Closed by bhsolberg 1 year ago
sscep implements a client for the SCEP protocol as defined in RFC 8894. Authentication is described in chapter https://www.rfc-editor.org/rfc/rfc8894.html#name-client-authentication. sscep implements the authentication methods described in this chapter, hence it needs the private key for generating a self-signed certificate. In order to reference a private key protected by an HSM, provide a proper engine configuration for your private key.
Hello,
It seems sscep requires the private key of the CSR, and uses it for creating the self-signed certificate for signing the payload. This breaks the security around the private key, e.g. when the private key lives on an HSM or in the TPM. In the SCEP protocol there is no use for the private key that is the basis for the CSR, which is also the basis for the security related to private/public key cryptography. Do we know why sscep has implemented it this way?
Thanks,
Bjorn