
SCEP client

The Simple Certificate Enrollment Protocol (SCEP) automates X.509 certificate lifecycle operations using Cryptographic Message Syntax (CMS) and PKCS#10 formats. NanoCert SCEP client implements all messages defined in RFC 8894, including PKCSReq, GetCert, GetCRL, GetCACert, and GetCACaps.

Note

While many deployments use only RSA keys, RFC 8894 also allows ECDSA and other algorithms via encrypted challenge-password CSRs.

Most SCEP client operations follow a straightforward request-response pattern:

  1. The client sends a request to the server

  2. The server processes the request

  3. The client receives and processes the response

Request-response operations

Almost all SCEP operations follow this simple request-response sequence. The client sends a request to the server and then waits for the server to respond with the requested information or confirmation.

Special case: Manual enrollment requests

There is one exception to this pattern: when a client sends a Certificate Enrollment request to a server configured for manual identity authentication. In this scenario:

  1. The client sends an enrollment request

  2. The server responds with a PENDING status

  3. The client must poll the server periodically until one of these conditions is met:

    • The request times out

    • The certificate is issued

    • The request is rejected

Note

The timeout logic must be defined in your application code. You can:

  • Set a timeout in the TCP read operation using TCP_READ_AVL.

  • Control the time between polling cycles using RTOS_sleepMS or equivalent.

  • Configure either a limit on polling attempts or allow unlimited retries.
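The polling loop described above, as an added example that is not NanoCert code: a bounded poller that repeats the GetCertInitial round trip while the server keeps answering PENDING and stops on issuance, rejection, or its own attempt limit. The poll and sleep hooks (scep_poll_fn, scep_sleep_fn) are hypothetical; in a real client they would wrap the SDK's GetCertInitial call and RTOS_sleepMS, and the scripted stand-in server is constructed for the demonstration.

```c
#include <stdint.h>
/* Added example, not NanoCert code: bounded polling for SCEP manual enrollment.
 * After a PKCSReq is answered with PENDING, the client repeats GetCertInitial until
 * the certificate is issued, the request is rejected, or its own limit is hit.
 * The poll/sleep hooks are hypothetical; a real client would wrap the SDK's
 * GetCertInitial round trip and RTOS_sleepMS in them. */
typedef enum { SCEP_PKI_SUCCESS = 0, SCEP_PKI_FAILURE = 2, SCEP_PKI_PENDING = 3, /* RFC 8894 pkiStatus */
               SCEP_PKI_TRANSPORT_ERROR = -1 /* local: no reply, e.g. TCP read timeout */ } scep_pki_status;
typedef enum { SCEP_POLL_ISSUED, SCEP_POLL_REJECTED, SCEP_POLL_TIMED_OUT,
               SCEP_POLL_TRANSPORT_FAILED } scep_poll_result;
typedef scep_pki_status (*scep_poll_fn)(void *ctx);  /* one GetCertInitial exchange */
typedef void (*scep_sleep_fn)(uint32_t ms);

/* Polls at most max_attempts times (0 = unlimited) with interval_ms between tries.
 * Transport errors draw on the same budget, so an unreachable RA cannot keep the
 * device retrying forever. *attempts_out receives the number of polls made. */
scep_poll_result scep_poll_until_done(scep_poll_fn poll, void *ctx, uint32_t max_attempts,
                                      uint32_t interval_ms, scep_sleep_fn sleep_ms,
                                      uint32_t *attempts_out)
{
    uint32_t attempts = 0;
    for (;;) {
        scep_pki_status st = poll(ctx);
        attempts++;
        if (attempts_out) *attempts_out = attempts;
        if (st == SCEP_PKI_SUCCESS) return SCEP_POLL_ISSUED;
        if (st == SCEP_PKI_FAILURE) return SCEP_POLL_REJECTED;
        if (max_attempts != 0 && attempts >= max_attempts)
            return st == SCEP_PKI_PENDING ? SCEP_POLL_TIMED_OUT : SCEP_POLL_TRANSPORT_FAILED;
        sleep_ms(interval_ms);   /* wait before the next GetCertInitial */
    }
}

/* Constructed stand-in server: replays a script such as "PPS" (P = PENDING,
 * S = SUCCESS, F = FAILURE, anything else = transport error). The last character
 * repeats, which models a server that never decides. */
static scep_pki_status scripted_poll(void *ctx)
{
    const char **p = ctx;
    char c = **p;
    if ((*p)[1] != '\0') (*p)++;
    return c == 'S' ? SCEP_PKI_SUCCESS : c == 'F' ? SCEP_PKI_FAILURE
         : c == 'P' ? SCEP_PKI_PENDING : SCEP_PKI_TRANSPORT_ERROR;
}
static void no_sleep(uint32_t ms) { (void)ms; }
/* Runs the poller against the scripted server with no real delay. */
scep_poll_result run_script(const char *script, uint32_t max_attempts, uint32_t *attempts)
{
    return scep_poll_until_done(scripted_poll, &script, max_attempts, 0, no_sleep, attempts);
}
```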

Supported operations

NanoCert SCEP client implements all operations defined in the SCEP specification:

  • PKI (public key infrastructure) operations:

    • PKCSReq - Request a new certificate

    • GetCertInitial - Check the status of a pending certificate request

    • GetCert - Retrieve a certificate

    • GetCRL - Obtain a Certificate Revocation List

  • Plain text operations:

    • GetCACert - Retrieve the CA certificate

    • GetNextCACert - Retrieve the CA’s next certificate (for CA renewal)

    • GetCACertChain - Obtain the complete CA certificate chain

    • GetCACaps - Discover the CA’s capabilities

Operation requirements

All SCEP client operations require the URL of the SCEP service offered by the Certificate Authority (CA) or Registration Authority (RA).

For PKI operations, the end entity must know:

  • Its own name and private key

  • CA and RA certificates (if an RA is present)

  • The pre-shared secret, if using automatic enrollment

Depending on the SCEP server implementation, plain text operations may require:

  • CA identifier (often the CA common name)

For example, EJBCA (http://ejbca.org/) requires the identity to be the CA common name, while Microsoft Windows Certificate Services with SCEP Add-on doesn’t verify the identity.

Build instructions and sample code

To help you integrate NanoCert SCEP client into your devices, DigiCert® provides sample code in the source distribution. You can find the sample code here:

  • src/scep

This sample code demonstrates NanoCert features and serves as a reference for your own implementation.

Tip

Use the sample code build script. See NanoCert SCEP client sample code build instructions below.

Build and install

From your development environment, change into TrustCore SDK's root directory where NanoCert samples reside:

cd <path-to>/mocn-mss

Use the provided script to compile the SCEP client and its dependencies:

./scripts/scep/build_scep_client_ncrypto_tap.sh --debug --digicert

This produces the scep_client binary and required libraries.

Prepare your keystore directory

Create a keystore directory. You will reference this directory in your SCEP commands:

mkdir -p path/to/scep/keystore

Command-line interface

Important

Make sure you have completed NanoCert SCEP sample code build instructions above before using the SCEP command-line interface.

NanoCert SCEP client includes a command-line interface (CLI) that demonstrates the functionality and serves as a reference implementation. Understanding the command-line options provides insight into the capabilities and configuration parameters of the SCEP client.

Sample CSR attributes file

Certificate signing requests (CSRs) contain information about the entity requesting the certificate. NanoCert allows this information to be specified in a configuration file.

Here’s an example CSR attributes file (sample_scep_csr.cnf):

#Subject
countryName=US
commonName=scepclient
stateOrProvinceName=California
localityName=San Francisco
organizationName=Mocana Corporation
organizationalUnitName=Engineering

#Attributes

#Requested Extensions
hasBasicContraints=true
isCA=false
certPathLen=-1
keyUsage=digitalSignature, keyEncipherment

This file defines the subject information and requested extensions for the certificate. You can customize these values according to your requirements.
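An added example, not NanoCert code, that parses the requested-extensions part of this file format into RFC 5280 KeyUsage bits and BasicConstraints fields; it rejects a keyUsage name it does not recognise instead of silently dropping it, since a CSR that quietly asks for different usages is hard to notice after issuance. SAMPLE_CNF is a constructed copy of the file above, and the parser matches the hasBasicContraints key exactly as the sample spells it.

```c
#include <stdlib.h>
#include <string.h>
/* Added example, not NanoCert code: parses the "Requested Extensions" part of the
 * CSR attributes file shown above (blank and '#' lines skipped) into RFC 5280
 * KeyUsage bits plus BasicConstraints fields, rejecting unknown keyUsage names
 * instead of silently dropping them. SAMPLE_CNF is a constructed copy of that file. */
static const char SAMPLE_CNF[] =
    "#Subject\ncommonName=scepclient\n\n#Requested Extensions\nhasBasicContraints=true\n"
    "isCA=false\ncertPathLen=-1\nkeyUsage=digitalSignature, keyEncipherment\n";
enum { KU_DIGITAL_SIGNATURE = 1, KU_NON_REPUDIATION = 2, KU_KEY_ENCIPHERMENT = 4,
       KU_DATA_ENCIPHERMENT = 8, KU_KEY_AGREEMENT = 16, KU_KEY_CERT_SIGN = 32, KU_CRL_SIGN = 64 };
static const struct { const char *name; unsigned bit; } ku_names[] = {
    {"digitalSignature", KU_DIGITAL_SIGNATURE}, {"nonRepudiation", KU_NON_REPUDIATION},
    {"keyEncipherment", KU_KEY_ENCIPHERMENT}, {"dataEncipherment", KU_DATA_ENCIPHERMENT},
    {"keyAgreement", KU_KEY_AGREEMENT}, {"keyCertSign", KU_KEY_CERT_SIGN}, {"cRLSign", KU_CRL_SIGN}};
typedef struct { int hasBasicConstraints, isCA, certPathLen; unsigned keyUsage; } csr_ext;

#define IS_WS(c) ((c) == ' ' || (c) == '\t' || (c) == '\r')
static void trim(const char **s, size_t *n)              /* narrow [s, s+n) past whitespace */
{
    while (*n && IS_WS(**s)) { (*s)++; (*n)--; }
    while (*n && IS_WS((*s)[*n - 1])) (*n)--;
}
static int tok_is(const char *s, size_t n, const char *lit) { return strlen(lit) == n && !memcmp(s, lit, n); }

int parse_csr_ext(const char *text, csr_ext *out)        /* 0 on success, -1 on unknown keyUsage */
{
    memset(out, 0, sizeof *out); out->certPathLen = -1;
    for (const char *line = text; *line; ) {
        const char *nl = strchr(line, '\n'), *k = line, *eq, *v;
        size_t kn = nl ? (size_t)(nl - line) : strlen(line), kk, vn;
        line += kn + (nl != 0);                                   /* step to the next line */
        trim(&k, &kn);
        if (kn == 0 || *k == '#' || !(eq = memchr(k, '=', kn))) continue;
        v = eq + 1; vn = kn - (size_t)(v - k); kk = (size_t)(eq - k);
        trim(&k, &kk); trim(&v, &vn);
        if (tok_is(k, kk, "hasBasicContraints")) out->hasBasicConstraints = tok_is(v, vn, "true"); /* key as in sample */
        else if (tok_is(k, kk, "isCA")) out->isCA = tok_is(v, vn, "true");
        else if (tok_is(k, kk, "certPathLen")) out->certPathLen = atoi(v);   /* -1: no limit */
        else if (tok_is(k, kk, "keyUsage")) while (vn) {          /* comma-separated names */
            const char *c = memchr(v, ',', vn), *t = v;
            size_t seg = c ? (size_t)(c - v) : vn, tn = seg, i;
            trim(&t, &tn);
            for (i = 0; i < 7 && !tok_is(t, tn, ku_names[i].name); i++) {}
            if (i == 7) return -1;                                /* unknown usage: reject */
            out->keyUsage |= ku_names[i].bit;
            v += seg + (c != 0); vn -= seg + (c != 0);
        }
    }
    return 0;
}
```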

Options

List all available SCEP client CLI options:

./bin/scep_client --help

Key parameters include:

  • -scepc_serverURL <URL>: Full SCEP endpoint

  • -scepc_serverType <GEN_POST|…>: Request encoding (for example, GEN_POST)

  • -scepc_filePath <keystore-dir>: Directory of CA/RA certs

  • -scepc_keyType <RSA|ECDSA> and -scepc_keySize <bits>

  • -scepc_keySource <SW|TPM2>

  • -scepc_challengePass <password>: Required for authenticated enrollment

  • -scepc_pkiOperation <getca|getcacaps|enroll|renew|…>

Usage example

Get SCEP CA certificates:

./bin/scep_client \
  -scepc_serverURL https://demo.one.digicert.com/iot/api/v1/scep/IOT_7f03c28-ed55-4d3-b49b-2bc5cbc58be \
  -scepc_serverType GEN_POST \
  -scepc_filePath <path/to/scep/keystore> \
  -scepc_pkiOperation getca

Get SCEP CA capabilities:

./bin/scep_client \
  -scepc_serverURL https://demo.one.digicert.com/iot/api/v1/scep/IOT_7f03c28-ed55-4d3-b49b-2bc5cbc58be \
  -scepc_serverType GEN_POST \
  -scepc_filePath <path/to/scep/keystore> \
  -scepc_pkiOperation getcacaps

Enroll a certificate with SW-RSA (2048 bits):

./bin/scep_client \
  -scepc_serverURL https://demo.one.digicert.com/iot/api/v1/scep/IOT_7f03c28-ed55-4d3-b49b-2bc5cbc58be \
  -scepc_serverType GEN_POST \
  -scepc_filePath <path/to/scep/keystore> \
  -scepc_keyType RSA \
  -scepc_keySize 2048 \
  -scepc_csr_conf sample_scep_csr.cnf \
  -scepc_genKey \
  -scepc_challengePass MySecret123 \
  -scepc_pkiOperation enroll

Renew existing certificate:

./bin/scep_client \
  -scepc_serverURL https://demo.one.digicert.com/iot/api/v1/scep/IOT_7f03c28-ed55-4d3-b49b-2bc5cbc58be \
  -scepc_serverType GEN_POST \
  -scepc_filePath <path/to/scep/keystore> \
  -scepc_challengePass MySecret123 \
  -scepc_oldKey GenKeyBlob \
  -scepc_oldCert requester_cert.der \
  -scepc_pkiOperation renew

Enroll a certificate with TAP RSA key:

./bin/scep_client \
  -scepc_serverURL http://demo.one.digicert.com/iot/api/v1/scep/IOT_7f03c128-ed55-4d73-b49b-2bc5cabc58be \
  -scepc_serverType GEN_POST \
  -scepc_filePath <path/to/scep/keystore> \
  -scepc_keyType RSA \
  -scepc_keySize 2048 \
  -scepc_csr_conf sample_scep_csr.cnf \
  -scepc_genKey \
  -scepc_keySource TPM2 \
  -scepc_challengePass MySecret123 \
  -scepc_pkiOperation enroll

Note

NanoTAP 2.0 and NanoSMP for TPM 2.0 support both RSA and non‑RSA keys at the code level; however, DigiCert® IoT SCEP server currently only accepts RSA‑based enrollments over SCEP.