Profile Manager and external SCEP/PKI/OCSP server

A Mac running Profile Manager also acts as its own SCEP server for enrolling client devices into Profile Manager. This works fine. SCEP is for allowing client devices to automatically get client certificates, and Profile Manager uses this when enrolling client devices. (SCEP was invented by Cisco.)


Via Profile Manager it is however also possible to push a profile containing settings telling a client about an external non-Profile Manager SCEP server. This might then be used to tell a client device to get a certificate for connecting to an 802.1x secured WiFi network, or a VPN system which uses certificates rather than a pre-shared-key.


While in theory Apple's own SCEP server could be used for these additional purposes, in reality this does not seem possible. It seems the most common scenario involves, quelle surprise, using Microsoft servers. If you bind to Active Directory then you already get a client certificate, and you can also use Microsoft's NDES (Network Device Enrollment Service). I am however looking for an alternative to Microsoft.


Since Apple's own SCEP server seems unsuitable (and has other limitations) and Microsoft is not wanted, what other systems have people used successfully with Profile Manager, and particularly Mac clients? I have tried EJBCA (Enterprise Java Beans CA) and unfortunately there seems currently to be an issue using that. EJBCA currently insists all commands also have a message parameter even if the command does not require it. If you use Profile Manager to tell a Mac to use EJBCA then the Mac tries a command without a message parameter and hence is rejected by EJBCA.


See http://sourceforge.net/p/ejbca/discussion/123123/thread/cabaf26d/ and https://discussions.apple.com/thread/5674409


For the same reason (cost) as Microsoft, I would also want to avoid Cisco. Any other suggestions?


The requirements are:


Ability to issue via SCEP correctly configured client certificates for 802.1x and VPN authentication

Ability to revoke via OCSP and CRL those certificates

Ability to run either under OS X or Linux


PS. It's a shame Apple's own software cannot handle this, especially as OS X and Server.app do include all the necessary components (SCEP, OCSP, CRL, a database, a webserver).

Posted on Dec 31, 2013 8:19 AM
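The interoperability failure described in the post comes down to which SCEP operations carry a message parameter. The following Python script is an added illustration written for this page; it is not code from the original post, from EJBCA or from Apple. It models the GET request shapes a SCEP client sends and a server-side validator that follows the protocol as specified in RFC 8894, where message is optional for GetCACaps and GetCACert (an optional CA identifier) but mandatory for a PKIOperation sent via GET, because it carries the base64 pkiMessage. The strict_message flag only emulates the "every operation must have a message" behaviour the poster reports; it is an assumption for illustration, not a description of EJBCA's code. The hostname and the PKCS#7 payload are constructed sample values.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlencode, urlparse

# SCEP operations defined in RFC 8894. Only a PKIOperation sent via GET
# must carry a message (the base64 pkiMessage); for GetCACaps/GetCACert
# the message is an optional CA identifier.
SCEP_OPERATIONS = {"GetCACaps", "GetCACert", "GetNextCACert", "PKIOperation"}
MESSAGE_REQUIRED = {"PKIOperation"}

# Constructed sample values (not real infrastructure or real PKCS#7 data).
SAMPLE_BASE_URL = "https://ca.example.test/scep/pkiclient.exe"
SAMPLE_PKI_MESSAGE = base64.b64encode(b"constructed-sample-pkiMessage").decode()


def build_scep_url(base_url, operation, message=None):
    """Client side: build the GET URL a SCEP client would request.
    A client enrolling through Profile Manager sends GetCACaps and
    GetCACert without any message parameter."""
    params = {"operation": operation}
    if message is not None:
        params["message"] = message
    return f"{base_url}?{urlencode(params)}"


def parse_scep_query(url, strict_message=False):
    """Server side: validate the query string of a SCEP GET request.

    strict_message=True emulates a server that rejects any operation
    lacking a message parameter (the behaviour the thread reports), which
    breaks standards-conforming GetCACaps/GetCACert requests."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    ops = qs.get("operation", [])
    if len(ops) != 1 or ops[0] not in SCEP_OPERATIONS:
        return {"ok": False, "reason": "missing or unknown operation"}
    op = ops[0]
    # Treat an empty message=... exactly like an absent parameter.
    message = qs.get("message", [""])[0] or None
    if message is None and (op in MESSAGE_REQUIRED or strict_message):
        return {"ok": False, "reason": f"{op} requires a message parameter"}
    if op == "PKIOperation":
        # The message must be decodable base64; the decoded bytes would then
        # be handed to a PKCS#7 parser, which is out of scope here.
        try:
            if not base64.b64decode(message, validate=True):
                return {"ok": False, "reason": "empty pkiMessage"}
        except (binascii.Error, ValueError):
            return {"ok": False, "reason": "pkiMessage is not valid base64"}
    return {"ok": True, "operation": op, "message": message}


def simulate_enrollment(strict_message=False, base_url=SAMPLE_BASE_URL):
    """Replay the three requests an enrolling client makes and record which
    ones the server accepts. Returns a list of (operation, accepted)."""
    requests = [
        build_scep_url(base_url, "GetCACaps"),
        build_scep_url(base_url, "GetCACert"),
        build_scep_url(base_url, "PKIOperation", SAMPLE_PKI_MESSAGE),
    ]
    results = []
    for url in requests:
        verdict = parse_scep_query(url, strict_message=strict_message)
        op = parse_qs(urlparse(url).query)["operation"][0]
        results.append((op, verdict["ok"]))
    return results


if __name__ == "__main__":
    for mode in (False, True):
        print(f"strict_message={mode}:")
        for op, accepted in simulate_enrollment(strict_message=mode):
            print(f"  {op:13s} -> {'accepted' if accepted else 'REJECTED'}")
```

Run stand-alone, the script shows that a conforming server accepts all three requests, whereas the strict variant rejects GetCACaps and GetCACert before the client ever reaches the PKIOperation step, which is exactly where an enrollment pushed from Profile Manager would stall.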


Dec 31, 2013 12:06 PM in response to MrHoffman

MrHoffman wrote:


FWIW, working with a private root certificate authority locally, and have been intending to prototype with OpenCA as part of that. (That may end up being on a Linux box, however.)


Getting better SCEP support rolled into OS X Server is certainly reasonable. Might want to log an enhancement request via BugReporter, if you have access to that.

Great minds think alike 🙂


I have been looking at OpenCA today and what appears to be its successor OpenXPKI.


See http://www.openxpki.org/ and

https://github.com/openxpki/openxpki


OpenXPKI on paper seems to have all the needed functionality (like EJBCA) but as yet I can't tell if it has a web-management interface like EJBCA. I can see there is supposed to be a port for OS X although I might still use the Linux version instead.


If you make progress with OpenCA (or, as I would suggest instead, OpenXPKI), please let me know.
