Configuring the SCEP ini file
Note:
You can use the example file on the devices to configure the SCEP agent: /setup/scep/scep.ini.sample
- Create the text file scep.ini. Then insert the sections and make the entries described below.
- To transfer the configuration file scep.ini to the devices under /setup/scep/, use the Scout feature Files configured for transfer. For further information, see Advanced device configuration > Files in the Scout guide.
The certificate request is created from the scep.ini data. You can optionally extend the certificate request with additional attributes. For further information, see Extended SCEP certificate request.
Sections and entries for scep.ini
Section | Entry | Description | Example
---|---|---|---
Admin | URI | SCEP server address (URI) | URI=http://ca.w2k12.sampletec-01.com/certsrv/mscep/
Admin | PROXY | Proxy server (optional) | PROXY=proxy.sampletec-01.com:3800
Admin | ReNew | Number of days before the certificate expires at which the device starts requesting a new certificate (renewal window). From this day on, the client tries to renew the certificate. The value must be less than the validity period of the certificate. | ReNew=30 (default)
Admin | ReNewCheckOnlyClient (from eLux RP 6 2302.1000) | Alternative to ReNew: only the client certificate is checked for expiry, not the CA and RA certificates. | ReNewCheckOnlyClient=30
Admin | ExpireCheck | Interval in days at which the ReNew date is checked. | ExpireCheck=1 (default)
Admin | challengePassword | One-time password for the request. Valid once only, for 60 minutes. The password is deleted from the file after the certificates have been transferred successfully; until then, treat scep.ini as a secret. | (A) challengePassword=12345 (B) challengePassword=<password requested via http://CA_FQDN/certsrv/mscep_admin/>
Certificate | CNTYPE | Type of common name. Allowed values: autoip (the IP address of the device is used as CN), ip (the IP address you specify as CN in scep.ini is used), dns (the name you specify as CN in scep.ini is used), autodns (the host name from terminal.ini is used as CN), dnsfqdn (the host name from terminal.ini with the domain name appended is used as CN), email (the email address you specify as CN in scep.ini is used) | CNTYPE=email
Certificate | CN | Certificate/Name. Required for CNTYPE=ip, dns and email; filled in by the system for CNTYPE=autoip, autodns and dnsfqdn | CN=userxxx@sampletec-01.com
Certificate | OU | Certificate/Attribute (optional) | OU=TestLab
Certificate | ORGANIZATION | Certificate/Attribute (optional) | ORGANIZATION=SampleTec
Certificate | LOCALITY | Certificate/Attribute (optional) | LOCALITY=Karlsruhe
Certificate | STATE | Certificate/Attribute (optional) | STATE=BW
Certificate | OU1 to OU6 | Further attributes for up to six OUs (optional). The OUs specified here can be used in a certificate request. | OU1=Testlab OU2=KA_QA OU3=KA_DEV
Certificate | COUNTRY | Certificate/Country | COUNTRY=DE
Certificate | KEYLEN | Key length (from the certificate template). Allowed values: 2048 or 4096. An incorrect key length results in the event log entry Incorrect Challenge Password. If a 4096-bit key cannot be generated in the TPM (TPM 2.0 with UseTPM2), a 4k RSA key is generated in the file system as a fallback. | KEYLEN=2048
Certificate | CertStore | Directory of the certificate store; the SCEP agent creates it on the device, and you can choose it freely. If you specify the default path /setup/cacerts/scep, the private key of the SCEP client certificate is stored in the TPM 2.0 module on TPM 2.0 devices (see UseTPM2). | CertStore=/setup/cacerts/scep
Additional information
- The storage location can be defined individually for each certificate file. The file path parameters below have higher priority than the CertStore parameter. The specified directories must exist. The client certificate and its private key can be merged into one file.
- Access rights can be defined for the private key (if it is kept in the file system).
- Certificates can be checked for validity against a certificate revocation list (CRL) (from eLux RP 6 2101).
Section | Entry | Description | Example
---|---|---|---
Certificate | CA_Path | Path and file name of the CA certificate of the server | CA_Path=/setup/cacerts/scep/serverca.pem (default)
Certificate | Client_Path | Path and file name of the client certificate | Client_Path=/setup/cacerts/scep/client.pem (default)
Certificate | ClientKey_Path | Path and file name of the private key of the client certificate. To merge certificate and key into one file, specify the same value for Client_Path and ClientKey_Path, for example /setup/cacerts/scep/client.pem. | ClientKey_Path=/setup/cacerts/scep/client.key (default)
Certificate | RA_Path | Path and file name of the RA (registration authority) certificate | RA_Path=/setup/cacerts/scep/serverra.pem (default)
Certificate | MODE | Whether the RA certificate is used in addition to the CA certificate. Allowed values: CA (default), RA | MODE=CA
Certificate | ClientKey_Permission | Access rights for the private key file: 0400 - readable only with root rights (default); 0444 - also readable by users | ClientKey_Permission=0400
Certificate | UseTPM2 | For devices with a TPM 2.0 chip. From eLux RP 6 2101: the private key is generated in the TPM 2.0 module and never leaves it. eLux RP 6.10 and 6.11: the private key file is stored in the TPM 2.0 chip. Allowed values: true, false | UseTPM2=true
Certificate | TPM2Fallback (from eLux RP 6 2204) | If the private key cannot be stored in the TPM 2.0 module (for example on devices with another TPM version), it is stored in the file system. Allowed values: true (default), false. With false there is no fallback: on devices without TPM 2.0 no key is stored at all. | TPM2Fallback=true
Certificate | CrlCheck1 to CrlCheck5 (from eLux RP 6 2101) | Optionally, up to five further certificates (in addition to CA_Path, Client_Path and RA_Path) that the SCEP agent checks for validity against CRLs. The check runs each time a connection is set up; if the connection stays up for longer, it is repeated at the interval set under ExpireCheck. | CrlCheck1=/setup/cacerts/myrootca.pem CrlCheck2=/setup/cacerts/myintermediate.pem
Certificate | CrlCheckEnabled (from eLux RP 6 2110) | true (default): all certificates are checked for validity against CRLs. false: no revocation check is done. | CrlCheckEnabled=true
Certificate | FirstCrlOnly (from eLux RP 6 2204) | true: if several CRLs are registered, only the first one is downloaded and checked, which reduces the load on the PKI. false (default): all registered CRLs are downloaded and checked. | FirstCrlOnly=true
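The following checker is an added example; it is not part of the eLux/Scout guide or of the SCEP agent. It parses a scep.ini and applies the rules stated in the tables above (required sections and entries, allowed values for CNTYPE, KEYLEN, MODE and ClientKey_Permission, the OU1 to OU6 and CrlCheck1 to CrlCheck5 ranges, the interaction of UseTPM2, CertStore and TPM2Fallback, and the revocation switches), flagging settings that weaken the deployment. The sample configuration, the finding texts and the function names (parse_scep_ini, check_scep_ini) are assumptions for illustration; the optional cert_validity_days parameter stands in for the template validity, which scep.ini itself does not carry.

```python
"""Checker for scep.ini against the entry rules documented on this page.
Added example, not the guide's or the SCEP agent's own code. The sample config
is constructed (host names, password and paths are illustrative)."""
import configparser

# Constructed sample scep.ini with both documented sections.
SAMPLE_SCEP_INI = """\
[Admin]
URI=http://ca.w2k12.sampletec-01.com/certsrv/mscep/
ReNew=30
ExpireCheck=1
challengePassword=12345

[Certificate]
CNTYPE=dnsfqdn
ORGANIZATION=SampleTec
COUNTRY=DE
KEYLEN=2048
CertStore=/setup/cacerts/scep
CA_Path=/setup/cacerts/scep/serverca.pem
Client_Path=/setup/cacerts/scep/client.pem
ClientKey_Path=/setup/cacerts/scep/client.key
MODE=CA
ClientKey_Permission=0400
UseTPM2=true
TPM2Fallback=true
CrlCheck1=/setup/cacerts/myrootca.pem
CrlCheckEnabled=true
FirstCrlOnly=false
"""

CNTYPES_EXPLICIT_CN = {"ip", "dns", "email"}        # CN must be set in scep.ini
CNTYPES_AUTO_CN = {"autoip", "autodns", "dnsfqdn"}  # CN is filled in by the system
DEFAULT_CERTSTORE = "/setup/cacerts/scep"


def parse_scep_ini(text):
    """Parse scep.ini text, keeping the mixed-case entry names the guide uses."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def _is_true(value):
    return str(value).strip().lower() == "true"


def check_scep_ini(text, cert_validity_days=None):
    """Return (level, entry, message) findings; [] means every documented rule holds."""
    cp = parse_scep_ini(text)
    findings = []
    add = lambda level, entry, msg: findings.append((level, entry, msg))
    if not (cp.has_section("Admin") and cp.has_section("Certificate")):
        add("error", "sections", "scep.ini needs both [Admin] and [Certificate]")
        return findings
    admin, cert = cp["Admin"], cp["Certificate"]

    # [Admin]: server address, renewal window, one-time password
    if not admin.get("URI"):
        add("error", "URI", "SCEP server URI is required")
    renew, renew_client = admin.get("ReNew"), admin.get("ReNewCheckOnlyClient")
    if renew and renew_client:
        add("warning", "ReNew", "ReNew and ReNewCheckOnlyClient are alternatives; set only one")
    for entry in ("ReNew", "ReNewCheckOnlyClient", "ExpireCheck"):
        value = admin.get(entry)
        if value is not None and (not value.isdigit() or int(value) < 1):
            add("error", entry, "must be a positive number of days")
    window = renew or renew_client
    if cert_validity_days and window and window.isdigit() and int(window) >= cert_validity_days:
        add("error", "ReNew", f"renewal window of {window} days must be less than the "
                              f"certificate validity of {cert_validity_days} days")
    if not admin.get("challengePassword"):
        add("info", "challengePassword", "no one-time password; the request is rejected "
                                         "if the SCEP server requires one")

    # [Certificate]: subject
    cntype = cert.get("CNTYPE", "")
    if cntype not in CNTYPES_EXPLICIT_CN | CNTYPES_AUTO_CN:
        add("error", "CNTYPE", f"unknown CNTYPE {cntype!r}")
    elif cntype in CNTYPES_EXPLICIT_CN and not cert.get("CN"):
        add("error", "CN", f"CNTYPE={cntype} needs an explicit CN entry")
    elif cntype in CNTYPES_AUTO_CN and cert.get("CN"):
        add("info", "CN", f"CN is filled in by the system for CNTYPE={cntype}")
    for key in cert:
        if key.startswith("OU") and key[2:].isdigit() and not 1 <= int(key[2:]) <= 6:
            add("error", key, "only OU1 to OU6 are supported")
        if key.startswith("CrlCheck") and key[8:].isdigit() and not 1 <= int(key[8:]) <= 5:
            add("error", key, "only CrlCheck1 to CrlCheck5 are supported")

    # [Certificate]: key generation and storage
    keylen = cert.get("KEYLEN", "")
    if keylen not in ("2048", "4096"):
        add("error", "KEYLEN", f"KEYLEN={keylen!r}; allowed 2048 or 4096 (a wrong length "
                               "shows up as 'Incorrect Challenge Password' in the event log)")
    use_tpm2 = _is_true(cert.get("UseTPM2", "false"))
    if use_tpm2 and keylen == "4096":
        add("info", "KEYLEN", "if the TPM 2.0 cannot generate a 4096-bit key, a 4k RSA key "
                              "is created in the file system instead")
    if use_tpm2 and cert.get("CertStore", DEFAULT_CERTSTORE).rstrip("/") != DEFAULT_CERTSTORE:
        add("warning", "CertStore", f"the guide ties TPM 2.0 key storage to {DEFAULT_CERTSTORE}; "
                                    "with another CertStore expect the private key in the file system")
    if use_tpm2 and not _is_true(cert.get("TPM2Fallback", "true")):
        add("info", "TPM2Fallback", "no fallback: on devices without TPM 2.0 no key is stored at all")
    perm = cert.get("ClientKey_Permission", "0400")
    if perm not in ("0400", "0444"):
        add("error", "ClientKey_Permission", "allowed values are 0400 and 0444")
    elif perm == "0444":
        add("warning", "ClientKey_Permission", "0444 lets every local user read the private "
                                               "key file whenever the key is in the file system")
    if cert.get("MODE", "CA") not in ("CA", "RA"):
        add("error", "MODE", "allowed values are CA and RA")

    # [Certificate]: revocation checking
    if not _is_true(cert.get("CrlCheckEnabled", "true")):
        add("warning", "CrlCheckEnabled", "revocation checking is switched off")
    if _is_true(cert.get("FirstCrlOnly", "false")):
        add("warning", "FirstCrlOnly", "only the first registered CRL is downloaded; "
                                       "revocations in the other CRLs go unnoticed")
    return findings


if __name__ == "__main__":
    for level, entry, msg in check_scep_ini(SAMPLE_SCEP_INI) or [("ok", "-", "no findings")]:
        print(f"{level:8s} {entry:22s} {msg}")
```

Run it against the scep.ini you are about to push with Scout; error findings correspond to entries the agent will reject or misuse, warning findings to settings that keep the key or the revocation status less protected than the defaults.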