Skip to main content
Skip table of contents

Example: SCEP NDES configuration in Protocol Gateway

This article describes a configuration example of the SCEP protocol with NDES challenge in Protocol Gateway.


The following prerequisites apply:

  • Protocol Gateway must be installed. See Install Protocol Gateway.
  • Initial configuration of Protocol Gateway must be done. See Initial configuration of Protocol Gateway. 
  • The SCEP RA certificate must be issued by the same CA that issues the device certificates. Create an RA certificate in PKCS#12 format containing the full CA chain with the following keyusages or extended keyusages:
    • Digital Signature
    • Key Encipherment
    • TLS Server Authentication

Configure Protocol Gateway SCEP NDES

Create certificate procedure
  1. Follow the instructions in Create certificate procedure in Certificate Manager.
  2. Enter the following:
    1. Procedure name: Protocol Gateway SCEP Certificate with NDES Challenge
    2. Key usage: no key usage
    3. Certificate format: scepndesdynamicenroll
Create token procedure
  1. Follow the instructions in Create token procedure in Certificate Manager.
  2. Enter the following:
    1. Procedure name: SCEP Registration and Enroll Procedure with NDES Challenge
    2. Storage profile: PKCS10

    3. Issuer certificates: Store all

    4. Certificate procedures: Protocol Gateway SCEP Certificate with NDES Challenge
    5. Input view: GPIV 16 - Save and Search SCEP Enrollment Registrations with dynamic password
  1. Open for editing.
    1. On Linux, this is found in /var/cm-gateway/conf.
    2. On Windows, this is found in C:/ProgramData/Nexus/cm-gateway/conf.
  2. In there are two handlers defined for ndes challenge (number 3) and ndes requests (number 4). Change the information for these handler as needed. See an example file below.

    Add '.encrypted' to the ndesPassword parameter so it is not stored in cleartext in


    # http://<pgwy-host>:<port>/pgwy/scep/ndeschallenge/
    # Handler for SCEP dynamic challenge endpoint (NDES compliant)
    handler.3.filter = ndeschallenge/
    handler.3.format = scep-ndes
    handler.3.ndesUsername = ndesadmin
    handler.3.ndesPassword = ndespassword
    handler.3.ndesChallengeValidity = PT15M
    # http://<pgwy-host>:<port>/pgwy/scep/ndesrequest
    # Handler for SCEP request using dynamic challenge password (NDES compliant)
    handler.4.filter = ndesrequest
    handler.4.format = scep
    handler.4.tokenprocedure = SCEP Registration and Enroll Procedure with NDES Challenge
  3. Restart the Tomcat service. 

Configure SCEP test tool

Extract the SCEP test tool
  1. Extract from <client-home>/web/
Set SCEP test tool parameters
  1. Open the SCEPClient configuration file named from testtools/config/.
  2. Set these parameters, see an example file below:

    certRequestUrlThe NDES 'ndesRequest' endpoint

    This endpoint is http://localhost:8080/pgwy/scep/ndesrequest?operation=PKIOperation&message= and depends on what you have specified in the handler section for ndesrequest in Default is ndesrequest.


    caCertUrl = http://localhost:8080/pgwy/scep?operation=GetCaCert&message=none
    certRequestUrl = http://localhost:8080/pgwy/ndesrequest?operation=PKIOperation&message=
    ndesChallengeUrl = http://localhost:8080/pgwy/scep/ndeschallenge/
    raCert = temp/protocol-gateway-ra.cer
    workdir = temp
    p12.alias = scep client key
    p12.certFile = temp/scep.cer
    p12.keyLength = 2048
    p12.keyToken.keyFile = temp/scep.p12
    p12.keyToken.password = abcd1234
    p12.keyToken.storeProvider = iD2Store
    p12.keyToken.storeType = PKCS12
    scep.cipherAlg = rc2
    ; p10.subject = unstructuredname=un-{0} SEG,cn={0} SEG,o=Company
    p10.subject = cn={0} SEG,o=Company
    p10.dns = {0}
    p10.password = abcd1234
    p10.keyusage = digitalSignature, keyEncipherment; critical
    ndesAdminUsername = ndesadmin
    ndesAdminPassword = ndespassword
    ;------------------ proxy certificate ------------------
    useProxyCert = false
    proxyCert.keyToken.keyFile = temp/proxy.p12
    proxyCert.keyToken.password = abcd1234
    proxyCert.keyToken.storeProvider = iD2Store
    proxyCert.keyToken.storeType = PKCS12
  3. The NDES dynamic password can be retrieved using this command


Generate SCEP request

Generate SCEP request

See section "Generate SCEP request" in Example: SCEP configuration in Protocol Gateway.

There is one unique NDES-step (step 2) to add to the steps linked to above:

  1. getcacert - to get the CA/RA cert from the server
  2. getndeschallenge - to get NDES dynamic challenge password from server 
  3. create - to create certificate request with new key and subject 
  4. send - to send the CSR to Protocol Gateway
  5. verify - to verify the response

The certificate is saved in temp/scep.p12 (default). To change this, use the parameter p12.keyToken.keyFile in

Related information

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.