Example: SCEP NDES configuration in Protocol Gateway
This article describes a configuration example of the SCEP protocol with NDES challenge in Protocol Gateway.
Prerequisites
The following prerequisites apply:
Protocol Gateway must be installed. See Install Protocol Gateway.
Initial configuration of Protocol Gateway must be done. See Initial configuration of Protocol Gateway.
The SCEP RA certificate must be issued by the same CA that issues the device certificates. Create an RA certificate in PKCS#12 format that contains the full CA chain and has the following key usages and extended key usage:
Digital Signature
Key Encipherment
TLS Server Authentication
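The prerequisite above is easy to get wrong (an RA certificate issued by a different CA, a PKCS#12 without the chain, or a missing usage), and Protocol Gateway only reports the consequence at enrollment time. The script below is an added example and not part of the Nexus documentation: it uses openssl to construct a throwaway CA and RA certificate, packs them into a PKCS#12, and then runs the check a practitioner would run on a real RA file before configuring the gateway. It assumes openssl 1.1.1 or later on PATH; the subjects, file names, the alias "scep-ra" and the password "changeit" are constructed for this example only.

```shell
#!/bin/sh
# Added example (not Nexus code): verify that an RA PKCS#12 meets the
# Protocol Gateway SCEP prerequisites listed above.
# Assumes openssl 1.1.1+; all names and the password "changeit" are constructed.

# check_ra_p12 <file.p12> <password>
# Returns 0 when the end-entity (RA) certificate in the PKCS#12 carries
# Digital Signature, Key Encipherment and TLS Web Server Authentication and
# verifies against the CA certificates packed in the same PKCS#12.
# Prints what is missing and returns 1 otherwise.
check_ra_p12() {
    p12=$1; pw=$2; rc=0
    tmp=$(mktemp -d) || return 1
    # -clcerts: only the certificate that belongs to the private key (the RA)
    # -cacerts: only the issuing chain that was packed alongside it
    if ! openssl pkcs12 -in "$p12" -passin "pass:$pw" -nokeys -clcerts -out "$tmp/ra.pem" 2>/dev/null ||
       ! openssl pkcs12 -in "$p12" -passin "pass:$pw" -nokeys -cacerts -out "$tmp/chain.pem" 2>/dev/null; then
        echo "cannot read $p12 (wrong password or not a PKCS#12)" >&2
        rm -rf "$tmp"; return 1
    fi
    text=$(openssl x509 -in "$tmp/ra.pem" -noout -text)
    for needed in "Digital Signature" "Key Encipherment" "TLS Web Server Authentication"; do
        case "$text" in
            *"$needed"*) ;;
            *) echo "RA certificate lacks: $needed" >&2; rc=1 ;;
        esac
    done
    # The chain inside the P12 must be sufficient on its own to verify the RA
    # certificate: the RA was issued by that CA and the whole chain is present.
    if ! openssl verify -CAfile "$tmp/chain.pem" "$tmp/ra.pem" >/dev/null 2>&1; then
        echo "RA certificate does not verify against the CA chain inside the P12" >&2
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# make_test_ra_p12 <dir> <eku: yes|no>
# Constructs a self-signed test CA and an RA certificate issued by it, then
# exports key, RA certificate and CA certificate into <dir>/ra.p12.
# Passing "no" omits the TLS Server Authentication EKU so the check can be
# seen rejecting such a certificate.
make_test_ra_p12() {
    dir=$1; eku=$2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null || return 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 30 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Protocol Gateway SCEP RA" \
        -keyout "$dir/ra.key" -out "$dir/ra.csr" 2>/dev/null || return 1
    printf 'keyUsage=critical,digitalSignature,keyEncipherment\n' > "$dir/ra.ext"
    if [ "$eku" = yes ]; then printf 'extendedKeyUsage=serverAuth\n' >> "$dir/ra.ext"; fi
    openssl x509 -req -in "$dir/ra.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 30 -extfile "$dir/ra.ext" -out "$dir/ra.crt" 2>/dev/null || return 1
    # -certfile packs the issuing chain; for a real RA pass every intermediate
    # and the root, not just the single CA used in this constructed example.
    openssl pkcs12 -export -inkey "$dir/ra.key" -in "$dir/ra.crt" -certfile "$dir/ca.crt" \
        -name "scep-ra" -passout pass:changeit -out "$dir/ra.p12"
}

# Demo on a constructed PKCS#12; for your own file run:
#   check_ra_p12 /path/to/ra.p12 '<password>'
work=$(mktemp -d)
make_test_ra_p12 "$work" yes
if check_ra_p12 "$work/ra.p12" changeit; then
    echo "$work/ra.p12 meets the Protocol Gateway RA prerequisites"
fi
```

Note that OpenSSL 3 refuses to open a PKCS#12 that was exported elsewhere with the legacy RC2-40 encryption unless you add `-legacy` to the `openssl pkcs12 -in` commands; a file produced by a modern CA tool, or by the same openssl binary as here, opens without it.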
Configure Protocol Gateway SCEP NDES
Create certificate procedure
Follow the instructions in Create certificate procedure in Certificate Manager.
Enter the following:
Procedure name: Protocol Gateway SCEP Certificate with NDES Challenge
Key usage: no key usage
Certificate format: scepndesdynamicenroll
Create token procedure
Follow the instructions in Create token procedure in Certificate Manager.
Enter the following:
Procedure name: SCEP Registration and Enroll Procedure with NDES Challenge
Storage profile: PKCS10
Issuer certificates: Store all
Certificate procedures: Protocol Gateway SCEP Certificate with NDES Challenge
Input view: GPIV 16 - Save and Search SCEP Enrollment Registrations with dynamic password
Configure scep.properties
Open scep.properties for editing.
On Linux, this is found in /var/cm-gateway/conf.
On Windows, this is found in C:/ProgramData/Nexus/cm-gateway/conf.
scep.properties defines two NDES handlers: handler 3 serves the NDES challenge endpoint and handler 4 serves NDES enrollment requests. Change the settings of these handlers as needed; see the example file below.
Add '.encrypted' to the ndesPassword parameter name (handler.3.ndesPassword.encrypted) so that the password is not stored in cleartext in scep.properties.
Example: scep.properties
...
# http://<pgwy-host>:<port>/pgwy/scep/ndeschallenge/
#
# Handler for SCEP dynamic challenge endpoint (NDES compliant)
#
handler.3.filter = ndeschallenge/
handler.3.format = scep-ndes
handler.3.ndesUsername = ndesadmin
handler.3.ndesPassword = ndespassword
# Lifetime of an issued challenge password as an ISO 8601 duration (15 minutes)
handler.3.ndesChallengeValidity = PT15M

# http://<pgwy-host>:<port>/pgwy/scep/ndesrequest
#
# Handler for SCEP request using dynamic challenge password (NDES compliant)
#
handler.4.filter = ndesrequest
handler.4.format = scep
handler.4.tokenprocedure = SCEP Registration and Enroll Procedure with NDES Challenge
...
Restart the Tomcat service.
Configure SCEP test tool
Extract the SCEP test tool
Extract testtools.zip from <client-home>/web/testtools.zip.
Set SCEP test tool parameters
Open the SCEPClient configuration file named com.nexussafe.cm.test.app.SCEPClient.properties from testtools/config/.
Set the parameters as described in the table below.
The test tool retrieves the NDES dynamic challenge password with the command getndeschallenge, using the parameters below.
Parameter | Value | Comment
---|---|---
ndesChallengeUrl | <url> | The NDES 'ndeschallenge' endpoint, for example http://localhost:8080/pgwy/scep/ndeschallenge/. Depends on the filter specified for the ndeschallenge handler in scep.properties.
ndesAdminUsername | <username> | The same value as ndesUsername for the ndeschallenge handler in scep.properties.
ndesAdminPassword | <password> | The same value as ndesPassword for the ndeschallenge handler in scep.properties.
certRequestUrl | The NDES 'ndesRequest' endpoint | This endpoint is http://localhost:8080/pgwy/scep/ndesrequest?operation=PKIOperation&message= and depends on what you have specified in the handler section for ndesrequest in scep.properties. Default is ndesrequest.
Example: SCEPClient.properties
caCertUrl = http://localhost:8080/pgwy/scep?operation=GetCaCert&message=none
certRequestUrl = http://localhost:8080/pgwy/scep/ndesrequest?operation=PKIOperation&message=
ndesChallengeUrl = http://localhost:8080/pgwy/scep/ndeschallenge/
raCert = temp/protocol-gateway-ra.cer
workdir = temp
p12.alias = scep client key
p12.certFile = temp/scep.cer
p12.keyLength = 2048
p12.keyToken.keyFile = temp/scep.p12
p12.keyToken.password = abcd1234
p12.keyToken.storeProvider = iD2Store
p12.keyToken.storeType = PKCS12
; rc2 is a legacy SCEP content-encryption algorithm; keep it only where the server requires it for interoperability
scep.cipherAlg = rc2
; p10.subject = unstructuredname=un-{0} SEG,cn={0} SEG,o=Company
p10.subject = cn={0} SEG,o=Company
p10.dns = {0}.example.com
p10.password = abcd1234
p10.keyusage = digitalSignature, keyEncipherment; critical
ndesAdminUsername = ndesadmin
ndesAdminPassword = ndespassword
;------------------ proxy certificate ------------------
useProxyCert = false
proxyCert.keyToken.keyFile = temp/proxy.p12
proxyCert.keyToken.password = abcd1234
proxyCert.keyToken.storeProvider = iD2Store
proxyCert.keyToken.storeType = PKCS12
Generate SCEP request
See the section "Generate SCEP request" in Example: SCEP configuration in Protocol Gateway.
The NDES flow adds one step (step 2, getndeschallenge) to the steps linked above:
1. getcacert - to get the CA/RA cert from the server
2. getndeschallenge - to get the NDES dynamic challenge password from the server
3. create - to create the certificate request with a new key and subject
4. send - to send the CSR to Protocol Gateway
5. verify - to verify the response
The certificate is saved in temp/scep.p12 (default). To change this, use the parameter p12.keyToken.keyFile in SCEPClient.properties.