SCEP

SeaCat PKI supports SCEP aka Simple Certificate Enrolment Protocol.

Prerequisities

• Certificate Authority: (how to Create a Certificate Authority)

Enable SCEP

Use Web UI to enable SCEP in the Certificate Authority.

Press "Edit", select the checkbox and press "Save".

Resources

• Simple Certificate Enrolment Protocol (SCEP) Specifications, draft-gutmann-scep-16
• RFC 2315 PKCS #7: Cryptographic Message Syntax
• RFC 5652 Cryptographic Message Syntax (CMS)

Certificate Enrolment/Renewal

Certificate Enrolment procedure

Client C (aka sscep)
Certification Authority CA (aka SeaCat PKI)

1. C generates private/public key pair
2. C generates CSR (aka Certificate Signing Request, PKCS#10)
3. Add attributes
4. Add a public key
5. Sign CSR by private key (Proof-of-Possession or PoP)
6. C submits CSR to CA over SCEP (request is in the PKCS#7 aka CMS format)
7. CA accepts CSR (over SCEP interface, including PKCS# verifications)
8. CA verifies CSR
9. CA stores CSR into a storage
10. At this moment CA can decide that the approval will be delayed and returns PENDING to the C. The process can be resumed here. C has to periodically check the status of the enrollment with CA.
11. CA approves CSR and this step implicitly creates a client certificate
12. Add selected attributes from CSR
13. Add a public key from CSR
14. Sign a new certificate by its CA private key
15. CA stores a new client certificate in a storage
16. C retrieves this client certificate from CA (over SCEP)
17. C stores the client certificate on the local drive

Note: Renewal process is similar to the enrolment.

Tool sscep

SSCEP is a command line client for the SCEP protocol.
It can be used as a client to SeaCat PKI.

1. Configure SeaCat PKI SCEP entry point.

   % export SCEP_URL="http://example.com/scep-tenant/scep"
   

2. Get CA Certificate

   % sscep getca -c ca.cert -u ${SCEP_URL}
   

   Stores the CA certiticate into ca.cert file.

3. Prepare CSR

   % openssl req -newkey rsa:2048 -sha256 -nodes -out local.csr -keyout local.key -subj "/C=GB/L=London/O=TeskaLabs/OU=SeaCat/CN=example.com"
   

   This creates local.key and local.csr.

4. Certificate Enrolment

   % sscep enroll -v -k local.key -r local.csr -c ca.cert -l local.cert -t 2 -u ${SCEP_URL}
   

5. Certificate Renewal

   % sscep enroll -v -k local.key -r local.csr -c ca.cert -O local.cert -K local.key -l local.cert -u ${SCEP_URL}
   

NGINX

This is how to configure NGINX to forward SCEP requests to SeaCat PKI (hostname my-seacat-pki, tenant mytenant).

location /my/scep {
        rewrite ^/my/scep /mytenant/scep break;
        proxy_pass http://my-seacat-pki:8910;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

Apple SCEP support

Apple allows to specify a profile for macOS and iOS that contains SCEP specifications allowing automated device enrollment.

Documentation:

• Configuration Profile Reference (Apple, PDF)
• Configuration Profiles (Online, Substitution Variables for profiles)

SCEP profile

1. Download the ./scep-apple-profile.mobileconfig file. The profile is XML file. Ensure that the file has .mobileconfig extension.

2. Use the text editor to customize the profile accordingly to your setup, namely provide the URL of your SeaCat PKI SCEP endpoint.

3. Open this file in a Finder to invoke "Profile installation"

4. Go to "System Settings" > "Profile" and double-click the new SCEP profile to finish the installation. The certificate must be approved by SeaCat PKI during this step, so consider using auto-approve function of the PKI.