Example: SCEP configuration in Protocol Gateway
This article describes a configuration example of the SCEP protocol in Protocol Gateway, using the provided enrollment templates file.
Simple Certificate Enrollment Protocol (SCEP) is a protocol that allows devices to easily enroll for a certificate by using a URL and a shared secret to communicate with a PKI.
Protocol Gateway supports the enrollment protocols only in RA mode, that is, a device RA key pair is used to protect the protocol messages. For devices that do not support RA mode, see Use CMP or SCEP protocol in CA mode.
Prerequisites
Protocol Gateway must be installed. See Install Protocol Gateway.
Initial configuration of Protocol Gateway must be done. See Initial configuration of Protocol Gateway.
Configure SCEP protocol
Configure and sign imported SCEP elements
The elements that were imported during the initial configuration are marked with a black and yellow "under construction" bar, since they are not signed yet.
In Administrator's workbench (AWB), open each element, make the needed configurations and sign the changes:
Modify Protocol Gateway SCEP Certificate Procedure:
1. Change Issuing CA to the Device Issuing CA.
2. Click OK and sign the updates. See Sign tasks in Certificate Manager.
Modify SCEP Registration and Enroll Procedure:
This token procedure uses the input view GPIV 8 - Save and Search SCEP Enrollment Registrations encrypted password.
1. For this token procedure, select Modify, click OK and sign the updates. See Sign tasks in Certificate Manager.
Set SCEP properties
To set the properties for the SCEP protocol:
1. Open \Nexus\cm-gateway\conf\SCEP.properties for editing.
2. Modify the following properties:
- Enable the SCEP protocol by setting start to true.
- Set default.tokenprocedure to SCEP Registration and Enroll Procedure.
- Set default.ra.keyfile to the Protocol Gateway RA token file and default.ra.password to the related PIN. For more information on how to configure verifications of certificate requests in .properties files, see Certificate request verifications in Protocol Gateway.
3. If needed, scramble sensitive parameters in the configuration file. See Scramble sensitive data in configuration files in Protocol Gateway.
4. Save the file.
Example: SCEP.properties
start = true
default.tokenprocedure = SCEP Registration and Enroll Procedure
default.ra.keyfile = protocol-gateway-ra.p12
default.ra.password = <Protocol Gateway RA PIN>
Restart Tomcat
Restart the Tomcat service.
Test SCEP protocol with Nexus test client
Configure Nexus SCEP test client
For information on how to start using Nexus test client, see Set up and use test clients in Protocol Gateway.
To configure the SCEP test client:
1. Copy the protocol-gateway-ra.cer to \Nexus\testclients\temp.
2. Open the file com.nexussafe.cm.test.app.SCEPClient.properties for editing.
3. Edit the parameters:
- Set raCert to temp/protocol-gateway-ra.cer.
- Set p10.dns to the DNS name of the devices, for example {0}.example.com.
- Set p10.password to the device password, which shall also be used in the registration below.
Generate SCEP request
To verify the installation using the Nexus SCEP Client:
1. Generate a SCEP request: in the command prompt, start an interactive session by typing the command:
Example: Generate SCEP request
java -jar testtools.jar SCEPClient interactive
2. Run these commands:
getcacert - to get the CA cert from the server
genkeypair - to generate a key pair for the client
create - to create a certificate signing request (CSR)
send - to send the CSR to Protocol Gateway
The send command will fail, since there is no registered device with that FQDN. Verify in the log file in \Nexus\CM\server\logs\cf:
Example: log file
... Request failed: No registration found for fqdn: [1596799669017.example.com] ...
Register wildcard SCEP device
To register a wildcard SCEP device:
1. In Registration Authority (RA) in Certificate Manager, go to the Order tab.
2. In Procedure, select SCEP Registration and Enroll Procedure.
3. Register the device or a wildcard FQDN by entering the following details:
FQDN: *.example.com
Any device on this wildcard domain can get a certificate. For more information, see Allowed domain names for preregistration in Certificate Manager.
Validity time: the number of days that the registration shall be valid.
Password: the p10 device password that was configured above.
State: Open
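The registration lookup behind the failing and succeeding send commands above, modelled as an added example (not Nexus code): a preregistration is found only when the device FQDN matches the registered FQDN or wildcard, the registration is still within its validity time, its state is Open and the device password matches. The wildcard rule (one label in place of "*"), the validity computation and the message texts other than the "No registration found" line are assumptions; consult Allowed domain names for preregistration in Certificate Manager for the actual matching rules.

```python
import hmac
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Registration:
    """One RA preregistration: FQDN or wildcard, device password, validity, state."""
    fqdn: str
    password: str
    validity_days: int
    registered_on: date
    state: str = "Open"


def fqdn_matches(pattern: str, fqdn: str) -> bool:
    """Exact match, or '*.example.com' matching exactly one extra label (assumption)."""
    pattern, fqdn = pattern.lower(), fqdn.lower()
    if pattern == fqdn:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                  # ".example.com"
    if not fqdn.endswith(suffix):
        return False
    head = fqdn[: -len(suffix)]           # the label that replaces '*'
    return head != "" and "." not in head


def lookup(registrations, fqdn: str, password: str, today: date):
    """Return (accepted, reason); the no-match reason mirrors the server log line."""
    candidates = [r for r in registrations if fqdn_matches(r.fqdn, fqdn)]
    if not candidates:
        return False, f"Request failed: No registration found for fqdn: [{fqdn}]"
    for r in candidates:
        if r.state != "Open":
            continue
        if today > r.registered_on + timedelta(days=r.validity_days):
            continue                      # registration has expired
        # constant-time comparison so the password check leaks no timing
        if hmac.compare_digest(r.password.encode(), password.encode()):
            return True, f"Registration {r.fqdn} accepted for {fqdn}"
    return False, f"Request failed: no open, valid registration with matching password for [{fqdn}]"


# Constructed sample data, not from a real installation.
REGISTRY = [Registration("*.example.com", "device-secret", 30, date(2020, 8, 7))]
DEVICE = "1596799669017.example.com"
```

Running lookup with an empty registry reproduces the "No registration found" failure from the first send; with REGISTRY it succeeds for DEVICE, and still fails for a wrong password, an expired registration or a two-label host such as a.b.example.com.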
Verify SCEP send command
Verify that a certificate can now be issued as a result of the CSR:
In the same interactive SCEPClient session, run the command send.
This time, it should be successful:
Example: result of send command
command: send
Certificate:
Version: V3