
SCEP

SeaCat PKI supports SCEP aka Simple Certificate Enrolment Protocol.

Prerequisites

Enable SCEP

Use Web UI to enable SCEP in the Certificate Authority.

Press "Edit", select the checkbox and press "Save".


Resources

Certificate Enrolment/Renewal

Certificate Enrolment procedure

Client C (aka sscep)
Certification Authority CA (aka SeaCat PKI)

  1. C generates a private/public key pair
  2. C generates a CSR (aka Certificate Signing Request, PKCS#10):
     - adds attributes
     - adds the public key
     - signs the CSR with the private key (Proof-of-Possession or PoP)
  3. C submits the CSR to CA over SCEP (the request is in the PKCS#7 aka CMS format)
  4. CA accepts the CSR (over the SCEP interface, including PKCS#7 verifications)
  5. CA verifies the CSR
  6. CA stores the CSR in a storage
  7. At this moment CA can decide that the approval will be delayed and returns PENDING to C. The process can be resumed here; C has to periodically check the status of the enrolment with CA.
  8. CA approves the CSR; this step implicitly creates a client certificate:
     - adds selected attributes from the CSR
     - adds the public key from the CSR
     - signs the new certificate with the CA private key
  9. CA stores the new client certificate in a storage
  10. C retrieves this client certificate from CA (over SCEP)
  11. C stores the client certificate on the local drive

Note: The renewal process is similar to the enrolment.

Tool sscep

SSCEP is a command line client for the SCEP protocol.
It can be used as a client to SeaCat PKI.

  1. Configure SeaCat PKI SCEP entry point.

    % export SCEP_URL="http://example.com/scep-tenant/scep"
    
  2. Get CA Certificate

    % sscep getca -c ca.cert -u ${SCEP_URL}
    

    Stores the CA certificate into the ca.cert file.

  3. Prepare CSR

    % openssl req -newkey rsa:2048 -sha256 -nodes -out local.csr -keyout local.key -subj "/C=GB/L=London/O=TeskaLabs/OU=SeaCat/CN=example.com"
    

    This creates local.key and local.csr.

  4. Certificate Enrolment

    % sscep enroll -v -k local.key -r local.csr -c ca.cert -l local.cert -t 2 -u ${SCEP_URL}
    
  5. Certificate Renewal

    % sscep enroll -v -k local.key -r local.csr -c ca.cert -O local.cert -K local.key -l local.cert -u ${SCEP_URL}
    

NGINX

This is how to configure NGINX to forward SCEP requests to SeaCat PKI (hostname my-seacat-pki, tenant mytenant).

location /my/scep {
        rewrite ^/my/scep /mytenant/scep break;
        proxy_pass http://my-seacat-pki:8910;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

Apple SCEP support

Apple allows specifying a configuration profile for macOS and iOS that contains an SCEP payload, which enables automated device enrolment.

Documentation:

SCEP profile

  1. Download the ./scep-apple-profile.mobileconfig file. The profile is an XML file. Ensure that the file has the .mobileconfig extension.

  2. Use a text editor to customize the profile according to your setup, namely provide the URL of your SeaCat PKI SCEP endpoint.

  3. Open this file in Finder to invoke "Profile installation".

  4. Go to "System Settings" > "Profile" and double-click the new SCEP profile to finish the installation. The certificate must be approved by SeaCat PKI during this step, so consider using the auto-approve function of the PKI.