Uploaded image for project: 'EJBCA'
  1. EJBCA
  2. ECA-4064

SCEP support for Client Certificate Renewal


    • Type: New Feature
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 6.3.1
    • Component/s: Protocols
    • Labels:


      SCEP draft 23 has a function for automatic certificate renewal by SCEP clients. http://tools.ietf.org/html/draft-nourse-scep-23. The function is described in Appendix D and uses the old client key to sign a request for a new certificate. Currently automatic certificate renewal is supported in the CMP protocol, but not using SCEP.

      The goal of this ticket is to create a new option in the SCEP configuration; both for CA and RA mode is needed.
      Implementation of verifying certReq messages, finding existing end entities to identify renewal messages.
      Verifying renewal messages with end entities old certificate before sending an updated certificate.

      A new configuration option to allow automatic renewal in each SCEP alias is needed. Default should be to no allow automatic renewal.

      Draft Text:

      "Client Certificate Renewal

      An enrollment request that occurs more than halfway through the validity period of an existing certificate for the same subject name and key usage MAY be interpreted as a re-enrollment or renewal request and be accepted. A new certificate with new validity dates can be issued, even though the old one is still valid, if the CA policy permits. The server MAY automatically revoke the old client certificate. Clients MUST use GetCACaps (see Appendix C) to determine if the CA supports renewal. Clients MUST support servers that do not implement renewal, or that reject renewal requests.

      To renew a client certificate, the client uses the PKCSreq message and signs it with the existing client certificate. The client SHOULD use a new keypair when requesting a new certificate. The client MAY request a new certicate using the old keypair."

      Developer's notes:

      • The section "The server MAY automatically revoke the old client certificate" is fulfilled by the Single Active Certificate Constraint implemented in ECA-3581, so can be configured through there.


          Issue Links



              mikek Mike Agrenius Kushner
              mikek Mike Agrenius Kushner
              Verified by:
              Johan Eklund
              0 Vote for this issue
              4 Start watching this issue