Skip to content

SCEP

SeaCat PKI supports SCEP aka Simple Certificate Enrolment Protocol.

Configuration

Establish the SCEP-capable X.509 Certificate Authority.

  1. Introduce a new tenant

    in etc/seacatpki.conf:

    [tenants]
ids=TENANT_ROOT_CA

    Note: The tenant name (e.g. "TENANT_ROOT_CA") is arbitrary.

  2. Specify a SeaCat PKI API base URL

    export ROOT_CA_URL=http://localhost:8080/TENANT_ROOT_CA

  3. Generate CA private key, RSA 4098 (or more).

    openssl genrsa -out ca-private-key.pem 4096

  4. Configure tenant and a CA private key in the PKI

    in seacatpki.conf:

    [tenants]
ids=TENANT_ROOT_CA

[seacatpki:x509:ca:scep-tenant]
# A standard X.509 Certificate Authority configuration
ca_key=scep-ca-key

[seacatpki:private_key:scep-ca-key]
keyfile=${THIS_DIR}/ca-private-key.pem
tenants=TENANT_ROOT_CA

  5. Restart a SeaCat PKI

  6. Generate a Root CA self-signed certificate

    Use template rootca.json and adjust mainly the subject name.

    curl -X PUT "${ROOT_CA_URL}/x509/self-signed" \
--header 'Content-Type: application/json' \
-d @rootca.json

    Note the pbid of the CA Certificate for a later use.

  7. Finalize the the SeaCat PKI configuration

    in seacatpki.conf:

    [tenants]
ids=scep-tenant

[seacatpki:x509:ca:scep-tenant]
# A standard X.509 Certificate Authority configuration
ca_key=scep-ca-key
ca_cert=scep-tenant:4fec087429f00360e314894c79f4d6d59405b131624ce70fccb44154641084a743b855d8c5f230ec69f74e04475e5056

# This enables use of SCEP
scep=yes

[seacatpki:private_key:scep-ca-key]
keyfile=${THIS_DIR}/ca-private-key.pem
tenants=scep-tenant

  8. Restart the SeaCat PKI

  9. SCEP enabled X.509 CA is ready for use.

Resources

Certificate Enrolment/Renewal

Certificate Enrolment procedure

Client C (aka sscep)
Certification Authority CA (aka SeaCat PKI)

  1. C generates private/public key pair
  2. C generates CSR (aka Certificate Signing Request, PKCS#10)
  3. Add attributes
  4. Add a public key
  5. Sign CSR by private key (Proof-of-Possession or PoP)
  6. C submits CSR to CA over SCEP (request is in the PKCS#7 aka CMS format)
  7. CA accepts CSR (over SCEP interface, including PKCS# verifications)
  8. CA verifies CSR
  9. CA stores CSR into a storage
  10. At this moment CA can decide that the approval will be delayed and returns PENDING to the C. The process can be resumed here. C has to periodically check the status of the enrollment with CA.
  11. CA approves CSR and this step implicitly creates a client certificate
  12. Add selected attributes from CSR
  13. Add a public key from CSR
  14. Sign a new certificate by its CA private key
  15. CA stores a new client certificate in a storage
  16. C retrieves this client certificate from CA (over SCEP)
  17. C stores the client certificate on the local drive

Note: Renewal process is similar to the enrolment.

Tool sscep

SSCEP is a command line client for the SCEP protocol.
It can be used as a client to SeaCat PKI.

  1. Configure SeaCat PKI SCEP entry point.

    % export SCEP_URL="http://example.com/scep-tenant/scep"

  2. Get CA Certificate

    % sscep getca -c ca.cert -u ${SCEP_URL}

    Stores the CA certiticate into ca.cert file.

  3. Prepare CSR

    % openssl req -newkey rsa:2048 -sha256 -nodes -out local.csr -keyout local.key -subj "/C=GB/L=London/O=TeskaLabs/OU=SeaCat/CN=example.com"

    This creates local.key and local.csr.

  4. Certificate Enrolment

    % sscep enroll -v -k local.key -r local.csr -c ca.cert -l local.cert -t 2 -u ${SCEP_URL}

  5. Certificate Renewal

    % sscep enroll -v -k local.key -r local.csr -c ca.cert -O local.cert -K local.key -l local.cert -u ${SCEP_URL}

Apple SCEP support

Apple allows to specify a profile for macOS and iOS that contains SCEP specifications allowing automated device enrollment.

Documentation:

SCEP profile

./scep-apple-profile.mobileconfig

The profile is XML file. Apple provides "Apple Configurator 2" tool for managing profiles. The profile can be distributed as a file or downloaded over HTTP(S) with MIME type 'application/x-apple-aspen-config'.