diff --git a/authority/authority.go b/authority/authority.go
index 4a9123685..e342f871f 100644
--- a/authority/authority.go
+++ b/authority/authority.go
@@ -707,8 +707,9 @@ func (a *Authority) init() error {
 case a.requiresSCEP() && a.GetSCEP() == nil:
 if a.scepOptions == nil {
 options := &scep.Options{
- Roots: a.rootX509Certs,
- Intermediates: a.intermediateX509Certs,
+ Roots: a.rootX509Certs,
+ Intermediates: a.intermediateX509Certs,
+ SkipValidation: a.config.SkipSCEPValidation,
 }
 // intermediate certificates can be empty in RA mode
diff --git a/authority/config/config.go b/authority/config/config.go
index ea7ce35da..9ded399bc 100644
--- a/authority/config/config.go
+++ b/authority/config/config.go
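Review bot: The new `SkipValidation: a.config.SkipSCEPValidation` assignment only takes effect on the `a.scepOptions == nil` path, so a caller that supplies pre-built SCEP options keeps whatever `SkipValidation` value those options carry and the config flag is silently ignored; presumably that is intended, but it deserves a comment next to the assignment, e.g. `// SkipSCEPValidation only applies when the options are built here; caller-supplied scepOptions are used as-is.` Because `SkipSCEPValidation` is tagged json:"-" it cannot be enabled from the CA configuration file, which keeps this bypass out of reach of a config-only change — worth noting here so a later refactor does not expose it. The enclosing init() starts before and continues after the hunk.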
@@ -65,26 +65,27 @@ var (
 // Config represents the CA configuration and it's mapped to a JSON object.
 type Config struct {
- Root multiString `json:"root"`
- FederatedRoots []string `json:"federatedRoots"`
- IntermediateCert string `json:"crt"`
- IntermediateKey string `json:"key"`
- Address string `json:"address"`
- InsecureAddress string `json:"insecureAddress"`
- DNSNames []string `json:"dnsNames"`
- KMS *kms.Options `json:"kms,omitempty"`
- SSH *SSHConfig `json:"ssh,omitempty"`
- Logger json.RawMessage `json:"logger,omitempty"`
- DB *db.Config `json:"db,omitempty"`
- Monitoring json.RawMessage `json:"monitoring,omitempty"`
- AuthorityConfig *AuthConfig `json:"authority,omitempty"`
- TLS *TLSOptions `json:"tls,omitempty"`
- Password string `json:"password,omitempty"`
- Templates *templates.Templates `json:"templates,omitempty"`
- CommonName string `json:"commonName,omitempty"`
- CRL *CRLConfig `json:"crl,omitempty"`
- MetricsAddress string `json:"metricsAddress,omitempty"`
- SkipValidation bool `json:"-"`
+ Root multiString `json:"root"`
+ FederatedRoots []string `json:"federatedRoots"`
+ IntermediateCert string `json:"crt"`
+ IntermediateKey string `json:"key"`
+ Address string `json:"address"`
+ InsecureAddress string `json:"insecureAddress"`
+ DNSNames []string `json:"dnsNames"`
+ KMS *kms.Options `json:"kms,omitempty"`
+ SSH *SSHConfig `json:"ssh,omitempty"`
+ Logger json.RawMessage `json:"logger,omitempty"`
+ DB *db.Config `json:"db,omitempty"`
+ Monitoring json.RawMessage `json:"monitoring,omitempty"`
+ AuthorityConfig *AuthConfig `json:"authority,omitempty"`
+ TLS *TLSOptions `json:"tls,omitempty"`
+ Password string `json:"password,omitempty"`
+ Templates *templates.Templates `json:"templates,omitempty"`
+ CommonName string `json:"commonName,omitempty"`
+ CRL *CRLConfig `json:"crl,omitempty"`
+ MetricsAddress string `json:"metricsAddress,omitempty"`
+ SkipValidation bool `json:"-"`
+ SkipSCEPValidation bool `json:"-"`
 // Keeps record of the filename the Config is read from
 loadedFromFilepath string
diff --git a/scep/options.go b/scep/options.go
index d173a76c6..81cf86d97 100644
--- a/scep/options.go
+++ b/scep/options.go
@@ -26,6 +26,8 @@ type Options struct {
 // are used to be able to load the provisioners when the SCEP authority is being
 // validated.
 SCEPProvisionerNames []string
+ // SkipValidation is used to skip the validation of the SCEP options.
+ SkipValidation bool
 }
 type comparablePublicKey interface {
@@ -35,6 +37,8 @@ type comparablePublicKey interface {
 // Validate checks the fields in Options.
 func (o *Options) Validate() error {
 switch {
+ case o.SkipValidation:
+ return nil
 case len(o.Intermediates) == 0:
 return errors.New("no intermediate certificate available for SCEP authority")
 case o.SignerCert == nil:
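Review bot: The added `SkipSCEPValidation` field carries no doc comment, and its json:"-" tag — which means the flag is never read from the configuration file — is the kind of detail a reader scanning this struct needs spelled out, since it is what keeps the bypass from being a config-file setting. Suggest `// SkipSCEPValidation disables validation of the SCEP authority options (see scep.Options.Validate). It is not read from the JSON config (json:"-") and can only be set programmatically.` The struct's closing brace lies outside the hunk.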
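Review bot: The comment on the new `SkipValidation` field says it skips "the validation of the SCEP options" without saying what that means in practice, which is that `Validate` returns nil before inspecting any field, so missing intermediates, a nil `SignerCert` and every later check go unreported. Suggest `// SkipValidation makes Validate return nil without inspecting any other field, so an Options value with no intermediates or no signer is accepted as-is. Presumably it should stay false for a CA that will actually serve SCEP requests.` The Options struct's opening line is outside the hunk.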
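Review bot: Placing `case o.SkipValidation: return nil` first bypasses every check in the switch, including the `o.SignerCert == nil` case visible here and whatever cases follow outside the hunk, so a SCEP authority with no signer is no longer rejected at init and presumably fails only when a request arrives. If the only motivation is the RA case where intermediates may be empty (as the comment in the authority.go hunk suggests), a narrower bypass would keep the signer checks in force, e.g. `case len(o.Intermediates) == 0 && !o.SkipValidation:` in place of the unconditional first case. If the broad skip is intended, a line comment on the case such as `// skips every check below, including signer presence` would at least make the scope explicit to the next reader. The rest of Validate continues past the hunk.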