Nexus' software components have new names:

Nexus PRIME -> Smart ID Identity Manager
Nexus Certificate Manager -> Smart ID Certificate Manager
Nexus Hybrid Access Gateway -> Smart ID Digital Access component
Nexus Personal -> Smart ID clients

Go to Nexus homepage for overviews of Nexus' solutions, customer cases, news and more.


This article describes a configuration example of the SCEP protocol with NDES challenge in Protocol Gateway.

Expand/Collapse All

Prerequisites

The following prerequisites apply:

  • Protocol Gateway must be installed. See Install Protocol Gateway.
  • Initial configuration of Protocol Gateway must be done. See Initial configuration of Protocol Gateway. 
  • The SCEP RA certificate must be issued by the same CA that issues the device certificates. Create an RA certificate in PKCS#12 format containing the full CA chain with the following keyusages or extended keyusages:
    • Digital Signature
    • Key Encipherment
    • TLS Server Authentication

Step-by-step instruction

Configure Protocol Gateway SCEP NDES

  1. Follow the instructions in Create certificate procedure in Certificate Manager.
  2. Enter the following:
    1. Procedure name: Protocol Gateway SCEP Certificate with NDES Challenge
    2. Key usage: no key usage
    3. Certificate format: scepndesdynamicenroll
  1. Follow the instructions in Create token procedure in Certificate Manager.
  2. Enter the following:
    1. Procedure name: SCEP Registration and Enroll Procedure with NDES Challenge
    2. Storage profile: PKCS10

    3. Issuer certificates: Store all

    4. Certificate procedures: Protocol Gateway SCEP Certificate with NDES Challenge
    5. Input view: GPIV 16 - Save and Search SCEP Enrollment Registrations with dynamic password
  1. Open scep.properties for editing.
    1. On Linux, this is found in /var/cm-gateway/conf.
    2. On Windows, this is found in C:/ProgramData/Nexus/cm-gateway/conf.
  2. In scep.properties there are two handlers defined for ndes challenge (number 3) and ndes requests (number 4). Change the information for these handler as needed. See an example file below.

    Add '.encrypted' to the ndesPassword parameter so it is not stored in cleartext in scep.properties.

    Example: scep.properties
    ...
    # http://<pgwy-host>:<port>/pgwy/scep/ndeschallenge/
    #
    # Handler for SCEP dynamic challenge endpoint (NDES compliant)
    #
    handler.3.filter = ndeschallenge/
    handler.3.format = scep-ndes
    handler.3.ndesUsername = ndesadmin
    handler.3.ndesPassword = ndespassword
    handler.3.ndesChallengeValidity = PT15M
    
    # http://<pgwy-host>:<port>/pgwy/scep/ndesrequest
    #
    # Handler for SCEP request using dynamic challenge password (NDES compliant)
    #
    handler.4.filter = ndesrequest
    handler.4.format = scep
    handler.4.tokenprocedure = SCEP Registration and Enroll Procedure with NDES Challenge
    ...
  3. Restart the Tomcat service. 

Configure SCEP test tool

  1. Extract testtools.zip from <client-home>/web/testtools.zip.
  1. Open the SCEPClient configuration file named com.nexussafe.cm.test.app.SCEPClient.properties from testtools/config/.
  2. Set these parameters, see an example file below:

    ParameterValueComment
    ndesChallengeUrl<url>
    ndesAdminUsername<username>
    ndesAdminPassword<password>
    certRequestUrlThe NDES 'ndesRequest' endpoint

    This endpoint is http://localhost:8080/pgwy/scep/ndesrequest?operation=PKIOperation&message= and depends on what you have specified in the handler section for ndesrequest in scep.properties. Default is ndesrequest.

    Example: SCEPClient.properties
    caCertUrl = http://localhost:8080/pgwy/scep?operation=GetCaCert&message=none
    certRequestUrl = http://localhost:8080/pgwy/ndesrequest?operation=PKIOperation&message=
    ndesChallengeUrl = http://localhost:8080/pgwy/scep/ndeschallenge/
    
    raCert = temp/protocol-gateway-ra.cer
    
    workdir = temp
    
    p12.alias = scep client key
    p12.certFile = temp/scep.cer
    p12.keyLength = 2048
    p12.keyToken.keyFile = temp/scep.p12
    p12.keyToken.password = abcd1234
    p12.keyToken.storeProvider = iD2Store
    p12.keyToken.storeType = PKCS12
    
    scep.cipherAlg = rc2
    
    ; p10.subject = unstructuredname=un-{0} SEG,cn={0} SEG,o=Company
    
    p10.subject = cn={0} SEG,o=Company
    
    p10.dns = {0}.example.com
    
    p10.password = abcd1234
    
    p10.keyusage = digitalSignature, keyEncipherment; critical
    
    ndesAdminUsername = ndesadmin
    ndesAdminPassword = ndespassword
    
    ;------------------ proxy certificate ------------------
    
    useProxyCert = false
    
    proxyCert.keyToken.keyFile = temp/proxy.p12
    proxyCert.keyToken.password = abcd1234
    proxyCert.keyToken.storeProvider = iD2Store
    proxyCert.keyToken.storeType = PKCS12
  3. The NDES dynamic password can be retrieved using this command

    getndeschallenge

Generate SCEP request

See section "Generate SCEP request" in Example: SCEP configuration in Protocol Gateway.

There is one unique NDES-step (step 2) to add to the steps linked to above:

  1. getcacert - to get the CA/RA cert from the server
  2. getndeschallenge - to get NDES dynamic challenge password from server 
  3. create - to create certificate request with new key and subject 
  4. send - to send the CSR to Protocol Gateway
  5. verify - to verify the response

The certificate is saved in temp/scep.p12 (default). To change this, use the parameter p12.keyToken.keyFile in SCEPClient.properties.