Simple Certificate Enrollment Protocol
Abstract
This document provides an overview of the Simple Certificate Enrollment Protocol (SCEP) as implemented in WeOS. It explains the protocol's purpose, lists the supported features and limitations, and describes the enrollment process and the configuration parameters.
A complete example workflow from server configuration to certificate enrollment and renewal is provided in another document: Enrollment of certificate.
Glossary
CA: Certificate Authority. An entity that issues digital certificates.
RA: Registration Authority. An entity that acts as a mediator between the user and the CA, handling requests for digital certificates.
SCEP: Simple Certificate Enrollment Protocol. A protocol for automating certificate enrollment in a PKI environment.
PKI: Public Key Infrastructure. A framework for managing digital certificates and public-key encryption.
CSR: Certificate Signing Request. A request sent from an applicant to a CA to apply for a digital certificate.
CER: Certificate Enrollment Request. The configuration representing a request to enroll a certificate.
Root-CA: The top-level Certificate Authority in a PKI hierarchy.
Intermediate-CA: A subordinate CA that is certified by the Root-CA and can issue certificates to end entities.
NDES: Network Device Enrollment Service. A Microsoft service that implements SCEP.
OpenXPKI: An open-source PKI software that supports SCEP.
SAN: Subject Alternative Name. An extension in X.509 certificates that allows additional identities to be bound to the subject of the certificate.
DN: Distinguished Name. A unique identifier for the subject or issuer of a certificate.
EKU: Extended Key Usage. An extension in X.509 certificates specifying permitted uses of the key.
Introduction
Simple Certificate Enrollment Protocol, or SCEP, described in RFC 8894, is a protocol designed to simplify and automate the process of certificate issuance and management within a Public Key Infrastructure (PKI) environment.
SCEP provides authentication for IoT devices in industrial applications. It facilitates communication between client devices and a Certificate Authority (RA/CA) to automate the issuance of digital certificates. SCEP is popular because it saves time and enables devices to request and renew certificates automatically.
Features
The following features are supported in the WeOS SCEP implementation:
- Automated Certificate Enrollment: The device acts as a SCEP client and receives certificates automatically, reducing administrative overhead by streamlining certificate enrollment.
- Automated Renewal of Certificate: Starts renewal of issued certificates after a predefined threshold is reached.
- Certificate Rollover: Supports Intermediate-CA certificate rollover.
- Integration with Certificate Authorities (CAs): Works with various CA infrastructures. The implementation of the SCEP protocol on this device has been tested with OpenXPKI and Windows NDES. The device supports renewal of certificates using both PKCSReq and RenewalReq messages.
At the end of this documentation, there is a section with links to example setups to follow when setting up the SCEP functionality.
Note
The implementation of SCEP protocol on this device is tested against OpenXPKI and Windows NDES.
Security
It is possible to use a generic (shared) challenge password on the SCEP server; however, it is not recommended, since anyone who learns the shared password can obtain a certificate from the CA. Use a unique challenge password per enrollment request instead.
Limitations
The system has the following limitations:
- The rollover of Root-CA certificates is not supported. Adding a new root certificate will replace the existing one. However, the rollover of Intermediate-CA certificates is supported and is described in the Rollover section below.
Enrollment process
The enrollment process consists of two phases. The first is a manual setup phase where the user configures one or more SCEP servers and certificate enrollment requests. The second phase is automatic, during which certificates are automatically enrolled and renewed.
Manual setup phase
Enrollment of a certificate requires a valid configuration of both the enrollment server and the certificate enrollment request. The setup phase consists of two steps:
- Step 1: Configuration of enrollment servers is done in the Config context:
    example:/#> config
    example:/config/#> pki
    example:/config/pki/#> enroll 1
    example:/config/pki/enroll-server-1/#>
All server parameters are explained here. After applying the configuration, the device tries to download the Root-CA and all Intermediate-CA certificates and stores them in the local CA-store. The server label can be referenced from other parts of the system, including CSR configuration.
- Step 2: Creation of enrollment requests from within the Exec context:
    example:/#> pki
    example:/pki/#> cert
    example:/pki/cert/#> enroll cert1
    example:/pki/cert/enroll-cert1/#>
A Certificate Enrollment Request (CER) includes parameters for the certificate signing request and settings related to enrollment itself. A detailed list of parameters is provided here.
Labels of pending certificates can be referenced when configuring other services (e.g., tunnels), but these services might not be fully functional until the certificate is enrolled.
Automatic enrollment/renewal phase
After a valid request and enrollment server are configured, the device automatically creates a key-pair and periodically requests a certificate from the server at a predefined interval. The device will try to enroll a certificate if it is:
- not already downloaded,
- not rejected,
- and has a valid enrollment server configured.
Typically, the CA administrator has to approve the request before a certificate can be downloaded. Upon successful enrollment, services utilizing certificates (e.g., tunnels) will be reloaded or restarted to transition to the renewed certificate.
When the certificate reaches its renewal threshold, the renewal process starts. The renewal-threshold setting on a certificate is a percentage value that determines how much of the enrolled certificate's validity period must have elapsed before attempting to renew the certificate. The default value is 80% of the validity period. Renewal of a certificate must be completed before it expires; otherwise, it must be removed and a new certificate enrolled.
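The threshold arithmetic above, worked through as an added example (this is illustrative code written for this page, not WeOS code; the validity dates and the "now" instants are constructed, and the state names are my own labels for the conditions the text describes):

```python
from datetime import datetime, timedelta, timezone

# Constructed validity period of an enrolled certificate (not a real certificate).
NOT_BEFORE = datetime(2024, 1, 1, tzinfo=timezone.utc)
NOT_AFTER = datetime(2025, 1, 1, tzinfo=timezone.utc)   # 366 days, 2024 is a leap year


def threshold_is_valid(threshold_pct: int) -> bool:
    """renewal-threshold accepts a percentage between 0 and 99."""
    return 0 <= threshold_pct <= 99


def renewal_start(not_before: datetime, not_after: datetime, threshold_pct: int):
    """Instant at which renewal attempts begin, or None when threshold 0
    has disabled automatic renewal."""
    if not threshold_is_valid(threshold_pct):
        raise ValueError("renewal-threshold must be between 0 and 99")
    if threshold_pct == 0:
        return None
    validity = not_after - not_before
    return not_before + validity * (threshold_pct / 100)


def certificate_state(not_before: datetime, not_after: datetime,
                      threshold_pct: int, now: datetime) -> str:
    """Classify the certificate as the renewal logic sees it:
    'valid'    - inside the validity period, threshold not yet reached
    'renew'    - threshold reached and certificate still valid: renew now
    'expired'  - past notAfter: renewal is no longer possible, the certificate
                 must be removed and a new one enrolled
    'disabled' - automatic renewal is off (threshold 0), certificate still valid
    """
    if now >= not_after:
        return "expired"
    start = renewal_start(not_before, not_after, threshold_pct)
    if start is None:
        return "disabled"
    return "renew" if now >= start else "valid"


def state_after_days(days: int, threshold_pct: int = 80) -> str:
    """Convenience wrapper: state of the constructed certificate `days` after notBefore."""
    now = NOT_BEFORE + timedelta(days=days)
    return certificate_state(NOT_BEFORE, NOT_AFTER, threshold_pct, now)


if __name__ == "__main__":
    print("renewal starts at", renewal_start(NOT_BEFORE, NOT_AFTER, 80))
    for d in (150, 300, 400):
        print(f"day {d}: {state_after_days(d)}")
```

With the default of 80, a 366-day certificate enters the renewal window 292.8 days after notBefore (19 October 2024). The gap between the window opening and notAfter is the time available for the CA administrator to approve the request; a threshold close to 99 leaves very little of it.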
Rollover
The CA rollover is the process of transitioning from one Certificate Authority (CA) certificate to another. During the rollover period, both the old and new CA certificates are valid and in use. Once the transition is complete, the old CA certificate is retired, and the new CA certificate takes over entirely.
The system supports rollover of Intermediate-CA certificates. When a new Intermediate-CA is retrieved from the server, it is saved under a unique name, allowing the old certificate to coexist. Every subsequent enrollment or renewal will use the new intermediate for signing. However, both intermediates (old and new) can be used by applications, such as tunnels, when constructing certificate chains.
Rollover of Root-CA certificates is not supported. Any new Root-CA provided by the SCEP server via the getCACert command replaces the existing one.
Configuration
The PKI configuration consists of setting up an enrollment server to be used for one or more certificate enrollments.
Configuring an Enrollment Server
This section describes configuration of an enrollment server.
example:/#> configure
example:/config/#> pki
example:/config/pki/#> enroll 1
example:/config/pki/enroll-server-1#> show
Server #          : 1
Label             : enroll1
Description       : HQ-server
Status            : Enabled
URL               : http://myurl.com:8080/scep/generic
fingerprint       : 0542DFC5F97A4812E18FBA0CAE092E82
fingerprint-alg   : md5sum
Protocol          : SCEP
Cipher            : AES128-CBC
Renew-request     : PKCSReq
- [no] label <LABEL>
  The label of this enrollment server. The Root-CA certificate downloaded from that server is given this label. The label can be referenced from other parts of the system, including the certificate enrollment configuration.
  - LABEL: The name of the enrollment server.
  - no: Resets label to enroll#.

- [no] description [STRING]
  Free-text description of the enrollment server, shown in lists.
  - STRING: A short description of the enrollment server.
  - no: Resets Description to the empty string.

- [no] enable
  Enables the enrollment server. Status shows the result.
  - no: Disables the enrollment server.

- [no] url <URL>
  URL of the enrollment server: scheme, host name (including any subdomain), optional port, and path.
  - URL: URL of the enrollment server, e.g. http://example.com/certsrv/mscep/mscep.dll
  - no: Resets URL to the empty string.

- [no] fingerprint <HASH>
  The fingerprint of the Root-CA certificate in DER format, used for the integrity and authenticity check performed before enrollment.
  - HASH: The fingerprint, obtained from the administrator of the enrollment server.
  - no: Resets fingerprint to the empty string.

- [no] fingerprint-alg <md5|sha1|sha256>
  The algorithm used to calculate the fingerprint of the Root-CA certificate. SHA-256 is the default, as stipulated by RFC 8894.
  - md5|sha1|sha256: The hashing algorithm used to calculate the fingerprint: md5sum, sha1sum, or sha256sum.
  - no: Resets fingerprint-alg to the default algorithm, sha256.

- [no] protocol <scep>
  Protocol used to talk to the enrollment server.
  - scep: Only SCEP is supported.
  - no: Resets Protocol to the default, SCEP.

- [no] cipher <aes128-cbc|3des-cbc>
  Symmetric cipher used to encrypt data sent to the server. AES128-CBC is the default, as stipulated by RFC 8894.
  - aes128-cbc|3des-cbc: Encryption of data sent to/from the server. Choose one supported by the server.
  - no: Resets Cipher to the default, AES128-CBC.

- [no] renew-request <pkcs-req | renewal-req>
  By default, a PKCSReq message is sent when renewing a certificate. RFC 8894 introduced a dedicated RenewalReq message type; however, some SCEP servers (e.g., OpenXPKI) do not support it and perform renewal using PKCSReq instead. Windows NDES handles RenewalReq correctly.
  - pkcs-req | renewal-req: SCEP message type used when renewing a certificate. Choose one supported by the server.
  - no: Resets Renew-request to the default, PKCSReq.
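The fingerprint check that the fingerprint and fingerprint-alg parameters configure, as an added example (illustrative code written for this page, not WeOS code): hash the DER bytes of the downloaded Root-CA with the configured algorithm and compare the result, in constant time, with the value the CA administrator handed out. SAMPLE_DER is a constructed byte string standing in for a real certificate, and the helper names are my own.

```python
import hashlib
import hmac

# fingerprint-alg values on the device mapped to hashlib algorithm names.
FINGERPRINT_ALGS = {"md5": "md5", "sha1": "sha1", "sha256": "sha256"}

# Constructed stand-in for the DER bytes of a Root-CA certificate. It is NOT a
# real certificate; only the bytes matter for the hashing logic shown here.
SAMPLE_DER = bytes.fromhex("308201ab30820114a003020102020900") + bytes(range(64))


def fingerprint(der_bytes: bytes, alg: str = "sha256") -> str:
    """Lower-case hex digest over the raw DER bytes, which is what the CA
    administrator distributes and what the device recomputes after getCACert."""
    name = FINGERPRINT_ALGS.get(alg.lower())
    if name is None:
        raise ValueError(f"unsupported fingerprint-alg: {alg!r}")
    return hashlib.new(name, der_bytes).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex and return lower-case hex."""
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")


def verify_root_ca(der_bytes: bytes, expected_fp: str, alg: str = "sha256") -> bool:
    """True only if the downloaded Root-CA matches the configured fingerprint.
    The comparison is constant-time and a digest of the wrong length is
    rejected outright, so an empty or truncated value can never match."""
    name = FINGERPRINT_ALGS.get(alg.lower())
    if name is None:
        return False
    expected = normalize(expected_fp)
    if len(expected) != hashlib.new(name).digest_size * 2:
        return False
    return hmac.compare_digest(fingerprint(der_bytes, alg), expected)


if __name__ == "__main__":
    fp = fingerprint(SAMPLE_DER)
    print("sha256 fingerprint:", fp)
    print("verified:", verify_root_ca(SAMPLE_DER, fp))
    print("tampered:", verify_root_ca(SAMPLE_DER + b"\x00", fp))
```

A digest length check is worth keeping: the 32-hex-digit value in the show output above only makes sense with fingerprint-alg md5sum, and a sha256 value pasted into a server configured for md5 (or vice versa) should fail immediately rather than silently never match. MD5 and SHA-1 are accepted for compatibility with older CA setups; the RFC 8894 default of sha256 is the one to keep where the CA supports it.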
 
Configuring a Certificate Enrollment Request
An enrollment request is configured in the Exec context.
example:/#> pki
example:/pki/#> cert
example:/pki/cert/#> enroll mycert
example:/pki/cert/enroll-mycert/#> show
Cert label          : mycert
Server              : enroll1
Password            : SecretChallange
DN                  : CN=mycert.co.uk, C=UK
Renewal-threshold   : 80 %
SAN                 : 192.168.100.101
Keysize             : 2048
Profile             : tls-server
- [no] server <LABEL>
  Label of an already configured enrollment server.
  - LABEL: The name of the enrollment server defined earlier.
  - no: Resets to the empty string.

- [no] password [CHALLENGE]
  Challenge password obtained from the SCEP server or an administrator. Ensure that it is unique.
  - CHALLENGE: Challenge password string.
  - no: Resets to the empty string.

- [no] renewal-threshold <THRESHOLD>
  Determines when the system begins attempting to renew a certificate, based on how much of the certificate's validity period has already passed.
  - THRESHOLD: A percentage between 0 and 99. For example, with the threshold set to 80, the system starts the renewal process after 80% of the certificate's lifetime has elapsed. Setting the value to 0 disables automatic renewal.

- [no] dn STRING, [STRING], [...]
  Distinguished Name (subject) of this certificate.
  - STRING: Comma-separated list of subject components, e.g. CN=Bob Smith, C=SE. Note that the returned certificate might contain a different set of components.
  - no: Resets to the empty string.

- [no] san [STRING], [STRING], [...]
  Subject Alternative Name (SAN) of this certificate. Comma-separated list of SAN components.
  - STRING: SAN component, e.g. "dut1.test.com".
  - no: Resets to the empty string.

- [no] key-size <1024|2048|4096>
  Key length (modulus size) in bits.
  - no: Resets to the default.

- [no] profile [STRING]
  Certificate profile or template name to be included in the certificate request. Supported e.g. by OpenXPKI SCEP server profiles (pc-client, tls-server, etc.), which are translated into the corresponding Extended Key Usage (EKU) flags in the generated X.509 certificate. The name is carried in the request as the certificate template extension, OID 1.3.6.1.4.1.311.20.2.
  - STRING: Profile name.
  - no: Resets to the empty string.
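The dn and san parameters above take comma-separated strings; as an added example (illustrative code written for this page, not WeOS code), here is a parser for that input format that also sorts each SAN component into the X.509 GeneralName type it belongs to, so an IP address such as the 192.168.100.101 in the show output becomes an iPAddress entry rather than a dNSName. The function names are my own, and the host-name rule is the usual one (labels of letters, digits and hyphens, at most 63 characters each); the page does not state how WeOS validates these strings, so treat that part as an assumption.

```python
import ipaddress
import re

# A DNS label: 1-63 letters, digits or '-', not starting or ending with '-'.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_dn(dn: str) -> list:
    """Split a DN string such as 'CN=mycert.co.uk, C=UK' into ordered
    (attribute, value) pairs. Values may contain spaces but, because the CLI
    format is comma separated, not commas. A trailing comma is tolerated."""
    pairs = []
    for part in dn.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"DN component without '=': {part!r}")
        attr, value = (s.strip() for s in part.split("=", 1))
        if not attr or not value:
            raise ValueError(f"empty attribute or value in {part!r}")
        pairs.append((attr.upper(), value))
    if not pairs:
        raise ValueError("DN must contain at least one component")
    return pairs


def san_entry_kind(component: str):
    """'IP' for an IPv4/IPv6 literal, 'DNS' for a syntactically valid host
    name, or None if the component fits neither GeneralName type."""
    try:
        ipaddress.ip_address(component)
        return "IP"
    except ValueError:
        pass
    labels = component.split(".")
    if len(component) <= 253 and all(_LABEL.match(label) for label in labels):
        return "DNS"
    return None


def parse_san(san: str) -> list:
    """Split a comma separated SAN string into (kind, value) entries.
    Quotes around a component (straight or curly, as in the docs) are dropped
    and host names are lower-cased; anything unclassifiable is rejected
    rather than silently sent to the CA as a dNSName."""
    entries = []
    for part in san.split(","):
        part = part.strip().strip('"\u201c\u201d')
        if not part:
            continue
        kind = san_entry_kind(part)
        if kind is None:
            raise ValueError(f"not an IP address or host name: {part!r}")
        entries.append((kind, part if kind == "IP" else part.lower()))
    return entries


if __name__ == "__main__":
    print(parse_dn("CN=mycert.co.uk, C=UK"))
    print(parse_san('"dut1.test.com", 192.168.100.101'))
```

The note under dn that the returned certificate may contain a different set of components still applies: the parser only checks what the device sends in the CSR, and the CA profile decides what ends up in the issued certificate.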
 
Examples
The process of enrolling a certificate