Collect a certificate using SCEP

There are plenty of clients out there which use the Simple Certificate Enrollment Protocol (SCEP) to automate the enrollment of certificates. Cisco routers are one example, but it's also popular with Mobile Device Management software, and even iOS devices can talk SCEP.


PKI Cloud uses EJBCA's SCEP server, so let's try using this protocol to get a new certificate.
We'll use the free, open-source jscep-cli-jdk6 client, built and run here with Oracle JDK 8.

Create a new certificate holder as described here, but make sure the Token Type is 'User Generated'. 'User Generated' means the key pair is created on the client and only a certificate request is sent to the CA, so the private key never leaves the machine that will use it.
We're making a certificate for the server 'james.example.com'.




Now let's build our client and get our certificate!

Check our Java version.
 java -version
java version "1.8.0_112"
Java(TM) SE Runtime Environment (build 1.8.0_112-b15)
Java HotSpot(TM) 64-Bit Server VM (build 25.112-b15, mixed mode)

Build the jscep client (Maven produces the runnable JAR under target/).
 git clone https://github.com/asyd/jscep-cli-jdk6.git
 cd jscep-cli-jdk6
 mvn assembly:assembly




Make a new key and certificate request with OpenSSL. The -nodes option leaves the private key unencrypted so the client can read it without a passphrase; protect key.pem with file permissions accordingly.

 openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out req.pem -subj "/CN=james.example.com"

Now use the SCEP client to send the certificate request and collect its certificate. Note the --dn argument refers to the user ID (EJBCA end entity username) of the certificate holder, written in DN form; it is not the subject DN of the certificate request, which is what ends up in the issued certificate.
The --challenge option is the certificate holder's 'Enrollment code'. Treat it as a one-time password: it is consumed by a successful enrollment (see the note on re-issuing below) and anyone who knows it can enroll a certificate for that user.


 java -jar target/jscepcli-1.1-SNAPSHOT-exe.jar --ca-identifier "CN=James CA, O=James M, C=US" --challenge 1234 --csr-file req.pem --dn "CN=jamesca_scep" --key-file key.pem --url https://testca.pkicloud.com/testca/scep/pkiclient.exe --algorithm SHA256
Received 1 CA certificate(s).
Received response containing 2 certificate(s).
Certificate issued

Have a look at your new certificate (-noout suppresses the PEM block so only the decoded fields are printed). Check that the Issuer is the CA you expected and that the Subject matches the CSR.
 openssl x509 -in cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7343275386142428829 (0x65e88e0eaee38e9d)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=James M, CN=James CA
        Subject: CN=james.example.com


If you want to issue the certificate again, go to your certificate holder's settings and click the 're-issue' link next to their enrollment status. A user's status has to be 'New' or the SCEP client will not be permitted to enroll a new certificate.
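The whole procedure as one shell script, added here as an example; it is not code from the original post or from the jscep project. enrol_with_scep just wraps the post's own jscep-cli invocation and needs the CA to be reachable. The other functions use only openssl and add the checks worth running on what comes back: record the fingerprint of the CA certificate the client received so it can be compared with the value the CA operator publishes, confirm the issued certificate carries the public key of your private key, confirm it chains to that CA, and confirm the subject survived the CA's certificate profile. fake_ca_issue is a constructed stand-in for the SCEP server so the checks can be exercised offline; file names and the throwaway CA's subject are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or the jscep project):
# generate the key and CSR the way the post does, then run the checks a
# practitioner wants on the certificate the SCEP server hands back.
set -eu

# Key and CSR exactly as in the post: 2048-bit RSA, no passphrase, CN only.
make_csr() {                        # make_csr KEY CSR CN
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -subj "/CN=$3" 2>/dev/null
}

# The enrollment itself (network). JAR path, CA identifier and URL are the
# post's; USERNAME is the EJBCA end entity name, CODE its enrollment code.
enrol_with_scep() {                 # enrol_with_scep CSR KEY USERNAME CODE
    java -jar target/jscepcli-1.1-SNAPSHOT-exe.jar \
        --ca-identifier "CN=James CA, O=James M, C=US" \
        --challenge "$4" --csr-file "$1" --dn "CN=$3" --key-file "$2" \
        --url https://testca.pkicloud.com/testca/scep/pkiclient.exe \
        --algorithm SHA256
}

# SHA-256 fingerprint of the CA certificate the client received. Compare it
# out of band with the fingerprint the CA operator publishes before trusting
# anything signed by it; SCEP itself gives you no stronger guarantee.
ca_fingerprint() {                  # ca_fingerprint CA_CERT
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Does the issued certificate carry the public key of our private key?
# Both sides are compared as a digest of the DER-encoded SubjectPublicKeyInfo.
cert_matches_key() {                # cert_matches_key CERT KEY
    c=$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# Does the issued certificate chain to the CA certificate we pinned above?
cert_chains_to_ca() {               # cert_chains_to_ca CERT CA_CERT
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Subject as issued, to confirm the CA honoured the CSR's subject
# (a certificate profile may rewrite or add to it).
issued_subject() {                  # issued_subject CERT
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//'
}

# Constructed stand-in for the SCEP server: a throwaway one-day CA that signs
# the CSR, so the checks above can be exercised offline. Not part of the post.
fake_ca_issue() {                   # fake_ca_issue CSR CA_KEY CA_CERT CERT
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2" -out "$3" \
        -days 1 -subj "/C=US/O=James M/CN=James CA" 2>/dev/null
    openssl x509 -req -in "$1" -CA "$3" -CAkey "$2" -CAcreateserial \
        -out "$4" -days 1 -sha256 2>/dev/null
}

# Offline walk-through of the checks using the stand-in CA.
run_demo() {
    d=$(mktemp -d)
    make_csr "$d/key.pem" "$d/req.pem" james.example.com
    fake_ca_issue "$d/req.pem" "$d/ca.key" "$d/ca.pem" "$d/cert.pem"
    echo "CA fingerprint: $(ca_fingerprint "$d/ca.pem")"
    cert_matches_key "$d/cert.pem" "$d/key.pem" && echo "key matches"
    cert_chains_to_ca "$d/cert.pem" "$d/ca.pem" && echo "chains to CA"
    echo "issued subject: $(issued_subject "$d/cert.pem")"
    rm -rf "$d"
}
```

Against the real CA, replace the fake_ca_issue step with enrol_with_scep req.pem key.pem jamesca_scep 1234 and point the checks at the cert.pem and CA certificate the client wrote out. cert_matches_key is the check that catches a mixed-up key file or a CA that issued for a different request; cert_chains_to_ca fails for a certificate signed by an intermediate the client did not receive, which is worth knowing before the certificate is installed on a server.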


