
Support for SCEP Polling #1502

Open
wants to merge 2 commits into base: master

Conversation

adrian-alexander

Description:

This pull request adds SCEP polling mode which can be configured via ca.json. When enabled, the CA will return a PENDING response which will cause the client to poll the CA server. Fixes #1170.

Two new databases have been created named x509_csr and x509_certs_csr to save the certificate requests that have been signed.

@CLAassistant

CLAassistant commented Aug 4, 2023

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ adrian-alexander
❌ Adrian Alexander

Adrian Alexander seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

@github-actions github-actions bot added the needs triage Waiting for discussion / prioritization by team label Aug 4, 2023
@adrian-alexander adrian-alexander changed the title from "Initial support for SCEP Polling" to "Support for SCEP Polling" Aug 4, 2023
@hslatman
Member

hslatman commented Aug 4, 2023

Hey @adrian-alexander,

Thank you for this contribution. I'll have a look at it. We'll also discuss it in our next open source triage meeting.

Do you have a specific use case for which you need CertPoll support? Or maybe some specific SCEP client that requires it? So far our certificate signing operations have been synchronous, in-line with the HTTP request, meaning that we always just sent SUCCESS or FAILURE immediately. This works because the signed certificate is either available, or not, because the signing operation doesn't happen asynchronously / in the background.

@adrian-alexander
Author

> Hey @adrian-alexander,
>
> Thank you for this contribution. I'll have a look at it. We'll also discuss it in our next open source triage meeting.
>
> Do you have a specific use case for which you need CertPoll support? Or maybe some specific SCEP client that requires it? So far our certificate signing operations have been synchronous, in-line with the HTTP request, meaning that we always just sent SUCCESS or FAILURE immediately. This works because the signed certificate is either available, or not, because the signing operation doesn't happen asynchronously / in the background.

Hey @hslatman,

My team has been looking for a CA with SCEP polling to replace our in-house CA. Our use case is untrusted networks and deployments. We need an admin to manually approve cert requests from technicians at the sites.

@hslatman
Member

hslatman commented Aug 4, 2023

Sounds like a legit use case 🙂

I haven't looked into the code in detail yet, but from a quick skim I don't see changes to how the auth.SignCSR (or equivalent) method is called, especially in regards to asynchronously signing the certificate. For your use case, there's a need to provide some way to manually approve the CSR that you stored in the table, and then turn it into a certificate, storing that state in the table too. What do you expect that integration/workflow to work/look like?

Since you referred to #1170, I guess you're aware of the fact that we have support for (manual) approval workflows in our product. Ideally the flow you contributed here would have to be interoperable with that part of our stack. Besides that, it might be an option to provide another method. One way could be to make it work with webhooks.

Are you open to talk more about your use case with a colleague of mine?

@adrian-alexander
Author

> What do you expect that integration/workflow work/look like?

For testing, I used sscep to send the request to the CA. While it was polling, I signed the request with step ca sign, which signs the CSR as well as adds the certificate and the matching CSR to the database. I went with this route so that whether the CSR was signed with the basic-client or through the CLI, the certificate and CSR would still get added to the database.

> Are you open to talk more about your use case with a colleague of mine?

I'm actually part of the same team as the guy in #1170. What he discussed in his meeting with you is the same thing as my use case 😃
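The polling workflow discussed in this thread (the CA answers PENDING, the client keeps polling with GetCertInitial, and an admin signs the stored CSR out of band), as an added Go model that is not part of this PR's code or of step-ca: the transactionID key, the pkiStatus constants and the maxPolls budget are my assumptions, and the in-memory map stands in for the x509_csr table.

```go
package main

// SCEP pkiStatus values (RFC 8894, section 3.2.1.3).
type PKIStatus int
const (StatusSuccess, StatusFailure, StatusPending PKIStatus = 0, 2, 3)

// request is one row of the PR's CSR table: cert stays nil until an admin signs the CSR.
type request struct {
	csr, cert []byte
	polls     int // how many times the client has polled for this request
}

// PollingCA is a constructed single-goroutine model of polling mode, keyed by transactionID.
type PollingCA struct {
	reqs     map[string]*request
	maxPolls int // bounds how long an unapproved CSR can keep being polled
}

// PKCSReq stores the CSR and answers PENDING instead of signing in-line.
func (c *PollingCA) PKCSReq(txID string, csr []byte) PKIStatus {
	if _, dup := c.reqs[txID]; dup {
		return StatusFailure // a transactionID must not be reused
	}
	c.reqs[txID] = &request{csr: csr}
	return StatusPending
}

// Approve is the admin step (`step ca sign` in the PR's workflow); false means unknown txID.
func (c *PollingCA) Approve(txID string, cert []byte) bool {
	r, ok := c.reqs[txID]
	if ok {
		r.cert = cert
	}
	return ok
}

// GetCertInitial is the client's poll: SUCCESS once signed, PENDING otherwise, FAILURE for an unknown txID or a spent poll budget.
func (c *PollingCA) GetCertInitial(txID string) (PKIStatus, []byte) {
	r, ok := c.reqs[txID]
	if !ok {
		return StatusFailure, nil
	}
	if r.cert != nil {
		delete(c.reqs, txID) // issued; the client stops polling
		return StatusSuccess, r.cert
	}
	if r.polls++; r.polls > c.maxPolls {
		delete(c.reqs, txID) // budget spent: drop the row so the pending table cannot grow unbounded
		return StatusFailure, nil
	}
	return StatusPending, nil
}
```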

Successfully merging this pull request may close these issues.

Does step-ca support SCEP manual mode?