Nexus Certificate Manager
Nexus Certificate Manager
Breadcrumbs

Example: SCEP NDES configuration in Protocol Gateway

This article describes a configuration example of the SCEP protocol with NDES challenge in  Protocol Gateway .

Prerequisites

The following prerequisites apply:

  • Protocol Gateway must be installed. See Install Protocol Gateway .

  • Initial configuration of Protocol Gateway must be done. See Initial configuration of Protocol Gateway . 

  • The SCEP RA certificate must be issued by the same CA that issues the device certificates. Create an RA certificate in PKCS#12 format containing the full CA chain with the following keyusages or extended keyusages:

    • Digital Signature

    • Key Encipherment

    • TLS Server Authentication

Configure Protocol Gateway SCEP NDES

Create certificate procedure

  1. Follow the instructions in  Create certificate procedure in Certificate Manager .

  2. Enter the following:

    1. Procedure name: Protocol Gateway SCEP Certificate with NDES Challenge

    2. Key usage: no key usage

    3. Certificate format: scepndesdynamicenroll

Create token procedure

  1. Follow the instructions in  Create token procedure in Certificate Manager .

  2. Enter the following:

    1. Procedure name: SCEP Registration and Enroll Procedure with NDES Challenge

    2. Storage profile: PKCS10

    3. Issuer certificates: Store all

    4. Certificate procedures: Protocol Gateway SCEP Certificate with NDES Challenge

    5. Input view: GPIV 16 - Save and Search SCEP Enrollment Registrations with dynamic password

Configure scep.properties

  1. Open scep.properties for editing.

    1. On Linux, this is found in /var/cm-gateway/conf.

    2. On Windows, this is found in C:/ProgramData/Nexus/cm-gateway/conf.

  2. In scep.properties there are two handlers defined for ndes challenge (number 3) and ndes requests (number 4). Change the information for these handler as needed. See an example file below. 
    Add '.encrypted' to the ndesPassword parameter so it is not stored in cleartext in scep.properties.

    Example: scep.properties

    ...
# http://<pgwy-host>:<port>/pgwy/scep/ndeschallenge/
#
# Handler for SCEP dynamic challenge endpoint (NDES compliant)
#
handler.3.filter = ndeschallenge/
handler.3.format = scep-ndes
handler.3.ndesUsername = ndesadmin
handler.3.ndesPassword = ndespassword
handler.3.ndesChallengeValidity = PT15M

# http://<pgwy-host>:<port>/pgwy/scep/ndesrequest
#
# Handler for SCEP request using dynamic challenge password (NDES compliant)
#
handler.4.filter = ndesrequest
handler.4.format = scep
handler.4.tokenprocedure = SCEP Registration and Enroll Procedure with NDES Challenge
...

  3. Restart the Tomcat service. 

Configure SCEP test tool

Extract the SCEP test tool

Extract testtools.zip from <client-home>/web/testtools.zip.

Set SCEP test tool parameters

  1. Open the SCEPClient configuration file named com.nexussafe.cm.test.app.SCEPClient.properties from testtools/config/.

  2. Set the parameters as described in the table below.

  3. The NDES dynamic password can be retrieved using this command:

getndeschallenge

Parameter

Value

Comment

ndesChallengeUrl

<url>


ndesAdminUsername

<username>


ndesAdminPassword

<password>


certRequestUrl

The NDES 'ndesRequest' endpoint

This endpoint is  http://localhost:8080/pgwy/scep/ndesrequest?operation=PKIOperation&message= and depends on what you have specified in the handler section for ndesrequest in scep.properties. Default is ndesrequest.

Example

Example: SCEPClient.properties 
caCertUrl = http://localhost:8080/pgwy/scep?operation=GetCaCert&message=none
certRequestUrl = http://localhost:8080/pgwy/ndesrequest?operation=PKIOperation&message=
ndesChallengeUrl = http://localhost:8080/pgwy/scep/ndeschallenge/

raCert = temp/protocol-gateway-ra.cer

workdir = temp

p12.alias = scep client key
p12.certFile = temp/scep.cer
p12.keyLength = 2048
p12.keyToken.keyFile = temp/scep.p12
p12.keyToken.password = abcd1234
p12.keyToken.storeProvider = iD2Store
p12.keyToken.storeType = PKCS12

scep.cipherAlg = rc2

; p10.subject = unstructuredname=un-{0} SEG,cn={0} SEG,o=Company

p10.subject = cn={0} SEG,o=Company

p10.dns = {0}.example.com

p10.password = abcd1234

p10.keyusage = digitalSignature, keyEncipherment; critical

ndesAdminUsername = ndesadmin
ndesAdminPassword = ndespassword

;------------------ proxy certificate ------------------

useProxyCert = false

proxyCert.keyToken.keyFile = temp/proxy.p12
proxyCert.keyToken.password = abcd1234
proxyCert.keyToken.storeProvider = iD2Store
proxyCert.keyToken.storeType = PKCS12

Generate SCEP request

See the section "Generate SCEP request" in Example: SCEP configuration in Protocol Gateway .

There is one unique NDES-step (step 2) to add to the steps linked to above:

  1. getcacert - to get the CA/RA cert from the server

  2. getndeschallenge - to get NDES dynamic challenge password from server 

  3. create - to create certificate request with new key and subject 

  4. send - to send the CSR to Protocol Gateway

  5. verify - to verify the response

The certificate is saved in temp/scep.p12 (default). To change this, use the parameter p12.keyToken.keyFile in SCEPClient.properties.

Additional information

Useful links