBERException
  • Functionality enhancements:
    1. Ticket #634 - 10.2 - Add pretty print for SCEP requests and responses
    2. Ticket #444 - 10.1.08 - Utilize database rather than plaintext flat files when utilizing SCEP one-time PIN

Here is a preliminary list of CRL desired enhancements and fixes grouped in categories:

  • CRL RFC enhancements:
    1. Ticket #636 - FUTURE - Add support for indirect CRLs and Certificate Issuer extension
  • CRL scalability and performance:
    1. Ticket #633 - 10.2 - CRL issuing point needs scalability review
    2. Ticket #632 - 10.2 - CRL publishing needs performance review
    3. Ticket #635 - 10.2 - Split crlIssuingPointRecord in sub-records to improve scalability and performance
    4. Ticket #628 - 10.2 - OCSP should support delta CRLs
  • CRL issues:
    1. Ticket #574 - 10.1.08 - CRL scheduler may go into the infinite loop
    2. Ticket #573 - 10.1.08 - Higher values of "next update grace period" are adding an extra hour to CRL's NextUpdate
    3. Ticket #572 - 10.1.08 - CRL scheduler adds extra CRL generation at midnight for daily schedules
    4. Ticket #489 - 10.1.08 - CRL updates only after server restart
    5. Ticket #490 - 10.1.08 - Adding CRL Issuing point with empty name
  • Functionality enhancements:
    1. Ticket #637 - 10.2 - Automatic management of CRL generation in clones
    2. Ticket #346 - 10.1.08 - Configuration wizard needs to properly configure default CRL issuing point when configuring cloned CA

Here is a preliminary list of CRMF desired enhancements and fixes:

  • Ticket #638 - 10.1.08 - DRM: key archival request from CRMFPopTool causes nullPointerException when viewing requests
  • Ticket #639 - 10.1.08 - Config wizard: adminpanel fails at nsIDOMCrypto.generateCRMFRequest when CS instance name (hence the DN) is long
  • Ticket #640 - 10.2 - CMC not able to handle multiple CSRs in one CMC enrollment request
  • Ticket #655 - FUTURE - Investigate option of using CMC with IE
  • Ticket #659 - FUTURE - Support sMIMECapabilities extensions in certificates (RFC 4262)

Metadata Update from @nkinder:
- Issue assigned to awnuk
- Issue set to the milestone: 10.1 - 06/13 (June)

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1098

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
