gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 14:11:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs(scep): RFC 8894 hardening — README + architecture + connectors

Browse Source 
SCEP RFC 8894 + Intune master bundle — Phase 6 of 14.

Closes Half 1 of the bundle (Phases 0-6). The certctl SCEP server now
ships full RFC 8894 wire format (EnvelopedData decrypt + signerInfo POPO
verify + CertRep PKIMessage builder), tested against ChromeOS-shape
hermetic E2E requests, with multi-profile dispatch and must-staple
per-profile policy. Half 2 (Phases 7-12) adds the Microsoft Intune
dynamic-challenge layer; Phase 6.5 (mTLS sibling route) is independently
shippable as an opt-in enterprise-procurement feature.

README.md
  * Standards & Revocation table SCEP row updated to mention full RFC
    8894 wire format (EnvelopedData decryption, signerInfo POPO
    verification, CertRep PKIMessage builder), PKCSReq + RenewalReq +
    GetCertInitial messageType dispatch, multi-profile dispatch
    (/scep/<pathID>), per-profile RA cert + key, MVP fall-through for
    lightweight clients.
  * Enrollment protocols paragraph extended with the same scope, plus
    a link to docs/legacy-est-scep.md for the operator + device-
    integration guide.

docs/architecture.md
  * SCEP wire format paragraph rewritten to describe the two paths
    (RFC 8894 first, MVP fall-through), the messageType dispatch
    table, the EnvelopedData decrypt (constant-time PKCS#7 unpad
    closing the padding-oracle leg), the SET-OF Attribute
    re-serialisation quirk per RFC 5652 §5.4, and the CertRep
    PKIMessage shape (cert chain encrypted to req.SignerCert, NOT
    the RA cert).
  * SCEP service interface updated to show the three new
    *WithEnvelope variants alongside the legacy PKCSReq method.
  * Added 'Capabilities advertised', 'Multi-profile dispatch', and
    'Must-staple per profile' subsections covering the RFC 7633
    extension policy.

docs/connectors.md
  * EST/SCEP Integration section extended with the per-profile
    issuer-binding env-var form (CERTCTL_SCEP_PROFILE_<NAME>_ISSUER_ID).
  * New SCEP RA cert + key paragraph pointing operators at the
    legacy-est-scep.md openssl recipe + ChromeOS Admin Console
    pointer + must-staple per-profile policy.

cowork/CLAUDE.md::Active Focus
  * 2026-04-29 SCEP RFC 8894 + Intune master bundle status updated
    to 'HALF 1 COMPLETE (Phases 0-5 of 14 SHIPPED)' with the full
    chain of commit SHAs (105c307fdd424ba546a1bb540d44 +
    7b40361b33b843).
  * Unreleased-on-master bullet extended to enumerate the SCEP
    bundle deliverables alongside the CRL/OCSP work, plus the new
    SCEP env vars (CERTCTL_SCEP_RA_*_PATH, CERTCTL_SCEP_PROFILES,
    CERTCTL_SCEP_PROFILE_<NAME>_*).

cowork/CLAUDE.md::Architecture Decisions
  * Added a new bullet for 'SCEP RFC 8894 native implementation
    (post-2026-04-29)' covering the load-bearing design decisions:
    EnvelopedData decrypt with constant-time padding strip, the
    SET-OF re-serialisation quirk, the dispatch-on-messageType
    pattern, multi-profile dispatch, the MVP fall-through contract,
    capability advertisement, ChromeOS-shape E2E test, must-staple
    per-profile.

Smoke test against fresh make docker-up SKIPPED in this commit — the
sandbox doesn't have Docker available. The full smoke recipe is in
the Phase 6.3 prompt; CI runs the full integration suite via the
standard docker-compose.test.yml workflow on the next push.

Verification (sandbox):
  * gofmt + go vet + staticcheck clean for all touched paths.
  * go test -short -count=1 green across api/handler / api/router /
    service / pkcs7 / connector/issuer/local / domain / cmd/server.
  * Coverage held: handler 79.0% / service 73.2% / pkcs7 80.5% /
    config 96.0% / domain 88.6% / router 100%.

Phase 6 of 14 in SCEP RFC 8894 + Intune master bundle.
Half 1 COMPLETE. Half 2 (Phases 7-12, Microsoft Intune dynamic-
challenge layer) ready to begin.
This commit is contained in:
shankar0123
2026-04-29 13:21:50 +00:00
parent b33b843908
commit 23603f5174
3 changed files with 22 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+2 -2
View File
@@ -107,7 +107,7 @@ gantt
| Protocol | Standard | Use Case |
|----------|----------|----------|
| EST (Enrollment over Secure Transport) | RFC 7030 | Device enrollment, WiFi/802.1X, IoT |
| SCEP (Simple Certificate Enrollment Protocol) | RFC 8894 | MDM platforms (Jamf, Intune), network devices |
| SCEP (Simple Certificate Enrollment Protocol) | RFC 8894 | MDM platforms (Jamf, Intune), network devices, ChromeOS. Full RFC 8894 wire format: EnvelopedData decryption, signerInfo POPO verification, CertRep PKIMessage builder; PKCSReq + RenewalReq + GetCertInitial messageType dispatch; multi-profile dispatch (`/scep/<pathID>`); per-profile RA cert + key. Lightweight raw-CSR clients keep working via the legacy MVP fall-through path. |
| ACME v2 | RFC 8555 | Public CA automated issuance (Let's Encrypt, ZeroSSL) |
| ACME ARI (Renewal Information) | RFC 9773 | CA-directed renewal timing — the CA tells you when to renew |
@@ -173,7 +173,7 @@ Built for **platform engineering and DevOps teams** managing 10500+ certifica
**Policy engine.** Certificate profiles constrain key types, max TTL, and EKUs — with crypto policy enforcement that validates every CSR against profile rules before it reaches the issuer. MaxTTL caps are enforced per issuer connector. Approval workflows pause jobs for human review. Ownership tracking routes notifications to the right team. Agent groups match devices by OS, architecture, IP CIDR, and version.
**Enrollment protocols.** EST server (RFC 7030) for device and WiFi enrollment. SCEP server (RFC 8894) for MDM platforms and network devices. S/MIME issuance with email protection EKU.
**Enrollment protocols.** EST server (RFC 7030) for device and WiFi enrollment. SCEP server (RFC 8894) for MDM platforms and network devices — full wire format (EnvelopedData decrypt + signerInfo POPO verify + CertRep PKIMessage builder), tested against ChromeOS-shape requests; multi-profile dispatch (`/scep/<pathID>`); RenewalReq + GetCertInitial messageType support; lightweight raw-CSR fallback for legacy clients. See [docs/legacy-est-scep.md](docs/legacy-est-scep.md) for the operator + device-integration guide. S/MIME issuance with email protection EKU.
**Revocation.** Single and bulk revocation (by profile, owner, agent, or issuer). RFC 5280 reason codes. Production-grade revocation status surface for relying parties: DER-encoded X.509 CRL per issuer, scheduler-pre-generated and cached so HTTP fetches do not rebuild per request; embedded OCSP responder serving both GET and POST forms (RFC 6960 §A.1.1) with responses signed by a per-issuer dedicated OCSP responder cert (RFC 6960 §2.6, `id-pkix-ocsp-nocheck` per §4.2.2.2.1) — the CA private key is never used directly for OCSP signing. Both endpoints live unauthenticated under `/.well-known/pki/` per RFC 8615. Short-lived certs (TTL < 1 hour) are exempt — expiry is sufficient revocation. See [docs/crl-ocsp.md](docs/crl-ocsp.md) for the relying-party integration guide.