AutoSscep - Simple automatic certificate enroller
Copyright (c) Alberto Forino 2004. All rights reserved
See the file COPYRIGHT for licensing information
=====================================


WHAT IS AUTOSSCEP?
==================

AutoSscep is an automatic X.509 certificate enroller based on
SCEP (Simple Certificate Enrollment Protocol).
It gives VPN users an easy way to maintain their certificates.
It was developed at S.P.E. laboratories, starting from the Sscep
client by Jarkko Turkulainen, and is based on the OpenSSL toolkit
library.

WHAT IS SCEP?
=============
(from the Internet drafts)
SCEP (Simple Certificate Enrollment Protocol) is
a PKI communication protocol which leverages existing
technology by using PKCS#7 and PKCS#10.  SCEP is the evolution of the
enrollment protocol developed by Verisign, Inc. for Cisco Systems, Inc.
It now enjoys wide support in both client and CA implementations.

HOW TO COMPILE
==============

The program should be compiled on a Unix system with the OpenSSL libraries.
To compile, run the make command in the sources directory:

$ make

HOW TO USE
==========

To use AutoSscep you need a configuration file. Write it by following
the HOWTOCONFIGURE manual. After that you can run AutoSscep by
passing the configuration file as an argument:

$ autosscep myconf.conf

The version of AutoSscep can be displayed with the -version option:

$ autosscep -version


HOW DOES IT WORK
================
If you specify one or more existing certificates in the config file,
AutoSscep checks their expiration dates and enrolls if required.
If you specify a certificate that does not exist, AutoSscep requests it
from the specified CA, creating a PKCS#10 certification request based on
the data specified in the config file.

If the CA returns the enrolled certificate, AutoSscep writes it to the
specified directory and renames the old certificate to [certname].old.
Otherwise, if the CA returns a pending message, AutoSscep saves the
transaction ID in the certs directory in [certname].pending.
It will be used to resume the transaction.
(To run AutoSscep successfully you need read/write permission on the
certificates, CAs and keys directories.)

Before starting a new SCEP transaction, AutoSscep checks the
[certname].pending file. If the file exists, AutoSscep starts the
transaction with the identifier saved in the file.

If the CA returns an error status code, AutoSscep displays the error code
and the error description (from the Internet drafts) and then either exits
or tries another certificate transaction.

At the end, AutoSscep summarizes the situation, displaying the state of the
certificates or the errors that occurred.
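
The per-certificate decision described above, sketched as a shell script. This is an added example, not AutoSscep's own code: the function names, the RENEW_WINDOW threshold, the one-line format of [certname].pending and the removal of that file after issuance are all assumptions.

```shell
#!/bin/sh
# Added illustration of the README's workflow; not part of AutoSscep.
# Assumed: how close to expiry a certificate is re-enrolled (seconds).
RENEW_WINDOW=${RENEW_WINDOW:-604800}

# next_action CERTDIR CERTNAME
# Prints: "resume <id>", "request", "renew", "ok" or "unreadable".
next_action() {
    dir=$1; name=$2
    cert="$dir/$name"; pending="$dir/$name.pending"
    # A saved transaction ID is checked before any new transaction starts.
    if [ -s "$pending" ]; then
        # Assumed format: the transaction ID alone on the first line.
        txid=$(head -n 1 "$pending" | tr -d '[:space:]')
        if [ -n "$txid" ]; then echo "resume $txid"; return 0; fi
    fi
    # Non-existent certificate: a new PKCS#10 request is needed.
    if [ ! -f "$cert" ]; then echo "request"; return 0; fi
    # Refuse to judge expiry on a file that does not parse as X.509.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "unreadable"; return 1
    fi
    # -checkend N exits 0 only if the cert is still valid N seconds from now.
    if openssl x509 -in "$cert" -noout -checkend "$RENEW_WINDOW" >/dev/null 2>&1
    then echo "ok"
    else echo "renew"
    fi
}

# record_result CERTDIR CERTNAME issued <new-cert-file>
# record_result CERTDIR CERTNAME pending <transaction-id>
record_result() {
    dir=$1; name=$2; status=$3; arg=$4
    case $status in
        issued)
            # Keep the previous certificate as [certname].old.
            if [ -f "$dir/$name" ]; then mv -f "$dir/$name" "$dir/$name.old"; fi
            cp "$arg" "$dir/$name"
            rm -f "$dir/$name.pending"   # assumption: marker cleared on issue
            ;;
        pending)
            printf '%s\n' "$arg" > "$dir/$name.pending"
            ;;
        *) return 2 ;;
    esac
}
```

Running next_action over the certificates directory before a scheduled AutoSscep run shows which certificates will be requested, resumed or renewed, and which files fail to parse.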

REFERENCES
==========
SCEP specification:
http://www.ietf.org/internet-drafts/draft-nourse-scep-09.txt

OpenSSL library and program
http://www.openssl.org
http://www.columbia.edu/~ariel/ssleay/

Sscep program and source
http://www.klake.org/~jt/sscep/

Understand PKI
http://ospkibook.sourceforge.net/

Internet X.509 PKI Certificate and CRL Profile, RFC 2459
http://www.ietf.org/rfc/rfc2459.txt?number=2459

S.P.E. Sistemi e Progetti Elettronici
http://www.spe.net

TESTING 
=======
AutoSscep has been tested successfully with:
- OpenCA server
- Win2000 server CA + Microsoft SCEP module 
- VeriSign Onsite 
- SSH Certifier 