Description
Hello!
- Vote on this issue by adding a 👍 reaction
- If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)
Issue details
Does step-ca support SCEP manual mode?
According to the SCEP RFC (https://www.rfc-editor.org/rfc/rfc8894), section 2.4 (https://www.rfc-editor.org/rfc/rfc8894#name-enrolment-authorisation), SCEP servers can optionally put SCEP clients in a pending mode:
To perform the authorisation in manual mode, the client's request is placed in the PENDING state until the CA operator authorises or rejects it. Manual authorisation is used when the client has only a self-signed certificate that hasn't been previously authenticated by the CA and/or a challengePassword is not available. The SCEP CA MAY either reject unauthorised requests or mark them for manual authorisation according to CA policy.
Why is this needed?
We're looking at a few options for CA servers, and some of them have implemented this functionality. Notable CA servers that support this are Dogtag PKI and EJBCA Enterprise. It helps in situations where you have some trust, but not perfect trust in the end device's environment, and validation of the requests by a human is required. For example, a remote SysAdmin approving requests from a remote location. As per RFC 8894, a challenge password (as step-ca seems to use at the moment) can be paired with pending/manual mode.
Edit 1
I'm not super familiar with Golang generally, but after doing some digging I can see that SCEP in step-ca uses the scep Go package, which appears to support the PENDING status message. I hope this means it should be possible to add manual mode to step-ca.
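As an added illustration of the manual-mode flow quoted from RFC 8894 above (my own sketch, not code from step-ca or the scep package): a minimal server-side queue that parks a request as PENDING, lets an operator approve or reject it, and answers the client's later poll. The pkiStatus numbers come from RFC 8894 section 3.2.1.3; the ManualQueue type and its methods are hypothetical names.

```go
package main

import "fmt"

// PKIStatus mirrors the SCEP pkiStatus attribute (RFC 8894, section 3.2.1.3).
type PKIStatus int

const (
	StatusSuccess PKIStatus = 0 // CertRep carries the issued certificate
	StatusFailure PKIStatus = 2 // CertRep carries a failInfo instead
	StatusPending PKIStatus = 3 // request parked for manual authorisation
)

// ManualQueue parks requests in PENDING until a CA operator decides (RFC 8894, section 2.4),
// keyed by the client's transactionID, which is what a later GetCertInitial poll carries.
type ManualQueue struct{ reqs map[string]PKIStatus } // unsynchronised for brevity
func NewManualQueue() *ManualQueue { return &ManualQueue{reqs: map[string]PKIStatus{}} }

// Submit handles a PKCSReq whose signature verified but which carried no valid challengePassword:
// the request is parked as PENDING rather than rejected. Resubmission never resets a decision.
func (q *ManualQueue) Submit(txID string) PKIStatus {
	if _, seen := q.reqs[txID]; !seen {
		q.reqs[txID] = StatusPending
	}
	return q.reqs[txID]
}

// Decide records the operator's approval or rejection; it reports false if nothing is pending.
func (q *ManualQueue) Decide(txID string, approve bool) bool {
	if st, ok := q.reqs[txID]; !ok || st != StatusPending {
		return false // unknown ID, or already decided: decisions are final
	}
	q.reqs[txID] = StatusFailure
	if approve {
		q.reqs[txID] = StatusSuccess
	}
	return true
}

// Poll answers a client's GetCertInitial; unknown transactionIDs get FAILURE, never PENDING.
func (q *ManualQueue) Poll(txID string) PKIStatus {
	if st, ok := q.reqs[txID]; ok {
		return st
	}
	return StatusFailure
}

func main() {
	q := NewManualQueue()
	fmt.Println(q.Submit("tx-1"), q.Decide("tx-1", true), q.Poll("tx-1")) // 3 true 0
}
```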