
Example: SCEP configuration in Protocol Gateway

This article describes a configuration example of the SCEP protocol in Protocol Gateway, using the provided enrollment templates file.

Simple Certificate Enrollment Protocol (SCEP) is a protocol that allows devices to easily enroll for a certificate by using a URL and a shared secret to communicate with a PKI.

Protocol Gateway only supports the enrollment protocols in RA mode, that is, a device RA key pair is used to protect the protocol messages. For devices that don't support RA mode, see Use CMP or SCEP protocol in CA mode.


The following prerequisites apply:

Configure SCEP protocol

Configure and sign imported SCEP elements

The elements that were imported during the initial configuration are marked with a black and yellow "under construction" bar, since they are not signed yet.

In Administrator's workbench (AWB), open each element, make the needed configuration changes, and sign the changes:

  1. Modify Protocol Gateway SCEP Certificate Procedure:
    1. Change Issuing CA to the Device Issuing CA.
    2. Click OK and sign the updates. See Sign tasks in Certificate Manager.
  2. For this token procedure, select Modify, click OK and sign the updates. See Sign tasks in Certificate Manager.
    1. SCEP Registration and Enroll Procedure
      This token procedure uses the input view GPIV 8 - Save and Search SCEP Enrollment Registrations encrypted password.

Set SCEP properties

To set the properties for the SCEP protocols: 

  1. Open \Nexus\cm-gateway\conf\ for editing.
  2. Modify the following properties: 
    1. Enable the SCEP protocol by setting start to true.
    2. Set default.tokenprocedure to SCEP Registration and Enroll Procedure.

    3. Set default.ra.keyfile to the Protocol Gateway RA token file and default.ra.password to the related PIN.

      For more information on how to configure verifications of certificate requests in .properties files, see Certificate request verifications in Protocol Gateway.

  3. If needed, scramble sensitive parameters in the configuration file. See Scramble sensitive data in configuration files in Protocol Gateway.
  4. Save the file. 


start = true
default.tokenprocedure = SCEP Registration and Enroll Procedure
default.ra.keyfile = protocol-gateway-ra.p12
default.ra.password = <Protocol Gateway RA PIN>
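
A preflight check for the properties set in the steps above, run before restarting Tomcat. This is an added example, not part of the Nexus documentation or tooling. It assumes the file uses plain Java `key = value` properties syntax with the key names shown in the block above, the function names are hypothetical, and it does not detect whether the PIN has been scrambled, because the scrambled format is not shown on this page.

```python
import re

# Property names as they appear in the page's example block.
REQUIRED = ("start", "default.tokenprocedure",
            "default.ra.keyfile", "default.ra.password")
LINE = re.compile(r"^([^\s=:]+)\s*[=:]\s*(.*)$")

def parse_properties(text):
    """Return (props, duplicates) from 'key = value' lines; # and ! start comments."""
    props, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key in props:
            duplicates.append(key)
        props[key] = value  # last value wins, as java.util.Properties would load it
    return props, duplicates

def check_scep_properties(text):
    """Return a list of findings; an empty list means the basic checks passed."""
    props, duplicates = parse_properties(text)
    findings = [f"duplicate key: {k}" for k in duplicates]
    for key in REQUIRED:
        if not props.get(key):
            findings.append(f"missing or empty: {key}")
    if props.get("start") and props["start"].lower() != "true":
        findings.append("SCEP protocol is not enabled (start is not true)")
    pin = props.get("default.ra.password", "")
    if pin.startswith("<") and pin.endswith(">"):
        findings.append("default.ra.password still holds the template placeholder")
    return findings

# Constructed sample inputs: the page's block as shown, and a filled-in copy.
TEMPLATE = """\
start = true
default.tokenprocedure = SCEP Registration and Enroll Procedure
default.ra.keyfile = protocol-gateway-ra.p12
default.ra.password = <Protocol Gateway RA PIN>
"""
FILLED = TEMPLATE.replace("<Protocol Gateway RA PIN>", "constructed-pin-value")

if __name__ == "__main__":
    for name, text in (("template", TEMPLATE), ("filled", FILLED)):
        print(name, check_scep_properties(text) or "ok")
```

The duplicate-key finding matters because a stale second `start` or `default.ra.keyfile` line further down the file silently overrides the one just edited.
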

Restart Tomcat

  1. Restart the Tomcat service. 

Test SCEP protocol with Nexus test client

Configure Nexus SCEP test client

For information on how to start using Nexus test client, see Set up and use test clients in Protocol Gateway.

To configure the SCEP test client: 

  1. Copy the protocol-gateway-ra.cer to \Nexus\testclients\temp.
  2. Open the file for editing: 
  3. Edit the parameters: 
    1. Set raCert to temp/protocol-gateway-ra.cer.
    2. Set p10.dns to the DNS name of the devices, for example {0}  
    3. Set p10.password to the device password, which must also be used in the registration below.

Generate SCEP request

To verify the installation using the Nexus SCEP Client: 

  1. Generate a SCEP request:
    1. In the command prompt, start an interactive session by typing the command:

      Example: Generate SCEP request

      java -jar testtools.jar SCEPClient interactive
    2. Run these commands: 

      1. getcacert - to get the CA cert from the server
      2. genkeypair - to generate a key pair for the client 
      3. create - to create a certificate signing request (CSR) 
      4. send - to send the CSR to Protocol Gateway
    3. The send command will fail, since there is no registered device with that FQDN. Verify this in the log file in \Nexus\CM\server\logs\cf

      Example: log file

      Request failed: No registration found for fqdn: [] 


Register wildcard SCEP device

To register a wildcard SCEP device: 

  1. In Registration Authority (RA) in Certificate Manager, go to the Order tab. 
  2. In Procedure, select SCEP Registration and Enroll Procedure.
  3. Register the device or a wildcard FQDN, by entering the following details:
    1. FQDN: *
      Any device on this wildcard domain can get a certificate. For more information, see Allowed domain names for preregistration in Certificate Manager.
    2. Validity time: the number of days that the registration shall be valid.
    3. Password: the p10 device password that was configured above.
    4. State: Open

Verify SCEP send command

Verify that a certificate can now be issued as a result of the CSR:

  1. In the same interactive SCEPClient session, run the command send

    This time, it should be successful:

    Example: result of send command

    command: send
    Version: V3
