The current certificate system role is powerful for the `ipa` and `self-sign` providers, but it lacks an explicit, high-level mechanism for requesting certificates using SCEP and EST when a Challenge Password or shared secret is required during enrollment.
Many external and third-party CAs (like those utilizing NDES for Microsoft CA) depend on this challenge mechanism. As a result, users are forced to bypass the system role abstraction and write complex, non-idempotent Ansible command/shell tasks directly against certmonger. This defeats the purpose of the consistent rhel-system-roles interface.
- New `ca` Provider Options: Support for setting `ca: scep` and/or `ca: est` to correctly configure the enrollment protocol.
- A new optional parameter, such as `challenge_password`, to securely pass the shared secret required by the CA during enrollment. This parameter should strongly encourage and support the use of Ansible Vault for security.
- Rekey/Renewal Functionality: The renewal process must ensure that the SCEP/EST protocol and challenge mechanism are correctly handled for automatic rekeying operations, if required by the CA.
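A sketch of how a play using the requested options might look, added here as an illustration and not taken from the issue or from the role's actual interface. The `certificate_requests` list with its `name`, `dns` and `ca` keys is the role's existing variable layout; `ca: scep` and `challenge_password` are the additions proposed above, and `ca_url`, the role name and the NDES endpoint are placeholders assumed for the sketch:

```yaml
# Hypothetical playbook sketch: the role does not currently accept
# ca: scep or challenge_password; these are the options requested in this issue.
- name: Enroll a host certificate via SCEP with a vaulted challenge password
  hosts: webservers
  vars:
    # Shared secret kept out of plaintext with Ansible Vault, e.g. created with:
    #   ansible-vault encrypt_string --name scep_challenge 'the-shared-secret'
    # The ciphertext below is a placeholder, not a real vault blob.
    scep_challenge: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      <vault ciphertext placeholder>
  roles:
    - role: linux-system-roles.certificate   # assumed role name
      vars:
        certificate_requests:
          - name: www
            dns: www.example.com
            ca: scep                              # proposed provider option
            ca_url: https://ca.example.invalid/certsrv/mscep/mscep.dll   # hypothetical key, placeholder NDES URL
            challenge_password: "{{ scep_challenge }}"   # proposed parameter, never a literal in the play
```

Because the secret is referenced only through the vaulted variable, the playbook can be committed to version control, and the role, rather than ad hoc `command`/`shell` tasks, would be responsible for passing it to certmonger idempotently.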