SCEP - Derive the CA Name from the SCEP Alias value

[Stueypoo]

When using SCEP with CA Mode, as per EJBCA implementation of SCEP, the CA that will be used to service the request is given by :

The CA used is either specified by the message or by the property scep.defaultca if no message is sent.

Another idea is that if the Scep Alias value is the same as the CA Name, then that could be used to select the CA. To achieve this, a small bit of code could be inserted into the GetCaName() menthod within org.ejbca.core.protocol.scep.ScepMessageDispatcherSessionBean as shown below:

     private String getCaName(final String caName, final ScepConfiguration scepConfiguration, final String alias) throws CADoesntExistsException {
        if (scepConfiguration.getUseIntune(alias)) {
            //Always return the scep
            return scepConfiguration.getRADefaultCA(alias);
        }

        // 
        // Check if the 'alias' string indicates which CA to reference
        // We do this by checking if a CA exists with same name as the alias.
        // Note: The CA name and alias must match exactly.
        log.info("Checking if a CA exists with the same name as the SCEP alias: "+alias);
        CAInfo cainfo = caSession.getCAInfoInternal(-1, alias, true);
        if (cainfo != null) {
            return alias;
        }

        if (!StringUtils.isEmpty(caName)) {
            // Use the CA defined by the message if present
            return caName;
        }

[primetomas]

This is a good idea. I'll bounce it of the other developers.

[primetomas]

I have made a PR for the next release with this feature. (internal ticket: https://jira.primekey.se/browse/ECA-12138). Added a section to the documentation (screenshot).

I made a small change, i.e. this is the last option if no message is provided, i.e. after checking caName.

[primetomas]

Would you like to be mentioned on the contributors page? https://www.ejbca.org/contributors/