GetCACert support for optional “message=$CA_Identifier”

[tedescn]

I’ve just started evaluating the libscep client to determine if it works with our existing Managed SCEP Responder (based on Symantec (VeriSign) technology).

Because the SCEP Responder responds for multiple issuing CAs there is a need to support the message name value pair identified within the section 5.2.1 of the SCEP-23 standard.

Currently I’m not seeing the optional message name value pair added as indicated by the debug below.

For completeness I show the command line query, debug output and the expected output.

Command line query:

scep-client getca --verbose --debug --identifier=$RootCA_Identifier --url=$SCEP_RESPONDER --identifier=$RootCA_Identifier --ca-cert=$RootCA_file

Debug Output:

scep-client-util.c:191: Full request URL including query: "${SCEP_RESPONDER}”?operation=GetCACert

Expected output:

scep-client-util.c:191: Full request URL including query: "${SCEP_RESPONDER}”?operation=GetCACert&message=”${RootCA_Identifier}”

[gknocke]

Thanks for testing libscep!
Your concerns look valid and I'll look into it and come back with an answer as soon as I can.

[tedescn]

Gideon,

Thanks for your response.

My aim will be to work through the subset of SCEP messages our SCEP responder supports, feeding back protocol issues and observations as we identify them.

Regards
Nigel

[Javex]

Hi Nigel,

You are correct, our current client does not support this feature. However, it also has extremely limited support for everything else. It is just far from finished. Currently, I do not have the time to complete it but I am to find it in the future.

The functionality you are missing can be added in a small change but I fear you will soon encounter further roadblocks when using scep-cli. My recommendation is that you

a) Implement your own client using libscep. The library is actually fairly mature already and is just lacking documentation
b) Continue development on the current scep-cli client. In this case I will provide all the help I can.
c) Use sscep which should provide the features you need.

Option c) is probably the quickest and easiest solution for you but has a harder integration as it has no library component.

I will leave this open for now as a feature request.