SCEP is the successor of CEP, the Certificate Enrollment Protocol. Both protocols were developed by Cisco. The idea is to have a simple but secure protocol to enroll certificates and CRLs. Today many network components use SCEP to manage certificates and CRLs, among them switches, routers, firewalls and VPN software.
OpenCA supports SCEP via its own web interface. The interface is called scep and you can install it via "make install-scep". After the installation you only have to configure the file OPENCADIR/etc/servers/scep.conf, or you edit OPENCADIR/etc/config.xml before you run OPENCADIR/etc/configure_etc.sh. Please remember that access can only be filtered by IP address, because SCEP itself doesn't support any authentication mechanisms. A SCEP client can connect to the interface via http://your_host/cgi-bin/scep/scep.
The SCEP server can accept the desired certificate role for new enrollment requests from the CertificateTemplate extension. In order to make use of this feature, set the PKCS#10 attribute 1.3.6.1.4.1.311.20.2 to the desired certificate role name (Unicode). The server will remove any non-alphanumeric characters and then try to match the requested role with the ones defined for the RA. If a match is found, this role is selected for the new certificate request.
The configuration file scep.conf contains the following parameters:
This is the PEM encoded private key of the SCEP interface. It has the same format as for mod_ssl.
This is the PEM encoded certificate of the SCEP interface. It has the same format as for mod_ssl.
This is the passphrase for the private key of the SCEP server. If you use an unencrypted private key (which is not recommended), then please set an empty string here.
Policy definition: if set to "NO" the SCEP server will not accept requests for certificate DNs that do not exist yet. Set this value to "YES" to allow initial enrollment of new systems unconditionally. Experimental: if set to "VALIDSIGNATURE" then the server will only accept SCEP requests that have been signed with a certificate issued by the same CA. This is not strictly defined by the newer SCEP drafts but allows adding an additional authentication step. In this case no self-signed certificates are accepted in the SCEP message; the server will require a valid signature (but this may be from any certificate issued by the infrastructure).
Policy definition: if set to "YES" the SCEP server will allow renewal requests for existing certificates. A renewal request will not be accepted if two or more valid certificates with the same DN already exist. If set to "NO" the server will reject SCEP requests for DNs that already exist in at least one valid certificate.
String containing a comma separated concatenation of all RDNs to consider when matching the incoming request DN against existing valid certificate DNs. The reason for this setting is that some SCEP clients have problems generating request DNs that conform to the CA conventions. By specifying which RDNs to consider from the incoming request, it is possible to address these problems by ignoring unwanted RDNs. At least the CN should be included here. If your CNs are not unique across your name space, you should add other RDNs to create a unique reference; in most cases this would be "O", "OU" or "DC".
When initially enrolling a new system, this option specifies the initial certificate role to use for the new request. For renewals (at least one certificate with the same request DN already exists) the certificate role from the youngest existing predecessor is used for the new request.
When initially enrolling a new system, this option specifies the Registration Authority to use for the new request. For renewals (at least one certificate with the same request DN already exists) the RA setting from the youngest existing predecessor is used for the new request.
Newer SCEP drafts allow signing the SCEP request with a previously existing key. If a renewal request is received (this means that a valid certificate with the request DN must already exist in the database) the digital signature of this request is verified against the local CA. If the signature is valid and the request DN is identical to the signer DN, then the new request is automatically set to the 'APPROVED' status in the database. The client must explicitly support this feature by using the old certificate and private key. As the feature was introduced in later SCEP drafts, not many SCEP clients allow for automatic approval. Newer versions of sscep will support this feature, however. (Please note that the client system certificate may not have the correct key usage for digitally signing a request. The SCEP draft specifically allows the violation of the key usage, and hence OpenCA's SCEP server ignores errors about incorrect key usage when verifying the signature.)
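As an added illustration (not OpenCA code), the following Python models the server-side decisions described above: normalizing the CertificateTemplate role name, matching the request DN on only the configured RDNs, and applying the enrollment, renewal and signature-based approval policies. The function names, the returned status strings and the simplified DN parser are assumptions.

```python
import re

# Added example, not OpenCA code: a model of the SCEP policy decisions
# described in this section. Function names, return strings and the
# simplified DN parser are assumptions.

NON_ALNUM = re.compile(r"[^0-9A-Za-z]")


def normalize_role(requested, defined_roles):
    """Strip non-alphanumeric characters from the CertificateTemplate value
    (OID 1.3.6.1.4.1.311.20.2) and look it up among the RA's role names.
    Assumes the RA's role names themselves are plain alphanumeric strings."""
    wanted = NON_ALNUM.sub("", requested)
    return wanted if wanted in defined_roles else None


def dn_key(dn, rdn_list):
    """Reduce a DN to the RDNs named in rdn_list (e.g. "CN,O"), in that order.
    Simplified parser: splits on commas, keeps the first value of a repeated
    RDN type, and does not handle escaped commas."""
    rdns = {}
    for part in dn.split(","):
        typ, _, val = part.strip().partition("=")
        rdns.setdefault(typ.strip().upper(), val.strip())
    return tuple((r.strip().upper(), rdns.get(r.strip().upper()))
                 for r in rdn_list.split(","))


def scep_policy(req_dn, existing_valid_dns, rdn_list,
                allow_enroll, allow_renewal, signer_dn=None):
    """Decide what happens to an incoming request. signer_dn is the subject
    of the certificate whose signature on the request verified against the
    local CA, or None if the request was self-signed or unverifiable."""
    if allow_enroll == "VALIDSIGNATURE" and signer_dn is None:
        return "REJECT_UNSIGNED"           # CA-issued signer cert required
    key = dn_key(req_dn, rdn_list)
    matches = sum(1 for dn in existing_valid_dns if dn_key(dn, rdn_list) == key)
    if matches == 0:                       # initial enrollment
        if allow_enroll in ("YES", "VALIDSIGNATURE"):
            return "PENDING_ENROLL"        # initial role and RA settings apply
        return "REJECT_UNKNOWN_DN"
    if allow_renewal != "YES":
        return "REJECT_DN_EXISTS"
    if matches >= 2:                       # no unique predecessor
        return "REJECT_AMBIGUOUS"
    if signer_dn is not None and signer_dn == req_dn:
        return "APPROVED_RENEWAL"          # signed with the old key: auto-approve
    return "PENDING_RENEWAL"               # role and RA taken from the predecessor
```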