Re: Some SCEP CA questions

From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 04/27/04


Date: Tue, 27 Apr 2004 05:31:41 -0700

Unfortunately the SCEP protocol is not too flexible and is generic to all
operating systems - hence they created the passphrase option, but I think
your only option is to do manual approval if you want to track to a user ID.
You can change the template, and this should be documented in the help file.
I believe we only allow MSCEP on a CA. A lot of implementations use a
standalone CA that is separate from the rest of the hierarchy in order to
operate under different security rules than other CAs.

-- 
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com
"Eric Chamberlain" <eric.chamberlain@newsgroups.nospam> wrote in message
news:Ocd0NYAKEHA.3924@tk2msftngp13.phx.gbl...
> I've installed the SCEP add-on on a test enterprise subordinate CA.  After
> generating some certificates, I'm wondering if it is better for a CA with
> the Simple Certificate Enrollment Protocol (SCEP) Add-on for Certificate
> Services to be a standalone root CA?  I don't see a good way to link an
> issued certificate with the user account that requested the enrollment
> challenge password.  All the certificates are processed with the SCEP
> service account.  We need a way to trace an inappropriately used
> certificate back to the userID that requested the certificate.  Are we just
> stuck with a manual approval process?  Our implementation needs to scale to
> 60,000 users.
>
> Is it possible to change the template that the mscep.dll uses when issuing
> certificates?
>
> Can mscep.dll be installed on an RA instead of a CA?
>
> Is the source code or sample code available, if we need further
> customizations?
>
>
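The manual-approval route David describes (holding MSCEP requests as pending on the CA and having an operator approve each one) only gives the user-to-certificate link the original poster wants if the operator records who received the challenge password at approval time. The PowerShell below is an added example of that loop, not code from the thread or from Microsoft's MSCEP add-on: it lists pending requests with certutil, asks the operator for the user ID the challenge password was handed to, approves the request with certutil -resubmit, and appends the mapping to a CSV. The CA config string, the log path, and the column order requested from certutil are assumptions made for the example.

```powershell
# Added example (not from the newsgroup thread): manual approval of pending
# MSCEP requests with an audit record of which user ID received the challenge
# password for each request. Assumptions: the CA config string, the log path,
# and that the CA is configured to hold incoming requests as pending.
param(
    [string]$CAConfig    = "ca01.example.local\Example Issuing CA",  # assumed
    [string]$ApprovalLog = "C:\PKI\mscep-approvals.csv"              # assumed
)

# Disposition 9 = request pending. The "csv" trailer makes certutil -view emit
# CSV; the columns come back in the order given to -out, so they are read by
# position rather than by header name.
$pending = certutil -config $CAConfig -view -restrict "Disposition=9" `
    -out "RequestID,Request.CommonName,Request.SubmittedWhen" csv |
    ConvertFrom-Csv

if (-not $pending) {
    Write-Host "No pending requests on $CAConfig."
    return
}

foreach ($row in $pending) {
    $vals = @($row.PSObject.Properties | ForEach-Object { $_.Value })
    $requestId = $vals[0]
    $cn        = $vals[1]
    $submitted = $vals[2]

    # The operator must establish out of band which user was issued the
    # challenge password for this request; SCEP itself carries no user identity.
    $userId = Read-Host ("Request {0} (CN={1}, submitted {2}): user ID that " +
                         "received the challenge password (blank to skip)" -f
                         $requestId, $cn, $submitted)
    if ([string]::IsNullOrWhiteSpace($userId)) {
        Write-Host "Skipping request $requestId (left pending)."
        continue
    }

    # -resubmit releases a pending request to the policy module for issuance.
    certutil -config $CAConfig -resubmit $requestId | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "certutil -resubmit failed for request $requestId; not logged."
        continue
    }

    # Record the mapping the CA database does not keep: request -> user ID.
    [pscustomobject]@{
        ApprovedAt = (Get-Date).ToString("o")
        RequestID  = $requestId
        CommonName = $cn
        Submitted  = $submitted
        UserID     = $userId
        Approver   = "$env:USERDOMAIN\$env:USERNAME"
    } | Export-Csv -Path $ApprovalLog -Append -NoTypeInformation

    Write-Host "Approved request $requestId for $userId."
}
```

Two caveats a practitioner would want before relying on this: the CA has to be configured to leave requests pending (on a standalone CA that is the policy module's "set the certificate request status to pending" setting; on an enterprise CA it is the template's "CA certificate manager approval" issuance requirement), and the CSV is the only place the user identity lives, so it needs the same access control and retention as the CA database, since the poster's goal is to trace a misused certificate back to a user long after issuance.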