scep

module

v1.0.0 Latest Latest Go to latest Published: Mar 17, 2017 License: MIT

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/robaato/scep

Links

Open Source Insights

README ¶

scep is a Simple Certificate Enrollment Protocol server and client

Installation

A binary release is available on the releases page.

Compiling

To compile the SCEP client and server, there are a few requirements.

You must have a Go compiler. The compiler is normally in the golang package.
You must have Glide, the Go package manager similar to NPM or pip.
You must have a shell variable set for $GOPATH. This is a directory used by the Go compiler and utilities for all Go projects.

Once all of those are set, clone the repository with go get github.com/micromdm/scep
Install the glide packages
- cd $GOPATH/src/github.com/micromdm/scep/
- glide install
Compile the Server Binary
- cd $GOPATH/src/github.com/micromdm/scep/cmd/scepserver
- go build
Compile the Client Binary
- cd $GOPATH/src/github.com/micromdm/scep/cmd/scepclient
- go build
The binaries will be put in the directories where you ran go build.

Example

minimal example for both server and client

# create a new CA
scepserver ca -init
# start server
scepserver -depot depot -port 2016 -challenge=secret

# in a separate terminal window, run a client
# note, if the client.key doesn't exist, the client will create a new rsa private key. Must be in PEM format.
scepclient -private-key client.key -server-url=http://scep.groob.io:2016 -challenge=secret

Server Usage

The default flags configure and run the scep server.
depot must be the path to a folder with ca.pem and ca.key files.

If you don't already have a CA to use, you can create one using the scep ca subcommand.

Usage of ./cmd/scepserver/scepserver:
  -challenge string
    	enforce a challenge password
  -depot string
    	path to ca folder (default "depot")
  -port string
    	port to listen on (default "8080")
  -version
    	prints version information

scep ca -init to create a new CA and private key.

Usage of ./cmd/scepserver/scepserver ca:
  -country string
    	country for CA cert (default "US")
  -depot string
    	path to ca folder (default "depot")
  -init
    	create a new CA
  -key-password string
    	password to store rsa key
  -keySize int
    	rsa key size (default 4096)
  -organization string
    	organization for CA cert (default "scep-ca")
  -years int
    	default CA years (default 10)

Client Usage

Usage of scepclient:
  -certificate string
    	certificate path, if there is no key, scepclient will create one
  -challenge string
    	enforce a challenge password
  -cn string
    	common name for certificate (default "scepclient")
  -country string
    	country code in certificate (default "US")
  -keySize int
    	rsa key size (default 2048)
  -organization string
    	organization for cert (default "scep-client")
  -private-key string
    	private key path, if there is no key, scepclient will create one
  -server-url string
    	SCEP server url
  -version
    	prints version information

Docker

docker pull micromdm/scep
# create CA
docker run -it --rm -v /path/to/ca/folder:/depot micromdm/scep ./scep ca -init

# run
docker run -it --rm -v /path/to/ca/folder:/depot -p 8080:8080 micromdm/scep

SCEP library

go get github.com/micromdm/scep/scep

For detailed usage, see godoc

Example:

// read a request body containing SCEP message
body, err := ioutil.ReadAll(r.Body)
if err != nil {
    // handle err
}

// parse the SCEP message
msg, err := scep.ParsePKIMessage(body)
if err != nil {
    // handle err
}

// do something with msg
fmt.Println(msg.MessageType)

// extract encrypted pkiEnvelope
err := msg.DecryptPKIEnvelope(CAcert, CAkey)
if err != nil {
    // handle err
}

// use the csr from decrypted PKCRS request
csr := msg.CSRReqMessage.CSR

// create cert template
tmpl := &x509.Certificate{
	SerialNumber: big.NewInt(1),
	Subject:      csr.Subject,
	NotBefore:    time.Now().Add(-600).UTC(),
	NotAfter:     time.Now().AddDate(1, 0, 0).UTC(),
	SubjectKeyId: id,
	ExtKeyUsage: []x509.ExtKeyUsage{
		x509.ExtKeyUsageAny,
		x509.ExtKeyUsageClientAuth,
	},
}

// create a CertRep message from the original
certRep, err := msg.SignCSR(CAcert, CAkey, tmlp)
if err != nil {
    // handle err
}

// send response back
// w is a http.ResponseWriter
w.Write(certRep.Raw)

Server library

You can import the scep endpoint into another Go project. For an example take a look at cmd/scep/main.go

Directories ¶

Path	Synopsis
client
cmd
scepclient
scepserver
depot
bolt
file
scep Package scep provides common functionality for encoding and decoding Simple Certificate Enrolment Protocol pki messages as defined by https://tools.ietf.org/html/draft-gutmann-scep-02	Package scep provides common functionality for encoding and decoding Simple Certificate Enrolment Protocol pki messages as defined by https://tools.ietf.org/html/draft-gutmann-scep-02
internal/pkcs7 Package pkcs7 implements parsing and generation of some PKCS#7 structures.	Package pkcs7 implements parsing and generation of some PKCS#7 structures.
server

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL