8. SCEP

SCEP (Simple Certificate Enrollment Protocol) is the successor of CEP, the Certificate Enrollment Protocol. Both protocols were developed by Cisco. The idea is to have a simple but secure protocol for enrolling certificates and retrieving CRLs. Today many network components use SCEP to manage their certificates and CRLs, among them switches, routers, firewalls and VPN software.

OpenCA supports SCEP via its own web interface. The interface is called scep and you can install it via "make install-scep". After the installation you only have to configure the file OPENCADIR/etc/servers/scep.conf, or you edit OPENCADIR/etc/config.xml before you run OPENCADIR/etc/configure_etc.sh. Remember to restrict access to the interface by client IP address in the web server configuration, because the interface itself performs no authentication of SCEP clients; IP filtering is a coarse control, so keep the allowed address ranges as small as possible. A SCEP client connects to the interface via http://your_host/cgi-bin/scep/scep.

Note

Cisco only supports CA and end entity certificates with a key size of at most 2048 bits. This means that the key size of your CA certificate cannot exceed 2048 bits if you want Cisco equipment to enroll via SCEP.

8.1. OPENCADIR/etc/servers/scep.conf

This file contains the following parameters:
ScepRAKey

This is the PEM encoded private key of the SCEP interface (the RA key). It has the same format as the key file used by mod_ssl (SSLCertificateKeyFile).

ScepRACert

This is the PEM encoded certificate of the SCEP interface (the RA certificate). It has the same format as the certificate file used by mod_ssl (SSLCertificateFile).

ScepRAPasswd

This is the passphrase for the private key of the SCEP interface. If you use an unencrypted private key (which is not recommended), set an empty string here. Because the passphrase is stored in the clear, scep.conf must be readable only by the web server user.

8.2. OPENCADIR/etc/config.xml

This file contains the following parameters, which OPENCADIR/etc/configure_etc.sh substitutes into scep.conf:
SCEP_RA_KEY

This is the PEM encoded private key of the SCEP interface (the RA key). It has the same format as the key file used by mod_ssl (SSLCertificateKeyFile).

SCEP_RA_CERT

This is the PEM encoded certificate of the SCEP interface (the RA certificate). It has the same format as the certificate file used by mod_ssl (SSLCertificateFile).

SCEP_RA_PASSWD

This is the passphrase for the private key of the SCEP interface. If you use an unencrypted private key (which is not recommended), set an empty string here.
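As an added worked example (not OpenCA's own code or configuration), the shell script below prepares the RA key pair that scep.conf (8.1) and the SCEP_RA_* entries of config.xml (8.2) refer to, writes the three scep.conf parameters, and generates an Apache access-control block that limits the SCEP CGI at http://your_host/cgi-bin/scep/scep to an IP allow-list, which is the only protection the interface has. Assumptions: the 'Parameter "value"' line syntax of scep.conf, the RA certificate location under OPENCADIR/etc/openca/scep/, the example subject name and networks, and the Apache 2.4 "Require ip" syntax. The CA-signed RA certificate has to be produced from the generated CSR separately; openssl is needed only for the key-generation step.

```shell
#!/bin/sh
# Added example, not OpenCA's own code: prepare the RA key that
# OPENCADIR/etc/servers/scep.conf (ScepRAKey/ScepRACert/ScepRAPasswd) points at,
# and restrict the SCEP interface to an IP allow-list at the web server.
# The scep.conf line syntax, the paths under OPENCADIR, the subject name and the
# networks below are assumptions; adapt them to your installation.
set -eu

OPENCADIR=${OPENCADIR:-/usr/local/OpenCA}
WORK=${WORK:-$(mktemp -d)}
RA_KEY="$WORK/scep_ra.key"
RA_CSR="$WORK/scep_ra.csr"
RA_CERT="$OPENCADIR/etc/openca/scep/ra.pem"   # assumed location of the CA-signed RA cert
RA_PASS="${SCEP_RA_PASS:-change-me}"          # passphrase the RA key is encrypted with

# 1. Encrypted 2048-bit RSA key (no larger: Cisco clients reject keys above
#    2048 bits, see the note above) plus a CSR for the OpenCA CA to sign.
gen_ra_key() {
  openssl genrsa -aes256 -passout "pass:$RA_PASS" -out "$RA_KEY" 2048 2>/dev/null
  openssl req -new -key "$RA_KEY" -passin "pass:$RA_PASS" \
    -subj "/CN=scep-ra.example.net" -out "$RA_CSR" 2>/dev/null
}

# 2. Tell an encrypted PEM key ("Proc-Type: 4,ENCRYPTED" or an
#    "ENCRYPTED PRIVATE KEY" block) from a plaintext one; prints which it is.
key_protection() {
  if grep -q ENCRYPTED "$1"; then echo encrypted; else echo plaintext; fi
}

# 3. The three scep.conf parameters. ScepRAPasswd is the empty string only
#    when the key is unencrypted, which the page advises against.
scep_conf() {  # $1 = key file, $2 = cert file, $3 = passphrase
  printf 'ScepRAKey    "%s"\nScepRACert   "%s"\nScepRAPasswd "%s"\n' "$1" "$2" "$3"
}

# 4. Apache 2.4 access control for the SCEP CGI: only the listed networks may
#    reach /cgi-bin/scep, since the interface itself authenticates nobody.
scep_location() {  # $@ = allowed CIDRs
  echo '<Location "/cgi-bin/scep">'
  for net in "$@"; do echo "    Require ip $net"; done
  echo '</Location>'
}

if command -v openssl >/dev/null 2>&1; then
  gen_ra_key
  [ "$(key_protection "$RA_KEY")" = encrypted ] || { echo "RA key is not encrypted" >&2; exit 1; }
  scep_conf "$RA_KEY" "$RA_CERT" "$RA_PASS" > "$WORK/scep.conf"
  chmod 600 "$WORK/scep.conf"   # the passphrase is stored in the clear
  scep_location 10.0.0.0/8 192.0.2.0/24 > "$WORK/scep-access.conf"
  echo "wrote $WORK/scep.conf and $WORK/scep-access.conf; have the CA sign $RA_CSR"
fi
```

Set SCEP_RA_PASS before running. The generated scep.conf is chmod 600 because ScepRAPasswd holds the passphrase in the clear; install it with ownership of the web server user, include scep-access.conf in the Apache configuration, and put the CA-signed certificate at the ScepRACert path before starting the interface.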