Profile Manager, SCEP profile and third-party SCEP server
Has anyone successfully used Profile Manager to create a profile to tell a (Mac) client to use EJBCA as a SCEP server?
EJBCA = Enterprise Java Beans Certificate Authority, see http://www.ejbca.org
The problem I have currently hit and been blocked by is that when the Mac runs this profile one of the steps it then does is to use the GetCACaps command. The URL it uses for this looks like
http://server.example.com/ejbca/publicweb/apply/scep/pkiclient.exe?operation=GetCACaps
However, EJBCA expects all commands to have both an operation parameter and a message parameter, so the format it wants would look like
http://server.example.com/ejbca/publicweb/apply/scep/pkiclient.exe?operation=GetCACaps&message=1
You can also test this against Apple's own built-in SCEP server in Profile Manager as follows.
http://server.example.com:1640/scep?operation=GetCACaps
http://server.example.com:1640/scep?operation=GetCACaps&message=1
Apple's own SCEP server is happy with and without the message parameter but it seems EJBCA requires it even though in this case the actual message is irrelevant.
Note: In this case using a third-party SCEP server is not for enrolment but is to acquire a client certificate for either WiFi 802.1x authentication or a certificate for VPN client authentication.
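A way to check how a SCEP endpoint treats the two GetCACaps URL forms described above, as an added example that is not part of the original post. The local stub servers, their 400 rejection and the sample capability list are constructed stand-ins, not EJBCA or Profile Manager code.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlsplit

CAPS_BODY = b"POSTPKIOperation\nSHA-256\nAES\n"  # constructed sample reply
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy

def make_stub(require_message):
    """Constructed stand-in for a SCEP server; strict mode rejects a missing message."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            query = parse_qs(urlsplit(self.path).query)
            ok = query.get("operation") == ["GetCACaps"] and (
                "message" in query or not require_message)
            self.send_response(200 if ok else 400)  # 400 is an assumed error code
            self.end_headers()
            self.wfile.write(CAPS_BODY if ok else b"missing parameter\n")
        log_message = lambda self, *args: None  # silence per-request logging
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def get_ca_caps(base_url, message=None):
    """Send one GetCACaps request; return (HTTP status, capability list)."""
    params = {"operation": "GetCACaps"}
    if message is not None:
        params["message"] = message
    try:
        with OPENER.open(f"{base_url}?{urlencode(params)}", timeout=5) as resp:
            return resp.status, resp.read().decode().split()
    except urllib.error.HTTPError as err:
        return err.code, []

def probe(base_url):
    """Try both URL forms from the post against one SCEP endpoint."""
    return {"without_message": get_ca_caps(base_url),
            "with_message": get_ca_caps(base_url, "1")}

def demo():
    results = {}
    for name, strict in (("lenient", False), ("strict", True)):
        server = make_stub(strict)
        results[name] = probe(f"http://127.0.0.1:{server.server_port}/scep")
        server.shutdown()
    return results

if __name__ == "__main__":
    print(demo())
```

Calling `probe()` with the base URL of a real SCEP endpoint shows which of the two forms that server accepts.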