As we don't like self-signed certificates, our verification process does not allow them. However, in context of SCEP, self-signed certificates are allowed in some contexts. We need to add the PKCS7_NOVERIFY flag to our verification routine and provide it as an optional parameter to our function that executes PKCS7_verify. Then, we can run our verification routine and add the optional flag in the cases in which self-signed certificates are okay. In addition, it also should be configurable during the SCEP setup on order to let the user decide whether it accepts self-signed certificates. At last, proper error logging should include warnings if a certificate is self-signed even if the configuration allows it.
As we don't like self-signed certificates, our verification process does not allow them. However, in context of SCEP, self-signed certificates are allowed in some contexts. We need to add the PKCS7_NOVERIFY flag to our verification routine and provide it as an optional parameter to our function that executes PKCS7_verify. Then, we can run our verification routine and add the optional flag in the cases in which self-signed certificates are okay. In addition, it also should be configurable during the SCEP setup on order to let the user decide whether it accepts self-signed certificates. At last, proper error logging should include warnings if a certificate is self-signed even if the configuration allows it.