The following prerequisites apply:

• Protocol Gateway must be installed. See Install Protocol Gateway.
• Initial configuration of Protocol Gateway must be done. See Initial configuration of Protocol Gateway. 

The elements that were imported during the initial configuration are marked with a black and yellow "under construction" bar, since they are not signed yet.

In Administrator's workbench (AWB), open each element and make needed configurations and sign the changes: 

1. Modify Protocol Gateway SCEP Certificate Procedure:
   1. Change Issuing CA to the Device Issuing CA.
   2. Click OK and sign the updates. See Sign tasks in Certificate Manager.
2. For this token procedure, select Modify, click OK and sign the updates. See Sign tasks in Certificate Manager.
   1. SCEP Registration and Enroll Procedure
      This token procedure uses the input view GPIV 8 - Save and Search SCEP Enrollment Registrations encrypted password.

To set the properties for the SCEP protocols: 

1. Open \Nexus\cm-gateway\conf\SCEP.properties for editing.
2. Modify the following properties: 
   1. Enable the SCEP protocol by setting start to true. 

   2. Set default.tokenprocedure to SCEP Registration and Enroll Procedure.

   3. Set default.ra.keyfile to the Protocol Gateway RA token file and default.ra.password to the related PIN.

      For more information on how to configure verifications of certificate requests in .properties files, see Certificate request verifications in Protocol Gateway.

3. If needed, scramble sensitive parameters in the configuration file. See Scramble sensitive data in configuration files in Protocol Gateway.
4. Save the file. 

start = true
default.tokenprocedure = SCEP Registration and Enroll Procedure
default.ra.keyfile = protocol-gateway-ra.p12
default.ra.password = <Protocol Gateway RA PIN>

1. Restart the Tomcat service. 

For information on how to start using Nexus test client, see Set up and use test clients in Protocol Gateway.

To configure the SCEP test client: 

1. Copy the protocol-gateway-ra.cer to \Nexus\testclients\temp.
2. Open the file com.nexussafe.cm.test.app.SCEPClient.properties for editing: 
3. Edit the parameters: 
   1. Set raCert to temp/protocol-gateway-ra.cer.
   2. Set p10.dns to the DNS name of the devices, for example {0}.example.com.  
   3. Set p10.password to the device password, that shall also be used in the registration below.  

To verify the installation using the Nexus SCEP Client: 

1. Generate a SCEP request:

   1.  In the command prompt, start an interactive session, by typing the command: 
      

      Example: Generate SCEP request

      java –jar testtools.jar SCEPClient interactive

   2. Run these commands: 

      1. getcacert - to get the CA cert from the server
      2. genkeypair - to generate a key pair for the client 
      3. create - to create a certificate signing request (CSR) 
      4. send - to send the CSR to Protocol Gateway

   3. The send command will fail, since there is no registered device with that FQDN. Verify in the log file in \Nexus\CM\server\logs\cf: 
      

      Example: log file

      ...
      Request failed: No registration found for fqdn: [1596799669017.example.com] 
      ...

       

To register a wildcard SCEP device: 

1. In Registration Authority (RA) in Certificate Manager, go to the Order tab. 
2. In Procedure, select SCEP Registration and Enroll Procedure.
3. Register the device or a wildcard FQDN, by entering the following details:
   1.  FQDN: *.example.com
      Any device on this wildcard domain can get a certificate. For more information, see Allowed domain names for preregistration in Certificate Manager.
   2. Validity time: the number of days that the registration shall be valid.
   3. Password: the p10 device password that was configured above.
   4. State: Open

Verify that a certificate can now be issued as a result of the CSR,

1. In the same interactive SCEPClient session, run the command send. 

   This time, it should be succesful:

   Example: result of send command

   command: send
   Certificate: 
   Version: V3