With version 0.9.2 the OpenCA team introduced support for SCEP. SCEP was developed by Cisco. The protocol is usually used by VPN products like routers, switches and software clients to submit requests and to download certificates and CRLs. We document here the configuration of known systems to work with OpenCA. The configuration of OpenCA's SCEP service itself is described in the administration guide, Section 8, “SCEP”.
SSCEP stands for Simple SCEP client for Unix. It can be used to request certificates if a device doesn't support SCEP but you want to use SCEP anyway. Usually SSCEP is used to test whether SCEP daemons work properly.
Example 6.1. SSCEP configuration
# URL of the SCEP server.
URL http://scep.pki.openca.org/cgi-bin/scep/scep
# This one is needed for all operations.
CACertFile ./ca.crt-0
# Possible values: yes or no.
Verbose yes
Debug yes
# Display fingerprint algorithm (md5/sha1)
FingerPrint md5
# Private key created with mkrequest
PrivateKeyFile ./local.key
# Where to write successfully enrolled certificate
LocalCertFile ./local.crt
# Certificate request file created with mkrequest
CertReqFile ./local.csr
# Poll periodically for pending certificate (seconds)
PollInterval 60
# Maximum polling time
MaxPollTime 28800
# Maximum polling count
MaxPollCount 256
# Certificate serial number (decimal)
GetCertSerial 1
# Write certificate as
GetCertFile ./cert.crt
# Write CRL as
GetCrlFile ./crl.crl
First you have to download the CA and SCEP certificates from the SCEP server. You can do this with the command sscep getca -f sscep.conf. Please check that the CACertFile is correct; sometimes the SCEP certificate is written as ca.crt-0-0. Now you have everything you need to request a certificate. local.csr (the CertReqFile of Example 6.1) must contain your request and local.key should contain your private key. To avoid your CA admin mistaking you for an attacker, please do not poll more often than every ten minutes (600 seconds).
Now you can run sscep enroll -f sscep.conf. The result is some debugging output, and sscep starts polling until it reaches its maximum poll time, receives an error message from the SCEP server or downloads the certificate successfully. That's all. No magic, but a really simple and efficient client interface.
If you don't want polling, e.g. if you use SCEP for web server requests, then you can start the enrollment and kill the process when SSCEP starts polling. If you know that the certificate is available, simply start the enrollment again. SSCEP sends the request again, but OpenCA detects that the request is already present in the database, so OpenCA reports a successful submission of the request and the first poll of SSCEP ends with the delivery of the new certificate. If you now think that this is a good program for implementing a batch process to generate smartcards etc., then you are right (but OpenCA has batch processors too) :)
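As an added example (not part of the OpenCA guide or of the SSCEP distribution), a small Python checker that parses the sscep.conf format shown in Example 6.1 and flags the two pitfalls this section mentions: a CACertFile that getca wrote as ca.crt-0-0 instead of ca.crt-0, and a PollInterval below the ten minutes a CA admin expects. The sample configuration and the exists hook are constructed for the example; the key names are those of Example 6.1.

```python
import os
import re

# Constructed sample mirroring Example 6.1 above (not a file shipped with sscep)
SAMPLE_CONF = """\
# URL of the SCEP server.
URL http://scep.pki.openca.org/cgi-bin/scep/scep
CACertFile ./ca.crt-0
PrivateKeyFile ./local.key
CertReqFile ./local.csr
LocalCertFile ./local.crt
PollInterval 60
MaxPollTime 28800
"""

# Keys sscep needs for the getca and enroll operations described above
REQUIRED_KEYS = ("URL", "CACertFile", "PrivateKeyFile", "CertReqFile", "LocalCertFile")
# The guide asks clients not to poll OpenCA more often than every ten minutes
MIN_POLL_INTERVAL = 600

def parse_sscep_conf(text):
    """Parse sscep.conf: one 'Key value' per line, '#' starts a comment."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'Key value', got {raw!r}")
        conf[parts[0]] = parts[1].strip()
    return conf

def check_sscep_conf(conf, exists=os.path.exists):
    """Return problems a CA admin would want fixed before the enrollment starts."""
    problems = [f"missing {k}" for k in REQUIRED_KEYS if k not in conf]
    url = conf.get("URL", "")
    if not re.match(r"^https?://[^/\s]+/", url):
        problems.append(f"URL does not look like an http(s) SCEP URL: {url!r}")
    ca = conf.get("CACertFile")
    if ca and not exists(ca):
        # getca sometimes writes the SCEP certificate as ca.crt-0-0, not ca.crt-0
        hint = f" (did you mean {ca}-0?)" if exists(ca + "-0") else ""
        problems.append(f"CACertFile {ca} not found{hint}")
    interval = conf.get("PollInterval", "0")
    interval = int(interval) if interval.isdigit() else 0
    if interval < MIN_POLL_INTERVAL:
        problems.append(f"PollInterval {interval}s is below the recommended {MIN_POLL_INTERVAL}s")
    return problems
```

Run check_sscep_conf(parse_sscep_conf(open("sscep.conf").read())) before sscep enroll; with the sample above it reports the 60 second PollInterval and, if only ca.crt-0-0 exists on disk, the CACertFile name.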
OpenCA's SCEP service has been tested with the NetScreen NS-208. NetScreen's SCEP implementation sends SCEP messages in base64 but without any newlines. OpenCA can now handle this too.
First you have to install the complete CA chain. Go to objects and then to certificates. Here you must set the option Show to CA. Now you can upload the CA certificates via browse and load.
After you have uploaded the complete chain, go to the end user CA and click on Server Settings. The interface is a little bit misleading because it displays the issuer, and in this field you find the link to configure the CA. RA CGI and CA CGI must be set to OpenCA's SCEP interface. The address is something like http://scep.mypki.org/cgi-bin/scep/scep. If you want to be thorough, check that the advanced settings are correct for your environment. It is recommended to set the field Certificate Renew to at least seven days. Finally click on OK to save the settings. This can take some time.
Now it's time to make the request. Change Show from CA to Local and click on New. Enter all required information and choose a key length of at least 1024 bit; smaller key lengths are a security risk. When you have finished, click Generate to create the key and request. Due to the slow hardware this can take some time. When you see the request, select the checkboxes Automatically enroll to and Existing CA server settings. Select the appropriate CA which you configured for SCEP and click on OK. This will submit the request.
Once the certificate has been issued, go to the web interface of your NetScreen box. Go to objects and then to certificates. Here you must set the option Show to Local. Click on Retrieve to fetch the certificate.
SCEP compliance with OpenCA was tested with F-Secure Management Agent 5.02 (FSMA) and F-Secure VPN+ 5.43 (Gateway and Client).
If you want to use SCEP with VPN+, you must set the appropriate policy in FSMA. Go to /Settings/Certificate Handling/Enrollment/Active protocol. There you can choose which enrollment protocol you need. Simply click on SCEP to activate SCEP.
The value should look like http://scep.mypki.org/cgi-bin/scep/scep. This is the default SCEP gateway of OpenCA.
This parameter is not used by OpenCA. You can ignore it.
We don't use the challenge password today, so you can ignore it too.
The RA interface of OpenCA allows editing of all parameters of the request except the public key, so it is not important to select the right option here. Nevertheless it is recommended to use Only in SubjectAltName extension because this avoids duplication of data in the subject of the request (the distinguished name). VPN+ adds the VPN+ identity via the common name to the subject, and this usually duplicates the entries in the DN. The recommended option lets VPN+ create a CSR which has the identity in the subject (DN) and attributes like email address, IP address and DNS name in the subject alternative name.
That's all of the SCEP-specific stuff in VPN+. You can also read this description with some more details in F-Secure's documentation. You can find some docs on your CD-ROMs and some old docs online at F-Secure.com.
Most OpenCA SCEP users are using PIX, but nobody has written good documentation until now :( We can only note that it is sometimes necessary to create a new role which only includes the extension for the Netscape certificate type. It looks like the PIX is somehow sensitive to special extensions.
Please note that the PIX has one major problem: it cannot scale for large installations. This does not mean that there is not enough performance, but the box can only handle one CA. This means that if you have to replace your old CA by a new one, then the trust for all old certs breaks immediately. It is not possible to operate with two CAs at the same time. If you have a large company with thousands of employees, it is nearly impossible to replace all user certs at one time.
Timestamp: 2004-May-17