Overview
The Simple Certificate Enrollment Protocol is a PKI communication protocol which leverages existing technology by using PKCS#7 and PKCS#10 over HTTP. SCEP is the evolution of the enrollment protocol developed by VeriSign, Inc. for Cisco Systems, Inc.
Latest Internet Draft
http://tools.ietf.org/html/draft-nourse-scep
Steps
- Requester sends GetCACert message to SCEP URL
- Either the CA or the RA responds with either a single DER-encoded X.509 certificate or a DER-encoded 'degenerate' PKCS#7 SignedData message containing an X.509 certificate chain (CA -> RA)
- Requester checks if CA certificate is trusted by prompting user with message digest of X.509 certificate
- Requester constructs a PKCS#10 certificate signing request (CSR)
- Requester constructs a PKCS#7 EnvelopedData object using the DER-encoded CSR and encrypts the envelope encryption key (DES or Triple-DES) using the message recipient's public key (either the CA, or an RA with a keyEncipherment KeyUsage extension)
- Requester constructs a PKCS#7 SignedData using the DER-encoded EnvelopedData and its certificate, and signs a (MD5, SHA-1, SHA-256 or SHA-512) digest of the data using its RSA private key
- Requester sends the DER-encoded SignedData object in a PKCSReq message to the RA (or CA)
- RA (or CA) opens the SignedData message and extracts the EnvelopedData.
- RA uses its private key to decrypt the EnvelopedData and extracts the PKCS#10 CSR
- RA examines the challengePassword in CSR to authenticate request
- RA sends CSR to CA
- CA generates X.509 certificate from CSR and signs it
- CA sends the signed certificate to the RA
- RA creates a 'degenerate' SignedData and adds the signed certificate
- RA creates an EnvelopedData from the DER-encoded SignedData, encrypting it with the Requester's public key (provided in the SignedData)
- RA creates a SignedData object and signs it using the RA key that carries a digitalSignature KeyUsage extension
- RA sends the message to the Requester
New for the SCEP client to work:
- somehow generate the keys in the keystore differently? key size, algorithm, cipher suite etc.
- once you receive the signed response back, store it differently:
  - generate a PKCS#7 format.
  - or import the cert into the same alias in the keystore.
Programmatic enrollment using Jscep
- EJBCA Scep server URL: http://localhost:8080/ejbca/publicweb/apply/scep/pkiclient.exe
- EJBCA requires the subject name in the certificate (e.g. "CN=Some user") to be defined as a user in the RA database. The user id is the CN and the password is the challengePassword attribute (PKCSObjectIdentifiers.pkcs_9_at_challengePassword) added when constructing the PKCS10CertificationRequest.
- Also, if the certificate is intended for Tomcat, then the following properties should be set in the EJBCA "Add Entity" page under the "Main Certificate Data" section:
  - Certificate Profile: SERVER
  - CA: AdminCA1
  - Token: User Generated
Note: Somehow Jscep has an issue with spaces in the CN and only sends the text before the space to EJBCA while enrolling the cert.
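As an added example (not from the original page or the Jscep project), the enrollment below talks to the EJBCA URL above, carries the entity password as the PKCS#9 challengePassword attribute, and pins the CA certificate returned by GetCACert to a known SHA-256 fingerprint instead of accepting whatever the server sends. It assumes Jscep 2.x and BouncyCastle on the classpath and Java 17+; the fingerprint value is a placeholder and the class and `fingerprintMatches` names are hypothetical.

```java
import java.math.BigInteger;
import java.net.URL;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.DERPrintableString;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.jcajce.*;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.jscep.client.*;
import org.jscep.client.verification.CertificateVerifier;

public class ScepEnroll {
    // Placeholder: hex SHA-256 fingerprint of the AdminCA1 certificate, obtained out of band.
    static final String CA_FINGERPRINT_SHA256 = "<hex SHA-256 of the CA certificate>";

    public static void main(String[] args) throws Exception {
        String challengePassword = args[0];   // EJBCA entity password, passed in rather than hard-coded
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        X500Name subject = new X500Name("CN=someuser");   // no spaces in the CN, see the note above
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate());
        // Self-signed identity certificate: the PKCSReq SignedData must be signed with one.
        X509Certificate identity = new JcaX509CertificateConverter().getCertificate(
            new JcaX509v3CertificateBuilder(subject, BigInteger.ONE, new Date(),
                new Date(System.currentTimeMillis() + 86_400_000L), subject, kp.getPublic()).build(signer));
        // CSR carrying the EJBCA password as the PKCS#9 challengePassword attribute.
        PKCS10CertificationRequest csr = new JcaPKCS10CertificationRequestBuilder(subject, kp.getPublic())
            .addAttribute(PKCSObjectIdentifiers.pkcs_9_at_challengePassword, new DERPrintableString(challengePassword))
            .build(signer);
        // Pin the CA certificate returned by GetCACert instead of accepting whatever the server sends.
        CertificateVerifier verifier = cert -> fingerprintMatches(cert, CA_FINGERPRINT_SHA256);
        Client client = new Client(new URL("http://localhost:8080/ejbca/publicweb/apply/scep/pkiclient.exe"),
            new DefaultCallbackHandler(verifier));
        EnrollmentResponse resp = client.enrol(identity, kp.getPrivate(), csr);
        if (resp.isSuccess()) System.out.println("Issued; certificates in " + resp.getCertStore());
        else if (resp.isPending()) System.out.println("Pending: request awaits approval in EJBCA");
        else System.out.println("Rejected: " + resp.getFailInfo());
    }

    // Compare the SHA-256 digest of the DER encoding against the pinned value; any error means no match.
    static boolean fingerprintMatches(X509Certificate cert, String expectedHex) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            return java.util.HexFormat.of().formatHex(d).equalsIgnoreCase(expectedHex);
        } catch (Exception e) { return false; }
    }
}
```

A pending response means the EJBCA administrator still has to approve the entity; poll with the same transaction rather than re-enrolling with a fresh key.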