Re: Cisco and automatic renewal (signature with old certificate)
Hi Max,
On Thu, May 08, 2008 at 09:31:45AM -0500, max pritikin wrote:
> Yes, this list doesn't get much traffic but we're here.
Good to know :-)
> Regenerate will get the router to automatically generate new keys when
> it reenrolls. Otherwise it would use its current keys -- in effect
> just getting a new cert/longer lifetime. It sounds like that is
> working correctly for you.
Sort of. In the latter case, the same transaction ID is being used,
because the same public key is used. Now the standard says this is
possible, but how do I decide on the CA side whether a given transaction
just wants the certificate that has already been issued returned or
is actually a new transaction for a renewal with the same key?
Looks like the only thing I can do there is some heuristics on when the
certificate expires ...? Doesn't feel good to me.
> Your problem is a self-signed cert being used to sign the PKCS7?
Yes, for the renewal I would assume that the signature is made using
the already existing certificate, which in turn could authenticate
the device and make the CA auto-issue the new certificate (this was
added in later SCEP drafts).
> Are you returning "Renewal" in the GetCACaps SCEP response?
Unfortunately, we didn't implement GetCACaps (yet) - would that change
anything?
Cheers,
Alex
--
Dipl.-Math. Alexander Klink | IT-Security Engineer | a.klink@xxxxxxxxx
mobile: +49 (0)178 2121703 | Cynops GmbH | http://www.cynops.de
----------------------------+----------------------+---------------------
HRB 7833, Amtsgericht | USt-Id: DE 213094986 | Geschäftsführer:
Bad Homburg v. d. Höhe | | Martin Bartosch
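As an added example (not code from this thread, Cisco, or Cynops) of the CA-side decision discussed above: with the transactionID derived from the public key, a second PKCSReq carrying a known ID is ambiguous unless the PKCS#7 is signed with the previously issued certificate, and the fallback is the expiry heuristic mentioned. It assumes the ID is the hex SHA-1 of the DER SubjectPublicKeyInfo (the thread only says it is derived from the public key), and the constructed `IssuedCert` record and the 30-day window are illustrative.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class IssuedCert:
    """Minimal record of a certificate this CA already issued (constructed)."""
    spki_der: bytes        # DER SubjectPublicKeyInfo of the certified key
    not_after: datetime    # certificate expiry


def transaction_id(spki_der: bytes) -> str:
    """SCEP transactionID assumed to be hex SHA-1 over the public key, so any
    request that reuses the key repeats the ID of the original enrollment."""
    return hashlib.sha1(spki_der).hexdigest().upper()


def classify_pkcsreq(spki_der: bytes, signer_self_signed: bool,
                     issued: dict, now: datetime,
                     renewal_window: timedelta = timedelta(days=30)) -> str:
    """Classify a PKCSReq on the CA side.

    Returns 'new'             - unknown key, ordinary enrollment
            'renewal'         - PKCS#7 signed with the CA-issued cert (later
                                SCEP drafts): proof of the existing credential,
                                safe to auto-issue
            'resend'          - self-signed signer, key already certified and
                                far from expiry: hand back the existing cert
            'renewal-pending' - self-signed signer, same key, cert about to
                                expire: treat as renewal but require approval,
                                since nothing authenticates the request
    """
    prior = issued.get(transaction_id(spki_der))
    if prior is None:
        return "new"
    if not signer_self_signed:
        return "renewal"
    # Self-signed signer with a key we already certified: the ID alone cannot
    # tell a re-fetch from a same-key renewal, so fall back to expiry timing.
    if prior.not_after - now <= renewal_window:
        return "renewal-pending"
    return "resend"
```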