Has anyone managed to bolt together a SCEP server with an ACME client, so that a SCEP client (like a router) can get LetsEncrypt certificates?
I have had a look at open-source SCEP implementations, but the ones I found seem to be built around issuing certs from a local CA.
In principle the approach is straightforward though:
1. SCEP client sends CSR together with a challenge string (this is a standard part of the protocol)
2. Server has a list of domains together with corresponding challenges or challenge hashes, to validate the request
3. Server sends the certificate request to LetsEncrypt, and performs the domain validation itself, e.g. using DNS-01
4. Server returns the minted certificate to SCEP client
It would be pretty neat, as many network devices have SCEP functionality built-in. Using a SCEP client would also be a useful alternative to using ACME, for servers which are on an internal private network (they would not have to be directly involved with DNS-01).
If anyone has done this, I’d be interested in pointers.
I actually contemplated an idea of a VM or docker image that behaves like a subCA (but really is just a CA proxy) that would allow for loading particular domains and credentials and API settings for doing DNS-01 challenges for any label below the proxy’s configured domains.
Then this VM could surface a registration and authentication mechanism that various simple APIs or clients or, say, an SCEP interface, could provide certificates on demand to the various authorized entities. (and add ACL logic for which authenticated users are allowed to request what, in particular, etc.)
Could be kind of neat, and would resolve a lot of issues where an org’s various systems would otherwise need DNS update keys that may not be as granular as the org wants.
To my knowledge, no one is presently working on building such a system, but would be interesting…
micromdm/scep looks like a good starting point. It’s written in Go and was last updated in Nov 2017. There is already an open issue for an external CA plugin. There is a hook for validating the CSR, which I believe could ensure each domain has a different challenge password.
openscep was last released in 2002 (!) and is in C. It doesn’t have its own GitHub, but there is a mirror.
There are various heavyweight CAs (dogtag, OpenXPKI) which have SCEP server support. Definitely overkill. And I don’t want to run any Java.
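The piece both the original proposal (step 2: a per-domain list of challenges or challenge hashes checked against the CSR's challenge string) and the CSR-validation hook mentioned for micromdm/scep hinge on is the server-side check that runs before anything is forwarded to Let's Encrypt. The following is an added Go example written for this thread; it is not code from micromdm/scep or from any of the posters. It assumes a hypothetical `buildSCEPCSR` helper that stands in for the router, constructed host names and challenge strings, CN-only CSRs, and leaves out the SCEP PKCS#7 transport and the ACME call. Because Go's `encoding/x509` drops the PKCS#9 challengePassword attribute when it parses a CSR, the attribute is pulled out of the signed TBS bytes by hand.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// PKCS#9 challengePassword (what a SCEP client puts in its CSR) and ecdsa-with-SHA256.
var oidChallengePassword = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 7}
var oidECDSAWithSHA256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 4, 3, 2}

// PKCS#10 pieces mirrored here: encoding/x509 drops challengePassword when parsing a CSR.
type pkcs10Attribute struct {
	Type   asn1.ObjectIdentifier
	Values []asn1.RawValue `asn1:"set"`
}
type tbsCSR struct {
	Version    int
	Subject    asn1.RawValue
	PublicKey  asn1.RawValue
	Attributes []asn1.RawValue `asn1:"tag:0"`
}

// buildSCEPCSR is a hypothetical stand-in for the router: a DER CSR for cn carrying the
// challengePassword, signed with ECDSA P-256/SHA-256 to prove possession of the key.
func buildSCEPCSR(cn, password string, key *ecdsa.PrivateKey) ([]byte, error) {
	subj, _ := asn1.Marshal(pkix.Name{CommonName: cn}.ToRDNSequence()) // fixed inputs: cannot fail
	spki, _ := x509.MarshalPKIXPublicKey(&key.PublicKey)
	pw, _ := asn1.Marshal(password)
	attr, _ := asn1.Marshal(pkcs10Attribute{Type: oidChallengePassword, Values: []asn1.RawValue{{FullBytes: pw}}})
	tbs, _ := asn1.Marshal(tbsCSR{
		Subject:    asn1.RawValue{FullBytes: subj},
		PublicKey:  asn1.RawValue{FullBytes: spki},
		Attributes: []asn1.RawValue{{FullBytes: attr}},
	})
	digest := sha256.Sum256(tbs)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	return asn1.Marshal(struct {
		TBS       asn1.RawValue
		SigAlg    pkix.AlgorithmIdentifier
		Signature asn1.BitString
	}{asn1.RawValue{FullBytes: tbs}, pkix.AlgorithmIdentifier{Algorithm: oidECDSAWithSHA256}, asn1.BitString{Bytes: sig, BitLength: 8 * len(sig)}})
}

// challengePassword pulls the attribute back out of the signed TBS bytes.
func challengePassword(rawTBS []byte) (string, error) {
	var tbs tbsCSR
	if _, err := asn1.Unmarshal(rawTBS, &tbs); err != nil {
		return "", err
	}
	for _, raw := range tbs.Attributes {
		var attr pkcs10Attribute
		if _, err := asn1.Unmarshal(raw.FullBytes, &attr); err != nil || !attr.Type.Equal(oidChallengePassword) || len(attr.Values) != 1 {
			continue
		}
		var pw string
		_, err := asn1.Unmarshal(attr.Values[0].FullBytes, &pw)
		return pw, err
	}
	return "", fmt.Errorf("CSR carries no usable challengePassword")
}

// ChallengeStore maps each authorized name to the SHA-256 of its own challenge: no plaintext
// at rest, and a distinct secret per name so one device's challenge cannot enrol another name.
type ChallengeStore map[string][32]byte

func (s ChallengeStore) Add(name, password string) { s[name] = sha256.Sum256([]byte(password)) }

// ValidateSCEPRequest is the CSR hook that runs before anything is forwarded to ACME: proof of
// possession first, then every requested name must be authorized for the challenge presented.
func ValidateSCEPRequest(s ChallengeStore, csrDER []byte) ([]string, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	pw, err := challengePassword(csr.RawTBSCertificateRequest)
	if err != nil {
		return nil, err
	}
	presented := sha256.Sum256([]byte(pw))
	names := append([]string{}, csr.DNSNames...)
	if cn := csr.Subject.CommonName; cn != "" {
		names = append(names, cn)
	}
	if len(names) == 0 {
		return nil, fmt.Errorf("CSR requests no names")
	}
	for _, n := range names {
		want, ok := s[n] // an unknown name compares against a zero digest, so timing stays uniform
		if subtle.ConstantTimeCompare(want[:], presented[:]) != 1 || !ok {
			return nil, fmt.Errorf("challenge rejected for %q", n)
		}
	}
	return names, nil
}

func main() {
	store := ChallengeStore{} // constructed sample data
	store.Add("router1.internal.example", "constructed-challenge-A")
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	csr, _ := buildSCEPCSR("router1.internal.example", "constructed-challenge-A", key)
	fmt.Println(ValidateSCEPRequest(store, csr))
}
```

Only a CSR that passes `ValidateSCEPRequest` would be handed to the ACME side, and the names it returns are the ones the proxy is then allowed to answer DNS-01 for. Hashing the challenges means the store can live in ordinary config; the constant-time compare and the uniform handling of unknown names keep the check from leaking which names are enrolled.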