Skip to content

Configuring SCEP Responder

Marco Fargetta edited this page Jul 17, 2024 · 11 revisions

Overview

This page describes the process to configure SCEP responder in CA.

For older versions see:

SCEP Profile

The profile used by the SCEP responder is configured in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg:

profile.list=...,caRouterCert,...
profile.caRouterCert.class_id=caEnrollImpl
profile.caRouterCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caRouterCert.cfg

By default it uses the caRouterCert profile in /var/lib/pki/pki-tomcat/ca/profiles/ca/caRouterCert.cfg:

auth.instance_id=flatFileAuth

Disable deferOnFailure in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg:

auths.instance.flatFileAuth.deferOnFailure=false

Edit /var/lib/pki/pki-tomcat/ca/conf/flatfile.txt to enter the client’s IP address and password:

UID:<IP address>
PWD:<password>

UID:<IP address>
PWD:<password>

...

Note: the <IP address> can be either ipv4 or ipv6. It is important to use the one identifying the client connection. This is related to the server host and DNS configuration.

SCEP Configuration

The SCEP configuration is stored in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg:

ca.scep.enable=false
ca.scep.hashAlgorithm=SHA256
ca.scep.allowedHashAlgorithms=SHA256,SHA512
ca.scep.encryptionAlgorithm=DES3
ca.scep.allowedEncryptionAlgorithms=DES3
ca.scep.nonceSizeLimit=16

To enable the SCEP responder:

ca.scep.enable=true

Then restart the server:

$ systemctl restart pki-tomcatd@pki-tomcat.service

The client can access the SCEP responder at http://pki.example.com:8080/ca/cgi-bin/pkiclient.exe.

Dynamic SCEP Profile

In PKI 10.11 or later the SCEP responder allows the client to specify the profile to be used for issuing the certificate. The list of allowed profiles can be configured in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg:

ca.scep.allowedDynamicProfileIds=<comma-separated list of profiles>

The client can access the SCEP responder at http://pki.example.com:8080/ca/scep/<profile>/pkiclient.exe.

See Also

Clone this wiki locally