Goal

The current Apple MDM solution uses https://github.com/micromdm/scep for issuing SCEP CA certificates during MDM enrollment. However, it does not seem to be ready for production use. We also had to fork it to add storage in MySQL. From the author (https://macadmins.slack.com/archives/C023Z6A2DL0/p1664901582278619):

"I’ve been contemplating recommending folks check out step-ca if they want a “real” SCEP environment — it just uses micromdm/scep’s library (though that feature is newer). micromdm/scep’s depot is super simplistic and lacks some important features (like revocation, for example)."

We should investigate using smallstep. It is Apache licensed and written in Go, meaning we could probably find a way to make it part of the fleet server.

How?