8. SCEP

SCEP, the Simple Certificate Enrollment Protocol, is the successor of CEP, the Certificate Enrollment Protocol. Both protocols were developed by Cisco. The idea is to have a simple but secure protocol for enrolling certificates and distributing CRLs. Today many network components use SCEP to manage their certificates and CRLs, among them switches, routers, firewalls and VPN software.

OpenCA supports SCEP via a web interface of its own. The interface is called scep and is installed with "make install-scep". After the installation you only have to configure the file OPENCADIR/etc/servers/scep.conf, or edit OPENCADIR/etc/config.xml before you run OPENCADIR/etc/configure_etc.sh. Remember to restrict access to the interface by IP address (in the web server or a firewall): apart from the optional signature check described under ScepAllowEnrollment below, the SCEP interface does not authenticate its clients, and the transport is plain HTTP. A SCEP client connects to the interface via http://your_host/cgi-bin/scep/scep.

Note

Cisco only supports CA and end entity certificates with key sizes of at most 2048 bits. This means that the key size of your CA certificate cannot exceed 2048 bits if you want to use Cisco equipment.

The SCEP server can take the desired certificate role for a new enrollment request from the CertificateTemplate attribute of the request. To make use of this feature, set the PKCS#10 attribute 1.3.6.1.4.1.311.20.2 to the desired certificate role name (as a Unicode string). The server removes any non-alphanumeric characters from the value and then tries to match the requested role against the roles defined for the RA. If a match is found, that role is selected for the new certificate request; otherwise the ScepDefaultRole described below is used.
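The following is an added example, not OpenCA's own code: it encodes and decodes the CertificateTemplate attribute (OID 1.3.6.1.4.1.311.20.2) as a DER Attribute whose value is a BMPString, which is what the "Unicode" value above means on the wire, and then applies the role selection described above. The helper names, the sample role names and the exact comparison rule (exact match after stripping non-alphanumerics, falling back to the default role) are assumptions made for the example.

```python
# Added example, not OpenCA code: encode/decode the PKCS#10
# CertificateTemplate attribute (OID 1.3.6.1.4.1.311.20.2) and choose the
# certificate role the way the text describes. Pure standard library.
import re

CERT_TEMPLATE_OID = "1.3.6.1.4.1.311.20.2"


def _der_len(n):
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def encode_template_attribute(role_name):
    """Attribute ::= SEQUENCE { type OID, values SET OF BMPString }.
    The 'Unicode' value the text mentions is a BMPString (UTF-16-BE)."""
    value = _tlv(0x1E, role_name.encode("utf-16-be"))
    return _tlv(0x30, encode_oid(CERT_TEMPLATE_OID) + _tlv(0x31, value))


def _read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def requested_role(attribute_der):
    """Template name carried by a CertificateTemplate attribute, or None
    when the attribute is some other PKCS#10 attribute."""
    tag, seq, _ = _read_tlv(attribute_der)
    if tag != 0x30:
        raise ValueError("attribute is not a SEQUENCE")
    tag, oid, pos = _read_tlv(seq)
    if tag != 0x06 or decode_oid(oid) != CERT_TEMPLATE_OID:
        return None
    tag, values, _ = _read_tlv(seq, pos)
    if tag != 0x31:
        raise ValueError("attribute values are not a SET")
    tag, value, _ = _read_tlv(values)
    if tag == 0x1E:                      # BMPString, as the text specifies
        return value.decode("utf-16-be")
    if tag in (0x0C, 0x13):              # tolerate UTF8String/PrintableString from lax clients
        return value.decode("ascii" if tag == 0x13 else "utf-8")
    raise ValueError("unexpected value type 0x%02x" % tag)


def select_role(requested, ra_roles, default_role):
    """Strip non-alphanumerics from the requested name and look it up in the
    RA's roles; otherwise fall back to ScepDefaultRole. Exact comparison after
    stripping is an assumption; the text only says the server tries to match."""
    if requested is not None:
        cleaned = re.sub(r"[^0-9A-Za-z]", "", requested)
        if cleaned in ra_roles:
            return cleaned
    return default_role


if __name__ == "__main__":
    attr = encode_template_attribute("Web-Server")   # constructed request value
    print(attr.hex())
    print(select_role(requested_role(attr), ["WebServer", "User"], "User"))
```

A client that wants a specific role adds the attribute produced by encode_template_attribute to its PKCS#10 request; the server side strips the hyphen from "Web-Server" and matches the RA role "WebServer". A request with a challengePassword attribute instead yields None from requested_role and therefore the default role.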

8.1. OPENCADIR/etc/servers/scep.conf

This file contains the following parameters:

ScepRAKey

This is the PEM encoded private key of the SCEP interface. It has the same format as for mod_ssl.

ScepRACert

This is the PEM encoded certificate of the SCEP interface. It has the same format as for mod_ssl.

ScepRAPasswd

This is the passphrase for the private key of the SCEP interface. If you use an unencrypted private key (which is not recommended), set an empty string here.

ScepAllowEnrollment

Policy definition. If set to "NO", the SCEP server will not accept requests for certificate DNs that do not exist yet. Set this value to "YES" to allow initial enrollment of new systems unconditionally. Experimental: if set to "VALIDSIGNATURE", the server will only accept SCEP requests that have been signed with a certificate issued by the same CA. This is not strictly defined by the newer SCEP drafts, but it adds an additional authentication step. In this case no self-signed certificates are accepted in the SCEP message; the server requires a valid signature (which may, however, come from any certificate issued by the infrastructure, not only from a predecessor of the requested DN).

ScepAllowRenewal

Policy definition. If set to "YES", the SCEP server allows renewal requests for existing certificates. A renewal request is not accepted if two or more valid certificates with the same DN already exist. If set to "NO", the server rejects SCEP requests for DNs that already appear in at least one valid certificate.

ScepRenewalRDNMatch

A comma-separated list of the RDNs to consider when matching the DN of an incoming request against the DNs of existing valid certificates. The reason for this setting is that some SCEP clients have problems generating request DNs that conform to the CA's naming conventions; by listing only the RDNs that should be considered, unwanted RDNs in the request are ignored. At least the CN should be included here. If your CNs are not unique across your namespace, add further RDNs to create a unique reference, in most cases "O", "OU" or "DC".

ScepDefaultRole

When initially enrolling a new system, this option specifies the certificate role to use for the new request. For renewals (at least one certificate with the same request DN already exists) the certificate role of the most recently issued predecessor is used for the new request.

ScepDefaultRA

When initially enrolling a new system, this option specifies the Registration Authority to use for the new request. For renewals (at least one certificate with the same request DN already exists) the RA setting of the most recently issued predecessor is used for the new request.

ScepAutoApprove

Newer SCEP drafts allow signing the SCEP request with a previously existing key. If a renewal request is received (that is, a valid certificate with the request DN already exists in the database), the digital signature of the request is verified against the local CA. If the signature is valid and the request DN is identical to the signer DN, the new request is automatically set to the 'APPROVED' status in the database. The client must explicitly support this feature by signing with the old certificate and private key. As the feature was introduced in later SCEP drafts, not many SCEP clients allow for automatic approval; newer versions of sscep do support it. (Note that the client's system certificate might not carry a key usage that permits digitally signing a request. The SCEP draft specifically allows this violation of the key usage, and hence OpenCA's SCEP server ignores key usage errors when verifying the signature.)
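The following is an added example, not OpenCA's own code: a decision function that applies the ScepAllowEnrollment, ScepAllowRenewal, ScepRenewalRDNMatch, ScepDefaultRole, ScepDefaultRA and ScepAutoApprove rules described above to constructed requests and a constructed list of valid certificates. The data classes, the config dictionary, the sample DNs and the use of "YES"/"NO" as the values of ScepAutoApprove are assumptions made for the example; the signature checks themselves are represented by flags, since the point here is the policy, not PKCS#7 parsing.

```python
# Added example, not OpenCA code: policy decisions for incoming SCEP requests
# following the scep.conf parameters described above. Sample data is constructed.
# "YES"/"NO" as the values of ScepAutoApprove is an assumption.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ExistingCert:
    dn: Dict[str, str]     # RDN -> value, e.g. {"CN": ..., "OU": ..., "O": ...}
    role: str
    ra: str


@dataclass
class ScepRequest:
    dn: Dict[str, str]
    signer_dn: Optional[Dict[str, str]] = None   # None: self-signed enrollment certificate
    signer_issued_by_ca: bool = False            # signer certificate was issued by this CA
    signature_valid: bool = False                # PKCS#7 signature verified (key usage ignored)


@dataclass
class Decision:
    action: str            # "REJECT", "PENDING" (operator must approve) or "APPROVED"
    role: str = ""
    ra: str = ""
    reason: str = ""


def match_key(dn, rdns):
    """Project a DN onto the RDNs listed in ScepRenewalRDNMatch."""
    return tuple(dn.get(rdn) for rdn in rdns)


def evaluate(req, config, valid_certs):
    rdns = [r.strip() for r in config["ScepRenewalRDNMatch"].split(",")]
    key = match_key(req.dn, rdns)
    predecessors = [c for c in valid_certs if match_key(c.dn, rdns) == key]
    signed_by_ca = (req.signer_dn is not None and req.signer_issued_by_ca
                    and req.signature_valid)

    if not predecessors:                          # initial enrollment of a new DN
        mode = config["ScepAllowEnrollment"]
        if mode == "NO":
            return Decision("REJECT", reason="unknown DN and ScepAllowEnrollment=NO")
        if mode == "VALIDSIGNATURE" and not signed_by_ca:
            return Decision("REJECT", reason="unknown DN; VALIDSIGNATURE needs a CA-issued signer")
        if mode not in ("YES", "VALIDSIGNATURE"):
            raise ValueError("bad ScepAllowEnrollment value: %r" % mode)
        return Decision("PENDING", config["ScepDefaultRole"], config["ScepDefaultRA"],
                        "initial enrollment, default role and RA")

    if config["ScepAllowRenewal"] != "YES":       # DN already exists: renewal
        return Decision("REJECT", reason="DN holds a valid certificate and ScepAllowRenewal=NO")
    if len(predecessors) > 1:
        return Decision("REJECT", reason="two or more valid certificates match the request DN")
    pred = predecessors[0]                        # single valid predecessor supplies role and RA
    if config["ScepAutoApprove"] == "YES" and signed_by_ca and req.signer_dn == req.dn:
        return Decision("APPROVED", pred.role, pred.ra, "renewal signed with the predecessor's key")
    return Decision("PENDING", pred.role, pred.ra, "renewal awaiting operator approval")


# Constructed sample configuration and database contents.
CONFIG = {
    "ScepAllowEnrollment": "YES",
    "ScepAllowRenewal": "YES",
    "ScepRenewalRDNMatch": "CN, O",      # ignore OU, which some clients get wrong
    "ScepDefaultRole": "Router",
    "ScepDefaultRA": "Network Operations",
    "ScepAutoApprove": "YES",
}
VALID_CERTS = [
    ExistingCert({"CN": "rtr1.example.net", "OU": "Network", "O": "Example"},
                 "Core Router", "NOC"),
]

if __name__ == "__main__":
    new = ScepRequest({"CN": "rtr9.example.net", "OU": "Network", "O": "Example"})
    renew_dn = {"CN": "rtr1.example.net", "OU": "Net", "O": "Example"}   # OU differs from the cert
    renew = ScepRequest(renew_dn, signer_dn=dict(renew_dn),
                        signer_issued_by_ca=True, signature_valid=True)
    for r in (new, renew):
        print(evaluate(r, CONFIG, VALID_CERTS))
```

The renewal in the demo carries an OU that does not match the existing certificate; because ScepRenewalRDNMatch is "CN, O" it is still recognised as a renewal of rtr1.example.net, inherits the role "Core Router" and RA "NOC" from its predecessor, and is auto-approved because it was signed with that predecessor's key. Switching ScepAllowEnrollment to "VALIDSIGNATURE" makes the self-signed request for rtr9.example.net fail, while the same request signed by any CA-issued certificate still goes to PENDING.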

8.2. OPENCADIR/etc/config.xml

This file contains the following parameters:

SCEP_RA_KEY

This is the PEM encoded private key of the SCEP interface. It has the same format as for mod_ssl.

SCEP_RA_CERT

This is the PEM encoded certificate of the SCEP interface. It has the same format as for mod_ssl.

SCEP_RA_PASSWD

This is the passphrase for the private key of the SCEP interface. If you use an unencrypted private key (which is not recommended), set an empty string here.