certnanny / sscep

SSCEP is a command line client for the SCEP protocol

sscep: illegal URL https #142

Closed amelroua closed 2 years ago

amelroua commented 2 years ago

Hello,

I'm using the sscep Linux client (Ubuntu). I'm trying to enroll over HTTPS to NDES (ADCS), but I get this error:

sscep: illegal URL https://FQDN/certsrv/mscep/mscep.dll/pkiclient.exe?

I'm using an SSL certificate on my NDES, but I cannot find the reason for this issue.

mbartosch commented 2 years ago

SCEP is transported over HTTP, not HTTPS

qq8512852 commented 2 years ago

> SCEP is transported over HTTP, not HTTPS

How to implement SCEP over HTTPS?

mbartosch commented 2 years ago

https://www.rfc-editor.org/rfc/rfc8894.html#name-use-of-http

tedescn commented 2 years ago

I must agree with Martin's observation here, the design of the protocol is deliberate, where security is addressed at a message level, not the transport level. This bootstraps the need for, and secure delivery of your first certificate.

The question becomes more interesting in an HTTP/3 world, but we may be looking at alternative asymmetric key algorithms by then.
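To make the transport point concrete, here is an added example (not sscep's code, and not from this thread): a small Python helper that validates a SCEP server URL the way the "illegal URL" error in the question suggests, builds the RFC 8894 GET request URLs (`operation=` and `message=` query parameters), and parses a GetCACaps response. The hostname `ca.example.test` and the CACaps text are constructed sample values.

```python
from urllib.parse import urlparse, urlencode, urlunparse

# RFC 8894 section 3.5.2 keywords a CA may advertise in its GetCACaps response.
KNOWN_CACAPS = {
    "AES", "DES3", "GetNextCACert", "POSTPKIOperation", "Renewal",
    "SHA-1", "SHA-256", "SHA-512", "SCEPStandard",
}


class IllegalScepUrl(ValueError):
    """Raised for a URL that is not a plain-HTTP SCEP endpoint."""


def parse_scep_url(url):
    """Return (host, path) for a SCEP URL, accepting only http://.

    RFC 8894 transports SCEP over HTTP; confidentiality and integrity come
    from the CMS (PKCS#7) structure of each pkiMessage, not from TLS, so an
    https:// URL is rejected here. This mirrors the behaviour reported in the
    issue, but the check itself is an assumption of this example, not sscep's.
    """
    parts = urlparse(url)
    if parts.scheme != "http":
        raise IllegalScepUrl("illegal URL %s" % url)
    if not parts.netloc:
        raise IllegalScepUrl("illegal URL %s (no host)" % url)
    return parts.netloc, parts.path or "/"


def is_legal_scep_url(url):
    """Boolean form of parse_scep_url for callers that only need a verdict."""
    try:
        parse_scep_url(url)
        return True
    except IllegalScepUrl:
        return False


def scep_get_url(url, operation, message=None):
    """Build the GET URL for a SCEP operation (RFC 8894 section 4.1).

    GetCACaps and GetCACert take an optional free-form CA identifier as the
    message; PKIOperation carries the base64-encoded pkiMessage instead.
    """
    host, path = parse_scep_url(url)
    query = {"operation": operation}
    if message is not None:
        query["message"] = message
    # Any trailing '?' on the configured URL is dropped; the query is rebuilt.
    return urlunparse(("http", host, path, "", urlencode(query), ""))


def parse_cacaps(body):
    """Parse a GetCACaps response body (one capability keyword per line).

    Unknown keywords are ignored, as the RFC requires of clients.
    """
    caps = set()
    for line in body.splitlines():
        word = line.strip()
        if word in KNOWN_CACAPS:
            caps.add(word)
    return caps


def plan_request(url):
    """Decide how to send the PKIOperation given the CA's capabilities.

    Uses a constructed CACaps response instead of a live HTTP fetch so the
    example runs offline.
    """
    constructed_cacaps = "POSTPKIOperation\nSHA-256\nAES\nRenewal\n"
    caps = parse_cacaps(constructed_cacaps)
    method = "POST" if "POSTPKIOperation" in caps else "GET"
    return {
        "cacaps_url": scep_get_url(url, "GetCACaps"),
        "cacert_url": scep_get_url(url, "GetCACert", "ndes-ca"),
        "pkioperation_method": method,
        "digest": "SHA-256" if "SHA-256" in caps else "SHA-1",
    }


if __name__ == "__main__":
    base = "http://ca.example.test/certsrv/mscep/mscep.dll/pkiclient.exe?"
    print(plan_request(base))
    print(is_legal_scep_url("https://ca.example.test/certsrv/mscep/mscep.dll/pkiclient.exe?"))
```

The scheme check is the one place the transport question is decided: everything after it works on the message layer the RFC relies on, which is why an operator who wants the channel encrypted as well has to terminate TLS in front of the CA rather than expect the SCEP client to speak HTTPS.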

qq8512852 commented 2 years ago

> https://www.rfc-editor.org/rfc/rfc8894.html#name-use-of-http

Thanks. As we know, HTTP is not secure enough. Why not replace it with HTTPS?

mbartosch commented 2 years ago

Because the SCEP RFC says so and it's stupid.