Configuring SCEP Responder
This page describes how to configure the SCEP responder in the CA.
For older versions see:
The profile used by the SCEP responder is configured in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg:

```
profile.list=...,caRouterCert,...
profile.caRouterCert.class_id=caEnrollImpl
profile.caRouterCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caRouterCert.cfg
```
By default it uses the caRouterCert profile, defined in /var/lib/pki/pki-tomcat/ca/profiles/ca/caRouterCert.cfg, which authenticates SCEP requests with the flat-file authenticator:

```
auth.instance_id=flatFileAuth
```
Disable deferOnFailure in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg:

```
auths.instance.flatFileAuth.deferOnFailure=false
```
Edit /var/lib/pki/pki-tomcat/ca/conf/flatfile.txt to enter each client's IP address and password, one UID/PWD pair per client:

```
UID:<IP address>
PWD:<password>

UID:<IP address>
PWD:<password>

...
```
The SCEP configuration is stored in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg:

```
ca.scep.enable=false
ca.scep.hashAlgorithm=SHA256
ca.scep.allowedHashAlgorithms=SHA256,SHA512
ca.scep.encryptionAlgorithm=DES3
ca.scep.allowedEncryptionAlgorithms=DES3
ca.scep.nonceSizeLimit=16
```
To enable the SCEP responder, set:

```
ca.scep.enable=true
```
Then restart the server:

```
$ systemctl restart pki-tomcatd@pki-tomcat.service
```
The client can access the SCEP responder at http://pki.example.com:8080/ca/cgi-bin/pkiclient.exe.
In PKI 10.11 or later the SCEP responder allows the client to specify the profile to be used for issuing the certificate.
The list of allowed profiles can be configured in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg:

```
ca.scep.allowedDynamicProfileIds=<comma-separated list of profiles>
```
The client can access the SCEP responder at http://pki.example.com:8080/ca/scep/<profile>/pkiclient.exe.
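The steps above, together with the allowed-profile list for PKI 10.11 or later, carried out in code. This is an added example and not code from Dogtag PKI: it sets the two CS.cfg keys this page changes, checks that the chosen hash and encryption algorithms appear in their allowed lists and that every ID in ca.scep.allowedDynamicProfileIds exists in profile.list, and renders flatfile.txt entries. The sample CS.cfg is constructed from the values shown on this page; the profile names caUserCert and caServerCert, the blank line between flatfile.txt entries, and the helper names (load_cfg, set_keys, check_scep, flatfile_entries, configure) are assumptions of this example.

```python
import tempfile
from ipaddress import ip_address
from pathlib import Path

# Settings this page says to change before restarting the server.
SCEP_SETTINGS = {
    "auths.instance.flatFileAuth.deferOnFailure": "false",
    "ca.scep.enable": "true",
}

# Constructed sample of the relevant CS.cfg lines, built from the values on
# this page; the extra profile names are assumed (the real file is far larger).
SAMPLE_CS_CFG = """\
profile.list=caUserCert,caRouterCert,caServerCert
profile.caRouterCert.class_id=caEnrollImpl
profile.caRouterCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caRouterCert.cfg
auths.instance.flatFileAuth.deferOnFailure=true
ca.scep.enable=false
ca.scep.hashAlgorithm=SHA256
ca.scep.allowedHashAlgorithms=SHA256,SHA512
ca.scep.encryptionAlgorithm=DES3
ca.scep.allowedEncryptionAlgorithms=DES3
ca.scep.nonceSizeLimit=16
ca.scep.allowedDynamicProfileIds=caRouterCert,caServerCert
"""


def load_cfg(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def set_keys(text, updates):
    """Return text with every key in updates set: an existing line is replaced
    in place, a missing key is appended, and all other lines are left as-is."""
    lines = text.splitlines()
    seen = set()
    for i, line in enumerate(lines):
        key = line.partition("=")[0].strip()
        if key in updates:
            lines[i] = f"{key}={updates[key]}"
            seen.add(key)
    lines += [f"{k}={v}" for k, v in updates.items() if k not in seen]
    return "\n".join(lines) + "\n"


def check_scep(cfg):
    """Return the inconsistencies in the SCEP settings; an empty list means the
    responder is enabled and every chosen value is one the config permits."""
    problems = []
    if cfg.get("ca.scep.enable") != "true":
        problems.append("ca.scep.enable is not true")
    if cfg.get("auths.instance.flatFileAuth.deferOnFailure") != "false":
        problems.append("auths.instance.flatFileAuth.deferOnFailure is not false")
    for what in ("hash", "encryption"):
        chosen = cfg.get(f"ca.scep.{what}Algorithm", "")
        allowed = cfg.get(f"ca.scep.allowed{what.capitalize()}Algorithms", "").split(",")
        if chosen not in allowed:
            problems.append(f"{what} algorithm {chosen!r} is not in {allowed}")
    profiles = cfg.get("profile.list", "").split(",")
    for pid in cfg.get("ca.scep.allowedDynamicProfileIds", "").split(","):
        if pid and pid not in profiles:
            problems.append(f"dynamic profile {pid!r} is not in profile.list")
    return problems


def flatfile_entries(clients):
    """Render flatfile.txt: a UID/PWD pair per client, entries separated by a
    blank line (assumed layout). The UID must be an IP address, as used here."""
    blocks = []
    for ip, password in clients:
        ip_address(ip)  # raises ValueError for a malformed address
        if not password or any(c.isspace() for c in password):
            raise ValueError(f"bad password for {ip}: empty or contains whitespace")
        blocks.append(f"UID:{ip}\nPWD:{password}")
    return "\n\n".join(blocks) + "\n"


def configure(cs_cfg, flatfile, clients):
    """Apply SCEP_SETTINGS to cs_cfg and write flatfile, but write nothing if
    the resulting CS.cfg is inconsistent. Returns the list of problems found."""
    text = set_keys(Path(cs_cfg).read_text(), SCEP_SETTINGS)
    problems = check_scep(load_cfg(text))
    if not problems:
        Path(cs_cfg).write_text(text)
        Path(flatfile).write_text(flatfile_entries(clients))
    return problems


if __name__ == "__main__":
    # Dry run on copies in a temporary directory. On the CA the targets are
    # /var/lib/pki/pki-tomcat/ca/conf/CS.cfg and .../conf/flatfile.txt.
    with tempfile.TemporaryDirectory() as d:
        cfg, ff = Path(d, "CS.cfg"), Path(d, "flatfile.txt")
        cfg.write_text(SAMPLE_CS_CFG)
        found = configure(cfg, ff, [("192.0.2.10", "router-one-secret")])
        print("problems:", found or "none")
        print(ff.read_text())
        # Then: systemctl restart pki-tomcatd@pki-tomcat.service
```

Run it against copies first (the `__main__` block does that in a temporary directory), then point it at the real CS.cfg and flatfile.txt and restart the server as shown above. Two caveats the check does not cover: flatfile.txt holds the client passwords in clear text, so keep its file permissions tight; and the check only verifies consistency, so it accepts DES3, the only encryption algorithm this page lists, even though NIST SP 800-131A Rev. 2 disallows triple DES for encryption after 2023. Narrow ca.scep.allowedEncryptionAlgorithms once your clients and PKI version support something stronger.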