Document toolboxDocument toolbox

Nexus Documentation
CURL vulnerability information (CVE-2023-38545) - Nexus awareness advisory on Microsoft's update KB5014754

Example: SCEP NDES configuration in Protocol Gateway

Owned by Ann Base (Deactivated)
Last updated: Jun 19, 2024 by Josefin Klang (Deactivated)Version comment
2 min read

This article describes a configuration example of the SCEP protocol with NDES challenge in Protocol Gateway.

Prerequisites

The following prerequisites apply:

  • Protocol Gateway must be installed. See Install Protocol Gateway.

  • Initial configuration of Protocol Gateway must be done. See Initial configuration of Protocol Gateway. 

  • The SCEP RA certificate must be issued by the same CA that issues the device certificates. Create an RA certificate in PKCS#12 format containing the full CA chain with the following keyusages or extended keyusages:

    • Digital Signature

    • Key Encipherment

    • TLS Server Authentication

Configure Protocol Gateway SCEP NDES

Create certificate procedure

  1. Follow the instructions in Create certificate procedure in Certificate Manager.

  2. Enter the following:

    1. Procedure name: Protocol Gateway SCEP Certificate with NDES Challenge

    2. Key usage: no key usage

    3. Certificate format: scepndesdynamicenroll

Create token procedure

  1. Follow the instructions in Create token procedure in Certificate Manager.

  2. Enter the following:

    1. Procedure name: SCEP Registration and Enroll Procedure with NDES Challenge

    2. Storage profile: PKCS10

    3. Issuer certificates: Store all

    4. Certificate procedures: Protocol Gateway SCEP Certificate with NDES Challenge

    5. Input view: GPIV 16 - Save and Search SCEP Enrollment Registrations with dynamic password

Configure scep.properties

  1. Open scep.properties for editing.

    1. On Linux, this is found in /var/cm-gateway/conf.

    2. On Windows, this is found in C:/ProgramData/Nexus/cm-gateway/conf.

  2. In scep.properties there are two handlers defined for ndes challenge (number 3) and ndes requests (number 4). Change the information for these handler as needed. See an example file below. 
    Add '.encrypted' to the ndesPassword parameter so it is not stored in cleartext in scep.properties.

    Example: scep.properties

    ... # http://<pgwy-host>:<port>/pgwy/scep/ndeschallenge/ # # Handler for SCEP dynamic challenge endpoint (NDES compliant) # handler.3.filter = ndeschallenge/ handler.3.format = scep-ndes handler.3.ndesUsername = ndesadmin handler.3.ndesPassword = ndespassword handler.3.ndesChallengeValidity = PT15M # http://<pgwy-host>:<port>/pgwy/scep/ndesrequest # # Handler for SCEP request using dynamic challenge password (NDES compliant) # handler.4.filter = ndesrequest handler.4.format = scep handler.4.tokenprocedure = SCEP Registration and Enroll Procedure with NDES Challenge ...

  3. Restart the Tomcat service. 

Configure SCEP test tool

Extract the SCEP test tool

Extract testtools.zip from <client-home>/web/testtools.zip.

Set SCEP test tool parameters

  1. Open the SCEPClient configuration file named com.nexussafe.cm.test.app.SCEPClient.properties from testtools/config/.

  2. Set the parameters as described in the table below.

  3. The NDES dynamic password can be retrieved using this command:

getndeschallenge

Parameter

Value

Comment

Parameter

Value

Comment

ndesChallengeUrl

<url>



ndesAdminUsername

<username>



ndesAdminPassword

<password>



certRequestUrl

The NDES 'ndesRequest' endpoint

This endpoint is http://localhost:8080/pgwy/scep/ndesrequest?operation=PKIOperation&message= and depends on what you have specified in the handler section for ndesrequest in scep.properties. Default is ndesrequest.

Example

Example: SCEPClient.properties
caCertUrl = http://localhost:8080/pgwy/scep?operation=GetCaCert&message=none certRequestUrl = http://localhost:8080/pgwy/ndesrequest?operation=PKIOperation&message= ndesChallengeUrl = http://localhost:8080/pgwy/scep/ndeschallenge/ raCert = temp/protocol-gateway-ra.cer workdir = temp p12.alias = scep client key p12.certFile = temp/scep.cer p12.keyLength = 2048 p12.keyToken.keyFile = temp/scep.p12 p12.keyToken.password = abcd1234 p12.keyToken.storeProvider = iD2Store p12.keyToken.storeType = PKCS12 scep.cipherAlg = rc2 ; p10.subject = unstructuredname=un-{0} SEG,cn={0} SEG,o=Company p10.subject = cn={0} SEG,o=Company p10.dns = {0}.example.com p10.password = abcd1234 p10.keyusage = digitalSignature, keyEncipherment; critical ndesAdminUsername = ndesadmin ndesAdminPassword = ndespassword ;------------------ proxy certificate ------------------ useProxyCert = false proxyCert.keyToken.keyFile = temp/proxy.p12 proxyCert.keyToken.password = abcd1234 proxyCert.keyToken.storeProvider = iD2Store proxyCert.keyToken.storeType = PKCS12

Generate SCEP request

See the section "Generate SCEP request" in Example: SCEP configuration in Protocol Gateway.

There is one unique NDES-step (step 2) to add to the steps linked to above:

  1. getcacert - to get the CA/RA cert from the server

  2. getndeschallenge - to get NDES dynamic challenge password from server 

  3. create - to create certificate request with new key and subject 

  4. send - to send the CSR to Protocol Gateway

  5. verify - to verify the response

The certificate is saved in temp/scep.p12 (default). To change this, use the parameter p12.keyToken.keyFile in SCEPClient.properties.

Additional information





Copyright 2024 Technology Nexus Secured Business Solutions AB. All rights reserved.
Contact Nexus | https://www.nexusgroup.com | Disclaimer | Terms & Conditions