Collect a certificate using SCEP

There are plenty of clients out there which use the Simple Certificate Enrollment Protocol to automate the enrollment of certificates. CISCO routers are one example, but it's also popular with Mobile Device Management software. Even iOS devices can talk SCEP.

PKI Cloud uses EJBCA's SCEP server, so let's try using this protocol to get a new certificate.
We'll use a free jscep client called jscep-cli-jdk6 (while using Oracle JDK 8).

Create a new certificate holder as described here, but make sure the Token Type is 'User Generated'.
We're making a certificate for the server ''.

Now let's build our client and get our certificate!

Check our Java Version.
 java -version  
java version "1.8.0_112"
Java(TM) SE Runtime Environment (build 1.8.0_112-b15)
Java HotSpot(TM) 64-Bit Server VM (build 25.112-b15, mixed mode)

Build the jscep client.
 git clone  
 cd jscep-cli-jdk6  
 mvn assembly:assembly  

Make a new key and certificate request with OpenSSL.

 openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out req.pem -subj "/"  
Now use the SCEP client to send the certificate request and collect its certificate. Note the --dn argument refers to the user ID of the certificate holder, not the DN of the certificate request.
The --challenge option is the certificate holder's 'Enrollment code'.

  java -jar target/jscepcli-1.1-SNAPSHOT-exe.jar --ca-identifier "CN=James CA, O=James M, C=US" --challenge 1234 --csr-file req.pem --dn "CN=jamesca_scep" --key-file key.pem --url --algorithm SHA256    
Received 1 CA certificate(s).
Received response containing 2 certificate(s).
Certificate issued

Have a look at your new certificate.
  openssl x509 -in cert.pem -text   
        Version: 3 (0x2)
        Serial Number: 7343275386142428829 (0x65e88e0eaee38e9d)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=James M, CN=James CA

If you want to issue the certificate again, go to your certificate holder's settings and click the 're-issue' link next to their enrollment status. A user's status has to be 'New' or the SCEP client will not be permitted to enroll a new certificate.

Automate keystore generation using the PKI Cloud API

Let's generate a PKCS#12 (PFX) keystore using Curl commands!

After creating a free account, generating a CA and an API key, we will go to the Swagger page to test our key.

We're going to be using the /ca endpoint.

Enter your key in the Authorization field, using "Bearer <key>"

Click 'Try it out!' and see your response.


curl -X GET --header 'Accept: application/json' --header 'Authorization: Bearer eyAidHlwIjogIkpXVCIsICJhbGciOiAiUlMyNTYiIH0.eyAiYXV0aF90aW1lIjogMTQ4MDEwNzEyMSwgImV4cCI6IDE0ODAxMzExMjEsICJzdWIiOiAiamFtZXNtIiwgImF1ZCI6IFsgImNhYXBpIiBdLCAiaXNzIjogInRlc3RjYSIsICJpYXQiOiAxNDgwMTA3MTIxLCAianRpIjogIjEyMzNjMTQyLWFiNmUtNGY0NS05YjRjgfQ.PBzMWZvPKlQ2eniokxWwgnVRBa0oh8A8qRzECuZbmRKytYJ6hUUewIAHs7yHaMPutJNx5SbPo1cBlFF36_BURsvPU' ''

Request URL

Response Body

    "id": 1069394785,
    "name": "CN=James CA, O=James M, C=US"

Response Code


Now generate a new user for your CA. We'll just use Curl this time.
The user (certificate holder) has the ID 'jamesca_demo2' with (one time) password '1234'.
The certificate type is 'SSL Server'.

curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'Authorization: Bearer eyAidHlwIjogIkpXVCIsICJhbGciOiAiUlMyNTYiIH0.eyAiYXV0aF90aW1lIjogMTQ4MDEwNzEyMSwgImV4cCI6IDE0ODAxMzExMjEsICJzdWIiOiAiamFtZXNtIiwgImF1ZCI6IFsgImNhYXBpIiBdLCAiaXNzIjogInRlc3RjYSIsICJpYXQiOiAxNDgwMTA3MTIxLCAianRpIjogIjEyMzNjMTQyLWFiNmUtNGY0NS05YjRjLTM2YThniokxWwgn' -d '{
  "caName": "CN=James CA, O=James M, C=US",
  "endEntityProfileName": "SSL Server",
  "certificateProfileName": "SSL Server",
  "keyRecoverable": true,
  "password": "abcd",
  "subjectDN": ",O=JamesM,C=US",
  "tokenType": "P12",
  "username": "jamesca_demo2"
}' ''

Use the user ID and password to get the keystore, saving the response in jamesca_demo2.p12.

curl -X POST --header 'Content-Type: application/x-www-form-urlencoded' --header 'Accept: application/octet-stream' -d 'password=1234&username=jamesca_demo2' '' > jamesca_demo2.p12

Check the contents of your new keystore.

$ keytool -v -list -keystore jamesca_demo2.p12 -storetype PKCS12

$ openssl pkcs12 -in jamesca_demo2.p12

Generate an API key

Automate user and keystore management with an API key. How to make your key.

First, click on the link in the top right to navigate to the API page.

Then view your keys.

Click on the create button to generate a new one.

Finally, click on the token (or the icon) to copy the token to the clipboard.

Now you have a key, try it out!

Create your first CA and user keystore

The first steps after creating a new account.

After creating your account and logging in, click the 'New CA' button.

Fill in the fields as you like and click create.

Your CA will appear in the list.

End-user or server certificates are given to users. Click on the icons to add or list the users associated with your CA. Click add, fill in the fields and then save.

If you select your new user and click 'New User Keystore' your browser will save a keystore with the type selected in 'Token Type'. By default, PKCS12.

Use the password to access your new keystore.

$ keytool -v -list -keystore jamesca_demo.p12 -storetype PKCS12

$ openssl pkcs12 -in jamesca_demo.p12

How to create a new account at PKI Cloud

PKI Cloud runs a free "PKI as a service" test system for creating and managing certificate authorities, end users and their certificates. Here's how to try it out.

Go to the registration page and complete the reCAPTCHA.

Enter a username and password. You don't need to enter any other details if you don't want to.

You should see your account has been successfully registered.

Go to the login page and sign in.

That's it! Now make your first CA and add some users.