MTG SCEP Server

Introduction

This page describes the basic functions of the MTG SCEP Server, an implementation of an SCEP Server according to [RFC8894] and its integration with MTG-CLM.

MTG-CLM integration

To enable integration with MTG-CLM, the MTG SCEP Server uses the credentials of an API client. First create a new API client. Acquire the secret and the provider ID of the client and configure them according to SCEP Configuration.

Additionally, the MTG SCEP Server uses a Policy to handle certificate management. A policy in MTG-CLM specifies the methods and mechanisms on how certificates are created. It identifies the CA that will issue the certificate, the template which is used, and it also may contain additional restrictions and configurations for the certificate lifecycle.

Authorization

Certificate-based authorization

A SCEP client may request a certificate from the server, if it already has a certificate from MTG-CLM. In this case it should sign the CMS container with the private key corresponding to a certificate issued by MTG-CLM.

Password-based authorization

A SCEP client should set the challengePassword attribute in the PKCS10 request. In order to be authorized to access the MTG SCEP Server, the challenge password should be the UUID of the End-entity, followed by the character :, followed by the password of the end-entity.

For example, the end-entity with UUID ba4a0995-5fba-49c7-bc8a-55a61bd423d4 and password Vw1okwIDjt'|Lcr7 should use the following value as challengePassword: ba4a0995-5fba-49c7-bc8a-55a61bd423d4:Vw1okwIDjt'|Lcr7.

If the challengePassword attribute is set in the PKCS10 request, then the certificate-based authorization for this request is deactivated.

Static-Password-based authorization

A SCEP client should set the challengePassword attribute in the PKCS10 request to the static password configured in the application.properties file of the MTG SCEP Server. When this option is activated, all other authorization methods are inactive and all SCEP clients must use this method.

Use this option with caution: any SCEP client can create an arbitrary end-entity and request certificates for other end-entities.
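The three authorization rules above, written out as a decision function. This is an added illustration, not MTG code: the function and class names are hypothetical, and the check of the password itself against MTG-CLM is not modelled.

```python
"""Model of the MTG SCEP Server authorization rules (added illustration,
not MTG code; names are hypothetical)."""
import uuid
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Authz:
    method: str                       # "static", "password" or "certificate"
    end_entity: Optional[str] = None  # end-entity UUID for password-based auth


def parse_challenge_password(value: str) -> tuple[str, str]:
    """Split '<end-entity UUID>:<password>' into its two parts.

    A UUID never contains ':', so only the first ':' separates the fields;
    the password itself may contain further colons (e.g. "a:b").
    """
    ee, sep, password = value.partition(":")
    if not sep or not password:
        raise ValueError("challengePassword must be '<UUID>:<password>'")
    try:
        canonical = str(uuid.UUID(ee))
    except ValueError:
        raise ValueError("challengePassword does not start with a valid UUID") from None
    return canonical, password


def resolve_authorization(challenge_password: Optional[str],
                          signed_by_clm_cert: bool,
                          static_password: Optional[str] = None) -> Authz:
    """Decide which authorization method applies to one PKCS#10 request."""
    if static_password is not None:
        # Static-password mode deactivates every other method for all clients.
        # Note that it binds the request to no end-entity at all.
        if challenge_password != static_password:
            raise PermissionError("static challengePassword mismatch")
        return Authz("static")
    if challenge_password is not None:
        # A present challengePassword switches certificate-based auth off,
        # even when the CMS container carries a valid MTG-CLM signature.
        ee, _password = parse_challenge_password(challenge_password)
        return Authz("password", ee)
    if signed_by_clm_cert:
        return Authz("certificate")
    raise PermissionError("no usable authorization material in request")
```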

Defining default policy

API clients are optionally associated with a default policy. The MTG SCEP Server uses, by default, the default policy of the associated API client to handle certificate management. In case the API client is not associated with a default policy and the client does not specify a different policy in the request (see Different policies endpoints), the MTG SCEP Server responds with an invalid identifier error.

Defining different policy

The MTG SCEP Server supports specifying a different policy as the policy to be used instead of the API client’s default policy. The ID of this new policy has to be used in the requests towards MTG SCEP Server as described in Different policies endpoints.

Quickstart

In order to request a certificate over SCEP (assuming a newly installed MTG-CLM and MTG SCEP Server), the following steps must be performed:

  1. Create a realm R.

  2. Create a policy P in realm R.

  3. Create an API client A in realm R with policy P as default policy.

  4. Create an end-entity E in realm R.

  5. Create a certificate C for end-entity E using policy P.

  6. Download private key K corresponding to certificate C.

  7. Configure credentials of API client A to MTG SCEP Server.

  8. Start MTG SCEP Server.

  9. Send a RenewalReq (see Section 3.3.1 of [RFC8894]) with an SCEP client by signing the CMS container with private key K, placing certificate C in the CMS container, and creating a new PKCS10 request with a new key pair.

Custom features

Different policies endpoints

By default, the MTG SCEP Server offers the following endpoint:

  • SCEP_SERVER_BASE_URL/scep

Client requests to this endpoint use the default policy.

The MTG SCEP Server provides supplementary endpoints to support requests that require a different policy. Requests towards these endpoints specify the policy to use, rather than the default policy of the associated API client. These are the different-policy endpoints:

  • SCEP_SERVER_BASE_URL/<identifier>/scep

  • SCEP_SERVER_BASE_URL/scep/<identifier>

The <identifier> needs to be replaced with a valid policy ID. For example, to request a certificate that is issued under the policy ffc0d281-f9df-45cd-a30d-1881cd67012a use the URL: SCEP_SERVER_BASE_URL/ffc0d281-f9df-45cd-a30d-1881cd67012a/scep.
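Resolving the policy selected by the three endpoint shapes above, including the "invalid identifier" case of the Defining default policy section. This is an added illustration, not MTG code; the function name is hypothetical, and it assumes SCEP_SERVER_BASE_URL carries no path prefix of its own.

```python
"""Resolve which MTG-CLM policy a SCEP request URL selects (added
illustration, not MTG code; the function name is hypothetical)."""
import uuid
from typing import Optional
from urllib.parse import urlsplit


def policy_for_url(request_url: str, default_policy: Optional[str]) -> str:
    """Return the policy ID selected by one of the three endpoint shapes:

      /scep                 -> API client's default policy
      /<identifier>/scep    -> policy <identifier>
      /scep/<identifier>    -> policy <identifier>

    Raises ValueError (the server's 'invalid identifier' case) when the path
    is none of these, the identifier is not a UUID, or no default exists.
    Assumes the base URL has no path prefix; the query string is ignored.
    """
    segments = [s for s in urlsplit(request_url).path.split("/") if s]
    if segments == ["scep"]:
        if default_policy is None:
            raise ValueError("invalid identifier: API client has no default policy")
        return default_policy
    if len(segments) == 2 and "scep" in segments:
        identifier = segments[1] if segments[0] == "scep" else segments[0]
        try:
            return str(uuid.UUID(identifier))
        except ValueError:
            raise ValueError(f"invalid identifier: {identifier!r}") from None
    raise ValueError(f"not a SCEP endpoint: {request_url}")
```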

Device type specific SCEP-Handling

The default SCEP-SuccessResponse, which is generated after issuance of the EE-Cert, is not accepted by Juniper JunOS/ScreenOS devices, resulting in a local processing failure and preventing the EE-Cert from being installed on the device. The reason for the failure is not obvious and cannot be resolved by the requesting entity. Tests showed that Juniper does not expect a full certificate chain in the SCEP-SuccessResponse and simply fails to verify the EE-Cert signature when the response is not an "EE-Cert-Only" SCEP-SuccessResponse.

To support Juniper devices, the scep.response.include.cachain flag (default true) has been added in the application.properties of the MTG SCEP Server. When this option is set to false, the CA-Chain is excluded and an "EE-Cert-Only" SCEP-SuccessResponse is generated.

The scep.response.include.cachain flag affects all SCEP-Clients.

To support devices that require only the CA certificate of the CA that signs the end-entity, the scep.getcacert.include.cachain.onmessage flag (default true) has been added in the application.properties of the MTG SCEP Server. When this option is set to false, the CA-Chain is excluded and only the signing CA certificate is placed in the GetCACert response.

The scep.getcacert.include.cachain.onmessage flag affects all SCEP-Clients.

Usage

The MTG SCEP Server can be used by all clients that are compliant with the [RFC8894] protocol. A SCEP client connects to the IP address of the MTG SCEP Server and the port on which it is running.

Get capabilities of the MTG SCEP Server shows a request to get the capabilities of the MTG SCEP Server.

Get capabilities of the MTG SCEP Server
curl -X GET "https://<serverHost>:8507/scep?operation=GetCACaps"

Download of CA certificate shows a request to receive the CA certificate configured in the MTG SCEP Server.

Download of CA certificate
curl -X GET "https://<serverHost>:8507/scep?operation=GetCACert" -o cacert.pem

To receive the full CA certificate chain configured in the MTG SCEP Server, the SCEP message=<CaName> parameter must be added as shown in Download of CA certificate chain.

Download of CA certificate chain
curl -X GET "https://<serverHost>:8507/scep?operation=GetCACert&message=MyCaName" -o cacertchain.p7

All other SCEP operations are transferred as shown in SCEP PKI-Operations.
Note: SCEP PKI-Operations may also use the HTTP POST operation.

SCEP PKI-Operations
curl -X GET "https://<serverHost>:8507/scep?operation=PKIOperation&message=<...pkiMessage.(Base64)...>" -o scep.resp.p7

The MTG SCEP Server also supports the processing of a RenewalReq, which can be sent using, for example, the jscep [jscep] client.

References