This article describes a configuration example of the SCEP protocol with an NDES dynamic challenge password in Protocol Gateway.
The following prerequisites apply:
- Protocol Gateway must be installed. See Install Protocol Gateway.
- Initial configuration of Protocol Gateway must be done. See Initial configuration of Protocol Gateway.
- The SCEP RA certificate must be issued by the same CA that issues the device certificates. Create an RA certificate in PKCS#12 format containing the full CA chain, with the following key usages or extended key usages:
- Digital Signature
- Key Encipherment
- TLS Server Authentication
Configure Protocol Gateway SCEP NDES
- Follow the instructions in Create certificate procedure in Certificate Manager.
- Enter the following:
- Procedure name: Protocol Gateway SCEP Certificate with NDES Challenge
- Key usage: no key usage
- Certificate format: scepndesdynamicenroll
- Follow the instructions in Create token procedure in Certificate Manager.
- Enter the following:
- Procedure name: SCEP Registration and Enroll Procedure with NDES Challenge
- Storage profile: PKCS10
- Issuer certificates: Store all
- Certificate procedures: Protocol Gateway SCEP Certificate with NDES Challenge
- Input view: GPIV 16 - Save and Search SCEP Enrollment Registrations with dynamic password
- Open scep.properties for editing.
- On Linux, this is found in /var/cm-gateway/conf.
- On Windows, this is found in C:/ProgramData/Nexus/cm-gateway/conf.
In scep.properties two handlers are defined for NDES: one for the NDES challenge (handler number 3) and one for NDES requests (handler number 4). Change the settings of these handlers as needed. See the example file below.
- Append '.encrypted' to the ndesPassword parameter name so that the password is not stored in cleartext in scep.properties.
- Restart the Tomcat service.
Configure SCEP test tool
- Extract testtools.zip from <client-home>/web/testtools.zip.
- Open the SCEPClient configuration file named com.nexussafe.cm.test.app.SCEPClient.properties from testtools/config/.
Set these parameters (see the example file below):
- The NDES 'ndesRequest' endpoint. Value: http://localhost:8080/pgwy/scep/ndesrequest?operation=PKIOperation&message= . The last path segment depends on what you have specified in the handler section for ndesrequest in scep.properties; the default is ndesrequest.
- The NDES dynamic password. It can be retrieved using this command
Generate SCEP request
See section "Generate SCEP request" in Example: SCEP configuration in Protocol Gateway.
There is one NDES-specific step (step 2, getndeschallenge) to add to the steps linked to above:
- getcacert - get the CA/RA certificate from the server
- getndeschallenge - get the NDES dynamic challenge password from the server
- create - create the certificate request with a new key and subject
- send - send the CSR to Protocol Gateway
- verify - verify the response
The certificate is saved in temp/scep.p12 (default). To change this, use the parameter p12.keyToken.keyFile in SCEPClient.properties.
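The following Python helpers illustrate the client side of the getcacert, getndeschallenge, create and send steps above: building the GET URLs against a Protocol Gateway handler, checking the framing of the CA/RA certificate response, choosing transport and digest from GetCACaps without silently falling back to MD5/SHA-1, and DER-encoding the PKCS#9 challengePassword attribute that carries the NDES dynamic password inside the CSR. This is an added example, not code from Protocol Gateway or its SCEPClient test tool. The base URL and the 'ndesrequest' handler name are taken from the endpoint shown on this page; the sample GetCACaps body and the DER prefixes are constructed, not captured from a real server, and the exact behaviour of the ndesrequest handler is assumed from RFC 8894 rather than from the product.

```python
"""Client-side helpers for the getcacert, getndeschallenge, create and send steps
of a SCEP enrollment with an NDES dynamic challenge (RFC 8894).

Added example; not code from Protocol Gateway or its SCEPClient test tool.
BASE_URL and the 'ndesrequest' handler name come from the endpoint on this page;
all sample responses below are constructed, not captured from a real server.
"""
import base64
import urllib.parse

BASE_URL = "http://localhost:8080/pgwy/scep"

# GetCACert response content types, RFC 8894 section 4.2.1.
CT_SINGLE_CERT = "application/x-x509-ca-cert"     # one DER certificate, CA only
CT_CERT_CHAIN = "application/x-x509-ca-ra-cert"   # PKCS#7 signedData with CA + RA certs

# DER-encoded OIDs used below.
OID_PKCS7_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")   # 1.2.840.113549.1.7.2
OID_CHALLENGE_PASSWORD = bytes.fromhex("06092a864886f70d010907")  # 1.2.840.113549.1.9.7


def build_scep_url(handler, operation, message=None, base=BASE_URL):
    """Build the GET URL for one SCEP operation against a Protocol Gateway handler.

    For PKIOperation 'message' is the DER pkiMessage; it is base64 encoded and
    then percent-encoded, as RFC 8894 section 4.1 requires for GET transport.
    For GetCACert 'message' is the optional CA identifier string.
    """
    params = {"operation": operation}
    if operation == "PKIOperation":
        if message is None:
            raise ValueError("PKIOperation requires the DER pkiMessage")
        params["message"] = base64.b64encode(message).decode("ascii")
    elif message is not None:
        params["message"] = message
    return "%s/%s?%s" % (base, handler, urllib.parse.urlencode(params))


def parse_cacaps(body):
    """GetCACaps returns one capability keyword per line."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def choose_request_mode(caps):
    """Pick transport and digest for the 'send' step from the advertised
    capabilities, refusing the MD5/SHA-1 defaults SCEP otherwise falls back to."""
    if "SHA-512" in caps:
        digest = "SHA-512"
    elif "SHA-256" in caps:
        digest = "SHA-256"
    else:
        raise RuntimeError("server does not advertise SHA-256 or SHA-512")
    method = "POST" if "POSTPKIOperation" in caps else "GET"
    return method, digest


def classify_cacert_response(content_type, body):
    """Check the framing of a GetCACert response before handing it to a parser.

    Returns 'ca-only' for a single certificate or 'ca-ra-chain' for the
    degenerate PKCS#7 signedData carrying the CA and RA certificates.
    """
    ct = content_type.split(";")[0].strip().lower()
    if not body or body[0] != 0x30:            # both forms start with a DER SEQUENCE
        raise ValueError("GetCACert response is not DER")
    if ct == CT_SINGLE_CERT:
        return "ca-only"
    if ct == CT_CERT_CHAIN:
        # ContentInfo.contentType follows the outer SEQUENCE header (at most 4 bytes).
        if OID_PKCS7_SIGNED_DATA not in body[:16]:
            raise ValueError("CA/RA chain is not PKCS#7 signedData")
        return "ca-ra-chain"
    raise ValueError("unexpected GetCACert content type %r" % content_type)


def _der(tag, content):
    """Minimal DER TLV encoder (definite length form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def challenge_password_attribute(challenge):
    """DER-encode the PKCS#9 challengePassword attribute for the 'create' step.

    The NDES dynamic password from getndeschallenge travels in this CSR
    attribute; the server compares it with the password it issued. The value
    is a DirectoryString, encoded here as UTF8String (PrintableString is also valid).
    """
    value = _der(0x0C, challenge.encode("utf-8"))                   # UTF8String
    return _der(0x30, OID_CHALLENGE_PASSWORD + _der(0x31, value))  # SEQUENCE { OID, SET { value } }


if __name__ == "__main__":
    # Constructed sample data: a GetCACaps body and a truncated signedData header.
    caps = parse_cacaps("POSTPKIOperation\nSHA-256\nAES\nSCEPStandard\n")
    print(choose_request_mode(caps))
    print(classify_cacert_response(CT_CERT_CHAIN, bytes.fromhex("3082010006092a864886f70d010702a0")))
    print(build_scep_url("ndesrequest", "PKIOperation", message=b"\x30\x03\x02\x01\x01"))
    print(challenge_password_attribute("A1B2C3D4").hex())
```

In a real run, the 'verify' step should additionally check that the RA certificate returned by getcacert chains to the same CA that issues the device certificates (the prerequisite at the top of this page), and the dynamic password should be treated as a one-time secret: fetch it immediately before 'create' and never log the CSR attribute.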