06-Feb-2017 13:18 - last edited on 03-Jun-2023 22:47 by JimmyPackets
I have built a process where a user connects to the Big-IP using the Edge Client in order to request a user certificate. I gather some information from the Edge Client, LDAP and Active Directory and then I make a sideband connection from an iRule in order to execute a local bash script. Among other things, the bash script creates and signs a certificate (snippet below) and then emails the certificate to the user.
# Create private key
openssl genrsa \
-rand /var/tmp/$rndfile \
-out /var/tmp/$csr_adname.key.pem 2048

# Create CSR
openssl req \
-sha512 \
-new \
-subj "/C=CA/O=$csr_o/OU=$csr_ou/DC=$csr_domain/CN=$csr_udid/emailAddress=$csr_email/pseudonym=$csr_adname_encrypt/SN=$csr_sn/GN=$csr_gn" \
-key /var/tmp/$csr_adname.key.pem \
-out /var/tmp/$csr_adname.csr.pem

# Sign
openssl x509 \
-extfile /root/ca/intermediate/openssl.cnf \
-extensions usr_cert \
-sha512 \
-req \
-in /var/tmp/$csr_adname.csr.pem \
-out /root/ca/intermediate/newcerts/${csr_adname}.${csr_udid}.cert.pem \
-CAkey /root/ca/intermediate/private/intermediate.key.pem \
-CA /root/ca/intermediate/certs/intermediate.cert.pem \
-days $days \
-passin file:/shared/xxxx/intermediate.pwd \
-CAcreateserial \
-CAserial /root/ca/intermediate/serial
The Big-IP is an intermediate CA, therefore the certificates that I create are not self-signed. Everything is working just fine; however, I would like to remove the role of the Big-IP being an intermediate CA and instead talk to our Enterprise CA. I am looking for some guidance as to how to do this…
From what I have read so far, in order to pass the CSR over to our CA I need to use SCEP to talk to our Network Device Enrolment Server which runs on Windoze. Does this make sense? Can this be done with an openssl command or do I need a SCEP utility on the Big-IP? If SCEP, is there something built-in or do I need to find an open source SCEP utility such as https://github.com/certnanny/sscep ?
Just hoping someone can point me in the right direction - any guidance would be appreciated.
Thanks.
APM 12.1.2
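As an added example (not code from the post, from F5 or from the sscep project), here is how the CSR step above could be adapted for NDES: the one-time challenge that NDES hands out goes into the CSR as a challengePassword attribute, and sscep then submits that CSR. The NDES URL, the subject fields and the sscep command syntax are assumptions to check against your server and the sscep README.

```shell
# Added example, not code from the original post; sscep on the Big-IP, the
# NDES URL and the subject fields are assumptions/placeholders.
set -eu
# Build a CSR whose challengePassword attribute carries the one-time NDES
# challenge. The DN is given via config, not -subj: openssl req drops the
# [req_attrs] section when -subj is used.
# $1 key file, $2 output CSR, $3 CN, $4 challenge from the NDES admin page
make_scep_csr() {
    key="$1"; csr="$2"; cn="$3"; challenge="$4"
    cnf=$(mktemp)
    cat > "$cnf" <<EOF
[ req ]
prompt = no
distinguished_name = req_dn
attributes = req_attrs
[ req_dn ]
C = CA
O = Example Org
CN = $cn
[ req_attrs ]
challengePassword = $challenge
EOF
    openssl req -new -sha512 -key "$key" -config "$cnf" -out "$csr"
    rm -f "$cnf"
}
# Return 0 when the CSR carries challengePassword with the expected value.
has_challenge() {
    text=$(openssl req -in "$1" -noout -text)
    case "$text" in
        *challengePassword*"$2"*) return 0 ;;
        *) return 1 ;;
    esac
}
# Submit the CSR over SCEP. Run `sscep getca -u URL -c ca.crt` first; it writes
# ca.crt, or ca.crt-0, ca.crt-1, ... when NDES returns a chain, and the RA
# certificate from that set is passed as $5 (flags per the sscep README, an
# assumption; if NDES uses a separate RA encryption certificate, give it to -e).
scep_enroll() {
    url="$1"; key="$2"; csr="$3"; out="$4"; ra="$5"
    sscep enroll -u "$url" -c "$ra" -e "$ra" -k "$key" -r "$csr" -l "$out"
}
# Usage: NDES_URL=http://ndes.example/certsrv/mscep/mscep.dll sh scep.sh key.pem CN CHALLENGE RACERT
if [ -n "${NDES_URL:-}" ]; then
    make_scep_csr "$1" request.csr "$2" "$3"
    scep_enroll "$NDES_URL" "$1" request.csr issued.crt "$4"
fi
```

The issued certificate still has to be verified against the Enterprise CA chain (openssl verify -CAfile) before it is mailed to the user, just as the intermediate-signed one was.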