-
Notifications
You must be signed in to change notification settings - Fork 139
Configuring SCEP Responder
This page describes the process to configure SCEP responder in CA.
For older versions see:
The profile used by the SCEP responder is configured in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg:
profile.list=...,caRouterCert,... profile.caRouterCert.class_id=caEnrollImpl profile.caRouterCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caRouterCert.cfg
By default it uses the caRouterCert
profile in /var/lib/pki/pki-tomcat/ca/profiles/ca/caRouterCert.cfg:
auth.instance_id=flatFileAuth
Disable deferOnFailure
in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
:
auths.instance.flatFileAuth.deferOnFailure=false
Edit /var/lib/pki/pki-tomcat/ca/conf/flatfile.txt
to enter the client’s IP address and password:
UID:<IP address> PWD:<password> UID:<IP address> PWD:<password> ...
Note: the <IP address> can be either ipv4 or ipv6. It is important to use the one identifying the client connection. This is related to the server host and DNS configuration.
The SCEP configuration is stored in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
:
ca.scep.enable=false ca.scep.hashAlgorithm=SHA256 ca.scep.allowedHashAlgorithms=SHA256,SHA512 ca.scep.encryptionAlgorithm=DES3 ca.scep.allowedEncryptionAlgorithms=DES3 ca.scep.nonceSizeLimit=16
To enable the SCEP responder:
ca.scep.enable=true
Then restart the server:
$ systemctl restart [email protected]
The client can access the SCEP responder at http://pki.example.com:8080/ca/cgi-bin/pkiclient.exe.
In PKI 10.11 or later the SCEP responder allows the client to specify the profile to be used for issuing the certificate.
The list of allowed profiles can be configured in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
:
ca.scep.allowedDynamicProfileIds=<comma-separated list of profiles>
The client can access the SCEP responder at http://pki.example.com:8080/ca/scep/<profile>/pkiclient.exe.
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |