SCEP Operations Guide

This page describes how to configure and operate SCEP with EJBCA. For an overview of EJBCA capabilities with SCEP, see the SCEP overview.

Configuring SCEP 

The SCEP URL is http://HOST:PORT/ejbca/publicweb/apply/scep/ALIAS/pkiclient.exe.

The URL contains a reference to a configuration alias, 'ALIAS'. 'ALIAS' is an alphanumeric string that refers to the set of SCEP configuration properties used when handling SCEP requests arriving through this URL. You can configure as many configuration aliases as desired using the command line or the CA UI.

Creating a SCEP alias with the name scep makes it available using the default URL (the same URL as in previous versions), http://HOST:PORT/ejbca/publicweb/apply/scep/pkiclient.exe.

Configuring SCEP in the CA UI 

To configure SCEP using the CA UI, select System Functions → SCEP Configuration.

Note that you need /edit_systemconfiguration access to be able to edit the SCEP configuration. For more information, see Access Rules.

Configuring SCEP on the Command Line Interface

For information on creating and configuring the SCEP aliases using the command line, run the following command from the EJBCA home directory.

$ bin/ejbca.sh config scep

Alias Properties

CA Mode

In CA Mode, EJBCA expects end entities to be created manually in advance; the SCEP client only enrolls for certificates against those existing end entities.

Properties

Include CA certificate in response: Set to true for the CA certificate to be transmitted back as part of the response.
Allow Client Certificate Renewal (Enterprise Edition): Set to true to perform client certificate renewal, where an enrollment request that arrives at half the certificate's validity automatically results in a new certificate being issued.
Allow Client Certificate Renewal using old key (Enterprise Edition): Set to true to allow client certificate renewal to be performed with the existing key.

RA Mode

This is an EJBCA Enterprise feature.

In RA Mode, EJBCA does not require the end entity to exist beforehand; it is created as part of the issuance process.

Properties

Include CA certificate in response: Set to true for the CA certificate to be transmitted back as part of the response.
Authenticate through Microsoft Intune: Validates SCEP requests with Microsoft Intune (see RA Mode with Microsoft Intune Support).
RA End Entity Profile: The end entity profile to use for the enrolled end entity.
RA Certificate Profile: The certificate profile to use for the enrolled end entity.
RA CA Name: The CA to enroll the end entity under.
RA authentication password: An authentication password to require in the request.
RA name generation scheme: How to generate the end entity username.
RA name generation parameters: What to base the end entity username on. It can be a part of the DN, the complete Subject DN, randomized or fixed.
RA name generation prefix: A general prefix to prepend to end entity usernames.
RA name generation postfix: A general postfix to append to end entity usernames.
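The four RA name generation properties decide which end entity an RA-mode request maps to. As an added example that is not EJBCA's own code, the following Python mirrors their combined effect on a request's subject DN; the scheme names (DN, RANDOM, FIXED), the dict keys, and the convention that the parameter "DN" means the complete Subject DN are assumptions made for this illustration.

```python
import re
import secrets

# Constructed RA-mode alias settings mirroring the four "RA name generation" properties
# above. The scheme names (DN, RANDOM, FIXED) and the dict keys are assumptions made for
# this illustration; they are not EJBCA's stored configuration keys.
RA_ALIAS = {
    "scheme": "DN",          # DN: take a subject attribute; RANDOM: random string; FIXED: literal
    "parameters": "UID;CN",  # DN scheme: attributes in priority order, "DN" = whole subject
    "prefix": "scep-",
    "postfix": "",
}


def parse_dn(dn):
    """Split 'CN=dev01,O=Example,C=SE' into an attribute->value dict (first occurrence wins).
    Backslash-escaped commas inside a value are honoured; this is not a full RFC 4514 parser."""
    values = {}
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.strip().partition("=")
        if sep and attr.strip().upper() not in values:
            values[attr.strip().upper()] = value.replace("\\,", ",")
    return values


def generate_username(alias, subject_dn):
    """Derive the end entity username an RA-mode request with PKCS#10 subject subject_dn
    would be enrolled under, according to the alias settings."""
    scheme, params = alias["scheme"], alias["parameters"]
    if scheme == "DN":
        if params.strip().upper() == "DN":
            base = subject_dn                       # complete Subject DN
        else:
            values = parse_dn(subject_dn)
            # Try each configured attribute in order; a request lacking all of them
            # cannot be mapped to an end entity name and is rejected.
            base = next((values[a.strip().upper()] for a in params.split(";")
                         if values.get(a.strip().upper())), None)
            if base is None:
                raise ValueError(f"subject {subject_dn!r} has none of {params}")
    elif scheme == "RANDOM":
        base = secrets.token_hex(8)
    elif scheme == "FIXED":
        base = params
    else:
        raise ValueError(f"unknown name generation scheme {scheme!r}")
    return f"{alias['prefix']}{base}{alias['postfix']}"


if __name__ == "__main__":
    print(generate_username(RA_ALIAS, "CN=dev01,O=Example,C=SE"))  # scep-dev01
```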

RA Mode with Microsoft Intune Support

This is an EJBCA Enterprise feature.

While in RA Mode, EJBCA can also use Microsoft Intune to validate SCEP requests. Enabling Authenticate through Microsoft Intune adds Intune-specific configuration properties. As you can see in the example configuration below, selecting to authenticate through Intune disables the RA authentication password field, since the password is checked with Intune instead.

Properties

Application ID from Azure: Application ID obtained by creating a new Application Registration. See Configure Intune for steps to obtain the Application ID.
Application API Secret from Azure: API secret obtained by creating a secret in the registered application. See Configure Intune for steps to obtain the API secret. Note that the auto-generated secret may contain a ~ character, which EJBCA does not support in passwords; regenerate the secret until it contains no ~ character.
Intune Tenant: The domain name of the user account used to log in to Microsoft Azure. If the account is admin@primekey.com, the Intune tenant is primekey.com.
EJBCA Proxy Host: The host on which the proxy that clients use for Internet access is running.
EJBCA Proxy Port: The port number of the proxy that clients use for Internet access.
EJBCA Proxy User: The username of the account used to log in to the proxy, if the proxy is configured for basic authentication.
EJBCA Proxy Password: The password of the account used to log in to the proxy, if the proxy is configured for basic authentication.

Sample Client Messages

While many SCEP clients exist (as listed on the SCEP overview page), many use cases require writing custom clients. To help you get started, we have produced sample implementations in Java using the BouncyCastle crypto libraries. For more information, see SCEP Client Support.