Forum Discussion

David_G__33241
Nimbostratus
Feb 06, 2017

SCEP on Big-IP

I have built a process where a user connects to the Big-IP using the Edge Client in order to request a user certificate. I gather some information from the Edge Client, LDAP and Active Directory and then I make a sideband connection from an iRule in order to execute a local bash script. Among other things, the bash script creates and signs a certificate (snippet below) and then emails the certificate to the user.

Create private key

# 2048-bit RSA key, seeded from a per-request random file; the key is written
# unencrypted under /var/tmp, so it is only as protected as that directory
openssl genrsa \
        -rand "/var/tmp/$rndfile" \
        -out "/var/tmp/$csr_adname.key.pem" 2048

Create CSR

# The subject is built entirely from -subj (no config file is consulted for
# DN or attributes); the request itself is signed with SHA-512
openssl req \
        -sha512 \
        -new \
        -subj "/C=CA/O=$csr_o/OU=$csr_ou/DC=$csr_domain/CN=$csr_udid/emailAddress=$csr_email/pseudonym=$csr_adname_encrypt/SN=$csr_sn/GN=$csr_gn" \
        -key "/var/tmp/$csr_adname.key.pem" \
        -out "/var/tmp/$csr_adname.csr.pem"

Sign

# Sign the CSR with the intermediate CA key (its passphrase is read from a
# file), applying the usr_cert extensions from the CA's openssl.cnf; the
# serial file is created on first use and incremented on every signing
openssl x509 \
        -extfile /root/ca/intermediate/openssl.cnf \
        -extensions usr_cert \
        -sha512 \
        -req \
        -in "/var/tmp/$csr_adname.csr.pem" \
        -out "/root/ca/intermediate/newcerts/${csr_adname}.${csr_udid}.cert.pem" \
        -CAkey /root/ca/intermediate/private/intermediate.key.pem \
        -CA /root/ca/intermediate/certs/intermediate.cert.pem \
        -days "$days" \
        -passin file:/shared/xxxx/intermediate.pwd \
        -CAcreateserial \
        -CAserial /root/ca/intermediate/serial

The Big-IP is an intermediate CA; therefore the certificates that I create are not self-signed. Everything is working just fine; however, I would like to remove the role of the Big-IP as an intermediate CA and instead talk to our Enterprise CA. I am looking for some guidance as to how to do this…

From what I have read so far, in order to pass the CSR over to our CA I need to use SCEP to talk to our Network Device Enrolment Server, which runs on Windoze. Does this make sense? Can this be done with an openssl command, or do I need a SCEP utility on the Big-IP? If SCEP, is there something built in, or do I need to find an open-source SCEP utility such as https://github.com/certnanny/sscep ?

Just hoping someone can point me in the right direction - any guidance would be appreciated.

Thanks.

APM 12.1.2
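The post asks whether OpenSSL alone can hand the CSR to NDES. It cannot: OpenSSL has no SCEP client, so the exchange needs a SCEP implementation such as the sscep tool the poster links. What NDES also requires is a one-time challenge password, obtained from its admin page (https://<ndes>/certsrv/mscep_admin/, an authenticated page) and embedded in the CSR as the PKCS#10 challengePassword attribute. A CSR built with -subj, as in the script above, never gets that attribute, because openssl req takes the whole subject from -subj and skips the config's attributes section; the DN therefore has to come from a config file with prompt = no. The script below is an added example, not the poster's code and not F5's or sscep's own; the NDES host name, DN values, file paths, and the assignment of the split CA files to RA signing versus RA encryption roles are assumptions to be checked in the target environment.

```shell
#!/bin/sh
# Added example, not from the original post: enrol a user certificate through
# an NDES (Microsoft SCEP) server, using openssl for the key and CSR and the
# sscep client (https://github.com/certnanny/sscep) for the SCEP exchange.
# Assumed: the NDES host name, the DN values, file locations, and that sscep
# is installed. The challenge password is fetched out of band from
# https://<ndes>/certsrv/mscep_admin/ and passed in as an argument.

# Write an openssl req config that carries the NDES one-time challenge password
# as the PKCS#10 challengePassword attribute. The DN comes from the config as
# well (prompt = no): when -subj is given on the command line, openssl req
# builds the subject from it and does not add the attributes section.
write_req_config() {
    cnf=$1 cn=$2 email=$3 challenge=$4
    cat > "$cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = req_dn
attributes         = req_attrs
default_md         = sha256

[ req_dn ]
C            = CA
O            = Example Org
OU           = Users
CN           = $cn
emailAddress = $email

[ req_attrs ]
challengePassword = $challenge
EOF
}

# Generate <base>.key.pem and <base>.csr.pem. The config holds the challenge
# password, so it is created with a private umask and removed afterwards.
make_key_and_csr() {
    base=$1 cn=$2 email=$3 challenge=$4
    umask 077
    write_req_config "$base.cnf" "$cn" "$email" "$challenge"
    openssl genrsa -out "$base.key.pem" 2048 2>/dev/null || return 1
    openssl req -new -config "$base.cnf" -key "$base.key.pem" -out "$base.csr.pem" || return 1
    rm -f "$base.cnf"
}

# Returns 0 if the CSR carries a challengePassword attribute, which NDES checks
# before it issues; a sanity check worth running before the request goes out.
csr_has_challenge() {
    openssl req -in "$1" -noout -text | grep -q 'challengePassword'
}

# SCEP exchange with sscep. NDES serves SCEP at /certsrv/mscep/mscep.dll.
scep_enroll() {
    base=$1 ndes_host=$2
    url="http://$ndes_host/certsrv/mscep/mscep.dll"

    # GetCACert: NDES answers with a PKCS#7 chain (CA cert plus the RA signing
    # and RA encryption certs); sscep splits it into <file>-0, <file>-1, ...
    sscep getca -u "$url" -c "$base.ca.crt" || return 1

    # Requests are encrypted to the RA encryption cert (-e) and responses are
    # verified against the RA signing cert (-c). Which split file is which
    # must be checked once with 'openssl x509 -in <file> -noout -text'
    # (Key Usage: Key Encipherment vs Digital Signature); the -0/-1 assignment
    # below is an assumption made for this example.
    # -t/-n: if the template needs CA manager approval NDES answers PENDING;
    # poll every 30 s, at most 20 times.
    sscep enroll -u "$url" \
        -c "$base.ca.crt-1" -e "$base.ca.crt-0" \
        -k "$base.key.pem" -r "$base.csr.pem" -l "$base.cert.pem" \
        -S sha256 -E 3des \
        -t 30 -n 20
}

# Usage with assumed values (challenge fetched from mscep_admin beforehand):
#   make_key_and_csr /var/tmp/jdoe "$csr_udid" jdoe@example.com "$CHALLENGE" \
#     && csr_has_challenge /var/tmp/jdoe.csr.pem \
#     && scep_enroll /var/tmp/jdoe ndes.example.com
```

Two things to keep in mind when wiring this into the iRule-driven script: the NDES challenge password is single-use and expires shortly after it is issued, so it has to be fetched per request rather than cached, and the private key and CSR in /var/tmp should be removed (or generated somewhere with tighter permissions) once the certificate has been delivered, exactly as for the key the current script already writes there.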
