Hi!
Sorry for the "delay" - had a lot of work in the last days.
I think I've found the "solution" why the certificate couldn't be
installed. The iOS device seems only to allow one certificate per CA.
When I switched to create a second SCEP rollout for the same device
with another CA everything worked fine.
Can somebody confirm this behavior? IMHO it's not intended that a SCEP
CA should only issue one certificate per device.
-- Thomas
On Jun 20, 5:33 pm, <Gordon.Yo...@wellsfargo.com> wrote:
> According to the SCEP RFC Draft only PKCS#7 and PKCS10 are supported.
>
> I heard of some implementations where there is enrollment “on behalf of” the device where the web application that serves as a proxy between the devices and the CA’s is delivering the PKCS#12 to the device.
>
> IMO you would not want the private key to leave the device. If your intent is to strongly identify the device as a managed asset, you then do not want the private key to be portable, even if encrypted in PKCS#12 file.
> Having an identity’s private key in escrow somewhere adds more operational overhead as you have to build more stringent controls around the system housing the key archive or point of private key origination on behalf of the device.
>
> My thought is, as a best practice you wouldn’t want the private key to leave the device. You want to rely on iPhone OTA configuration profiles to convey the PKCSReq to the SCEP RA, and the signed certificate response back to the device.
>
> ~Gordon
>
> From: jscep-...@googlegroups.com [mailto:jscep-...@googlegroups.com] On Behalf Of David Grant
> Sent: Monday, June 20, 2011 8:22 AM
> To: jscep-...@googlegroups.com
> Subject: Re: SCEP Enrollment for iOS devices
>
> Hi René,
>
> I'm afraid I don't understand your question. Are you attempting to store the enrolled certificate in a PKCS#12 file?
>
> Dave
> On 20 June 2011 16:18, Thomas Engelmann <r...@gmx.at> wrote:
> Hi Dave,
>
> yes - I know the specs. But what would be the correct way to serve a
> p12, just for testing?
>
> -- René
>
> On Jun 20, 3:57 pm, David Grant <da...@grant.org.uk> wrote:
>
> > Hi Thomas,
>
> > SCEP describes enrolling a PKCS#10 CSR, and makes no mention of sending a
> > PKCS#12 payload.
>
> > Dave
>
> > On 20 June 2011 14:54, Thomas Engelmann <r...@gmx.at> wrote:
>
> > > Hi Dave,
>
> > > I think I got an idea where the problem is. Maybe the process needs a
> > > p12 file to be enrolled in non-OTA profiles.
>
> > > Is there a way to do that (enroll a p12 and not a cer)?
>
> > > Thanks,
> > > Thomas
>
> > > On Jun 20, 2:33 pm, David Grant <da...@grant.org.uk> wrote:
> > > > Hi Thomas,
>
> > > > Do you have any further information, e.g. logs that you can share? As it
> > > > stands, there isn't a lot I can offer in terms of support.
>
> > > > Dave
>