SCEP
SeaCat PKI supports SCEP, the Simple Certificate Enrolment Protocol.
Prerequisites
- Certificate Authority (see how to Create a Certificate Authority)
Enable SCEP
Use the Web UI to enable SCEP in the Certificate Authority.
Press "Edit", select the checkbox and press "Save".
Resources
- Simple Certificate Enrolment Protocol (SCEP) Specifications, draft-gutmann-scep-16
- RFC 2315 PKCS #7: Cryptographic Message Syntax
- RFC 5652 Cryptographic Message Syntax (CMS)
Certificate Enrolment/Renewal
Certificate Enrolment procedure
The two parties are the client C (e.g. sscep) and the Certification Authority CA (SeaCat PKI).
- C generates a private/public key pair.
- C generates a CSR (Certificate Signing Request, PKCS#10):
  - adds attributes,
  - adds the public key,
  - signs the CSR with the private key (Proof-of-Possession, PoP).
- C submits the CSR to CA over SCEP (the request is in PKCS#7 aka CMS format).
- CA accepts the CSR over the SCEP interface, including PKCS#7 verifications.
- CA verifies the CSR.
- CA stores the CSR into a storage. At this moment CA can decide that the approval will be delayed and returns PENDING to C. The process can be resumed here; C has to periodically check the status of the enrolment with CA.
- CA approves the CSR; this step implicitly creates a client certificate:
  - adds selected attributes from the CSR,
  - adds the public key from the CSR,
  - signs the new certificate with its CA private key.
- CA stores the new client certificate in a storage.
- C retrieves this client certificate from CA (over SCEP).
- C stores the client certificate on the local drive.
Note: The renewal process is similar to the enrolment.
Tool sscep
SSCEP is a command line client for the SCEP protocol.
It can be used as a client to SeaCat PKI.
- Configure the SeaCat PKI SCEP entry point.
  % export SCEP_URL="http://example.com/scep-tenant/scep"
- Get the CA certificate.
  % sscep getca -c ca.cert -u ${SCEP_URL}
  This stores the CA certificate into the ca.cert file.
- Prepare the CSR.
  % openssl req -newkey rsa:2048 -sha256 -nodes -out local.csr -keyout local.key -subj "/C=GB/L=London/O=TeskaLabs/OU=SeaCat/CN=example.com"
  This creates local.key and local.csr.
- Certificate enrolment.
  % sscep enroll -v -k local.key -r local.csr -c ca.cert -l local.cert -t 2 -u ${SCEP_URL}
- Certificate renewal.
  % sscep enroll -v -k local.key -r local.csr -c ca.cert -O local.cert -K local.key -l local.cert -u ${SCEP_URL}
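The sscep steps above as one script, with the checks a client should make around them: the CA certificate fetched by getca is pinned against a fingerprint obtained out of band (GetCACert itself is unauthenticated), and the issued certificate is checked to chain to that CA and to match the local private key. This is an added example, not code from the SeaCat PKI docs or the sscep project; it assumes sscep and openssl are on PATH, and EXPECTED_CA_FP and the endpoint are placeholders.

```shell
#!/bin/sh
# Added example: SCEP enrolment with sscep plus client-side verification.
# Assumes sscep and openssl on PATH; SCEP_URL/EXPECTED_CA_FP are placeholders.
set -eu

SCEP_URL="${SCEP_URL:-http://example.com/scep-tenant/scep}"   # placeholder endpoint
EXPECTED_CA_FP="${EXPECTED_CA_FP:-}"   # SHA-256 CA fingerprint obtained out of band

# Normalise a fingerprint: drop any "SHA256 Fingerprint=" prefix, colons and case,
# so a value copied from an admin console compares with openssl's output.
norm_fp() {
  printf '%s' "$1" | sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# Return 0 when both arguments denote the same fingerprint.
fp_matches() {
  [ "$(norm_fp "$1")" = "$(norm_fp "$2")" ]
}

# Step 1: GetCACert and pin the result; plain HTTP gives no authenticity by itself.
get_ca() {
  sscep getca -c ca.cert -u "$SCEP_URL"
  actual=$(openssl x509 -noout -fingerprint -sha256 -in ca.cert)
  fp_matches "$EXPECTED_CA_FP" "$actual" || {
    echo "CA fingerprint mismatch, refusing to enrol: $actual" >&2; return 1; }
}

# Step 2: key pair and PKCS#10 CSR (subject as on this page; adjust to your setup).
make_csr() {
  openssl req -newkey rsa:2048 -sha256 -nodes -out local.csr -keyout local.key \
    -subj "/C=GB/L=London/O=TeskaLabs/OU=SeaCat/CN=example.com"
}

# Step 3: enrol; sscep keeps polling while the CA answers PENDING (-t is the interval).
enroll() {
  sscep enroll -v -k local.key -r local.csr -c ca.cert -l local.cert -t 2 -u "$SCEP_URL"
}

# Step 4: the issued certificate must chain to the pinned CA and carry our public key.
verify_issued() {
  openssl verify -CAfile ca.cert local.cert
  [ "$(openssl x509 -noout -pubkey -in local.cert)" = "$(openssl pkey -pubout -in local.key)" ]
}

# Run the whole flow only when invoked as: sh enrol.sh run
if [ "${1:-}" = run ]; then get_ca && make_csr && enroll && verify_issued; fi
```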
NGINX
This is how to configure NGINX to forward SCEP requests to SeaCat PKI (hostname my-seacat-pki, tenant mytenant).
  location /my/scep {
      rewrite ^/my/scep /mytenant/scep break;
      proxy_pass http://my-seacat-pki:8910;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }
Apple SCEP support
Apple allows you to specify a profile for macOS and iOS that contains SCEP settings, allowing automated device enrolment.
Documentation:
- Configuration Profile Reference (Apple, PDF)
- Configuration Profiles (online, Substitution Variables for profiles)
SCEP profile
- Download the ./scep-apple-profile.mobileconfig file. The profile is an XML file. Ensure that the file has the .mobileconfig extension.
- Use a text editor to customize the profile according to your setup, namely provide the URL of your SeaCat PKI SCEP endpoint.
- Open this file in Finder to invoke "Profile installation".
- Go to "System Settings" > "Profile" and double-click the new SCEP profile to finish the installation. The certificate must be approved by SeaCat PKI during this step, so consider using the auto-approve function of the PKI.