Versions Compared

Old Version 4

changes.mady.by.user Karolin Hemmingsson (Unlicensed)

Saved on

compared with

New Version 5

changes.mady.by.user Josefin Klang (Deactivated)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

This article describes a configuration example of the SCEP protocol in Protocol Gateway, using the provided enrollment templates file.

Simple Certificate Enrollment Protocol (SCEP) is a protocol that allows devices to easily enroll for a certificate by using a URL and a shared secret to communicate with a PKI.

Protocol Gateway only supports the enrollment protocols in RA mode, that is, a device RA key pair is used to protect the protocol messages. For use with devices that don't support RA mode, see more information in Use CMP or SCEP protocol in CA mode.

Prerequisites

Expand
titlePrerequisites

The following prerequisites apply:

Step-by-step instruction

Configure SCEP protocol

Expand
titleConfigure and sign imported SCEP elements

The elements that were imported during the initial configuration are marked with a black and yellow "under construction" bar, since they are not signed yet.

In Administrator's workbench (AWB), open each element and make needed configurations and sign the changes: 

  1. Modify Protocol Gateway SCEP Certificate Procedure:
    1. Change Issuing CA to the Device Issuing CA.
    2. Click OK and sign the updates. See Sign tasks in Certificate Manager.
  2. For this token procedure, select Modify, click OK and sign the updates. See Sign tasks in Certificate Manager.
    1. SCEP Registration and Enroll Procedure
      This token procedure uses the input view GPIV 8 - Save and Search SCEP Enrollment Registrations encrypted password.


Expand
titleSet SCEP properties

To set the properties for the SCEP protocols: 

  1. Open \Nexus\cm-gateway\conf\SCEP.properties for editing.
  2. Modify the following properties: 
    1. Enable the SCEP protocol by setting start to true

    2. Set default.tokenprocedure to SCEP Registration and Enroll Procedure.

    3. Set default.ra.keyfile to the Protocol Gateway RA token file and default.ra.password to the related PIN.

      Info

      For more information on how to configure verifications of certificate requests in .properties files, see Certificate request verifications in Protocol Gateway.


  3. If needed, scramble sensitive parameters in the configuration file. See Scramble sensitive data in configuration files in Protocol Gateway.
  4. Save the file. 
Code Block
titleExample: SCEP.properties
start = true
default.tokenprocedure = SCEP Registration and Enroll Procedure
default.ra.keyfile = protocol-gateway-ra.p12
default.ra.password = <Protocol Gateway RA PIN>



Expand
titleRestart Tomcat
  1. Restart the Tomcat service. 

Test SCEP protocol with Nexus test client

Expand
titleConfigure Nexus SCEP test client

For information on how to start using Nexus test client, see Set up and use test clients in Protocol Gateway.

To configure the SCEP test client: 

  1. Copy the protocol-gateway-ra.cer to \Nexus\testclients\temp.
  2. Open the file com.nexussafe.cm.test.app.SCEPClient.properties for editing: 
  3. Edit the parameters: 
    1. Set raCert to temp/protocol-gateway-ra.cer.
    2. Set p10.dns to the DNS name of the devices, for example {0}.example.com.  
    3. Set p10.password to the device password, that shall also be used in the registration below.  


Expand
titleGenerate SCEP request

To verify the installation using the Nexus SCEP Client: 

  1. Generate a SCEP request:

    1.  In the command prompt, start an interactive session, by typing the command: 

      Code Block
      titleExample: Generate SCEP request
      java –jar testtools.jar SCEPClient interactive


    2. Run these commands: 

      1. getcacert - to get the CA cert from the server
      2. genkeypair - to generate a key pair for the client 
      3. create - to create a certificate signing request (CSR) 
      4. send - to send the CSR to Protocol Gateway

    3. The send command will fail, since there is no registered device with that FQDN. Verify in the log file in \Nexus\CM\server\logs\cf

      Code Block
      titleExample: log file
      ...
Request failed: No registration found for fqdn: [1596799669017.example.com] 
...

       


Expand
titleRegister wildcard SCEP device

To register a wildcard SCEP device: 

  1. In Registration Authority (RA) in Certificate Manager, go to the Order tab. 
  2. In Procedure, select SCEP Registration and Enroll Procedure.
  3. Register the device or a wildcard FQDN, by entering the following details:
    1.  FQDN: *.example.com
      Any device on this wildcard domain can get a certificate. For more information, see Allowed domain names for preregistration in Certificate Manager.
    2. Validity time: the number of days that the registration shall be valid.
    3. Password: the p10 device password that was configured above.
    4. State: Open


Expand
titleVerify SCEP send command

Verify that a certificate can now be issued as a result of the CSR,

  1. In the same interactive SCEPClient session, run the command send

    This time, it should be succesful:

    Code Block
    titleExample: result of send command
    command: send
Certificate: 
Version: V3


Related information