
SCEP command

When run with the necessary options, the trustedge certificate scep command provides functionality for certificate enrollment, renewal, and key rekeying using the Simple Certificate Enrollment Protocol (SCEP).

Before you begin

Make sure you understand the following requirements before attempting SCEP enrollment operations.

Use cases and examples

To view the available options for the trustedge certificate scep command, use the following:

trustedge certificate scep --help

Step 1: Set up the device

Before starting the SCEP enrollment process, you need to set up your device with the necessary directories and environment variables.

  1. Set the SCEP_ENDPOINT variable. Replace <scep_endpoint_url> with the actual URL you obtained from IoT Trust Manager.

    export SCEP_ENDPOINT=<scep_endpoint_url>
  2. Set the SCEP_PASS variable. Replace <scep_passcode> with the actual passcode you obtained from IoT Trust Manager.

    export SCEP_PASS=<scep_passcode>
  3. Check your current working directory. This is where the keystore directory will be created.

    Note

    If you need to navigate to a different directory, use the cd command.

  4. After confirming or changing your working directory, create the necessary keystore structure.

    mkdir -p keystore/{ca,certs,keys,conf,req}

    This command will create the keystore directory in your current working directory. It also creates the following subdirectories as specified in the curly brackets:

    • ca: Location for CA certificate.

    • certs: Location for CEP or RA certificate and XCHG certificate.

    • keys: Generated keys are saved here.

    • conf: Location for Certificate Signing Request (CSR) configuration file (.cnf).

    • req: Signed certificate request is saved here.

  5. Use the following command to create the Certificate Signing Request (CSR) configuration file sample_scep_csr.cnf in the keystore/conf directory.

    echo "# Subject
    countryName=US
    stateOrProvinceName=CA
    localityName=MV
    organizationName=DigiCert
    organizationalUnitName=Engineering
    commonName=qa-scep-testing-rsa
    # Requested Extensions
    isCA=false
    # certPathLen=-1
    keyUsage=digitalSignature keyEncipherment" > keystore/conf/sample_scep_csr.cnf

    Tip

    To confirm the creation of directories and files, you can use the ls -l keystore/* command.

Step 2: Download CA certificate

Before you can request a certificate using SCEP enrollment, you first need to download a copy of the Certificate Authority (CA) certificate. The CA certificate is used to create the PEM files moc_CA.pem, moc_CEP.pem, and moc_XCHG.pem, which are used for SCEP communications between your device and DigiCert® IoT Trust Manager.

  1. Download the CA certificate.

    trustedge certificate scep --scepc-serverURL $SCEP_ENDPOINT --scepc-serverType GEN_GET --key-store-path keystore/ --scepc-challengePass $SCEP_PASS --scepc-pkiOperation GetCACert

    Notice

    The above command downloads the certificate file cacert.pem to the keystore/ca folder in the current working directory.

  2. Create the files moc_CA.pem, moc_CEP.pem, and moc_XCHG.pem in their respective keystore directories.

    cp keystore/ca/cacert.pem keystore/ca/moc_CA.pem && \
    cp keystore/ca/cacert.pem keystore/certs/moc_CEP.pem && \
    cp keystore/ca/cacert.pem keystore/certs/moc_XCHG.pem
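The moc_*.pem files created in step 2 become the trust anchors for every later SCEP exchange, and GetCACert returns the certificate without authenticating it, so a defender should compare the downloaded certificate's fingerprint with a value obtained out-of-band before copying it. The following shell script is an added example, not part of the TrustEdge documentation: the function names and the EXPECTED_CA_SHA256 placeholder are assumptions, and only awk, base64 and sha256sum are required.

```shell
#!/bin/sh
# Added example, not from the TrustEdge documentation: pin the CA certificate that
# GetCACert downloaded (Step 2) to a SHA-256 fingerprint obtained out-of-band, and
# only then create the moc_*.pem trust files. Function names are assumptions.

# Print the SHA-256 fingerprint (lowercase hex, no colons) of the first certificate
# in a PEM file. A certificate fingerprint is the hash of its DER bytes, so only
# awk, base64 and sha256sum are needed; the result equals what
# "openssl x509 -noout -fingerprint -sha256" prints once the colons are removed.
pem_sha256_fingerprint() {
    _b64=$(awk '/-----BEGIN CERTIFICATE-----/ {f=1; next}
                /-----END CERTIFICATE-----/   {exit}
                f' "$1") || return 1
    [ -n "$_b64" ] || return 1          # no certificate block found
    printf '%s\n' "$_b64" | base64 -d | sha256sum | cut -d' ' -f1
}

# Compare a PEM file with an expected fingerprint; colons and letter case in the
# expected value are ignored so a value copied from a UI works. Returns 0 on match.
verify_ca_fingerprint() {
    _expected=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
    _actual=$(pem_sha256_fingerprint "$1")
    [ -n "$_actual" ] && [ "$_actual" = "$_expected" ]
}

# Step 2 item 2, guarded: refuse to create moc_CA.pem, moc_CEP.pem and moc_XCHG.pem
# unless <keystore>/ca/cacert.pem matches the pinned fingerprint.
stage_trust_files() {
    _ks=$1
    if ! verify_ca_fingerprint "$_ks/ca/cacert.pem" "$2"; then
        echo "CA fingerprint mismatch: not trusting $_ks/ca/cacert.pem" >&2
        return 1
    fi
    cp "$_ks/ca/cacert.pem" "$_ks/ca/moc_CA.pem" &&
    cp "$_ks/ca/cacert.pem" "$_ks/certs/moc_CEP.pem" &&
    cp "$_ks/ca/cacert.pem" "$_ks/certs/moc_XCHG.pem"
}

# Usage after Step 2 item 1 (EXPECTED_CA_SHA256 is a placeholder for the real value):
# stage_trust_files keystore "$EXPECTED_CA_SHA256"
```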

Step 3: Enroll a software key

Run the following command to enroll a software key using SCEP.

trustedge certificate scep --scepc-serverURL $SCEP_ENDPOINT --scepc-serverType GEN_POST --key-store-path keystore/ --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 --key-alias myGen --scepc-challengePass $SCEP_PASS --scepc-pkiOperation PKCSReq

Command breakdown:

  • --scepc-serverURL $SCEP_ENDPOINT: Specifies the URL of the SCEP server endpoint where the CSR will be sent for processing.

  • --scepc-serverType GEN_POST: Defines the type of server interaction. In this case, GEN_POST indicates that the CSR will be generated and posted to the SCEP server.

  • --key-store-path keystore/: Indicates the path to the keystore directory where the necessary keys and certificates are stored. This keystore is used to store the generated keys and the returned certificates.

  • --csr-conf sample_scep_csr.cnf: Points to the name of the CSR configuration file. This file must reside in the <path/to/keystore>/conf/ directory. The configuration file contains details about the CSR, including subject information and key usage.

  • --algorithm RSA: Specifies the algorithm used for key generation. In this case, RSA is selected.

  • --size 2048: Defines the size of the RSA key to be generated, which is set to 2048 bits.

  • --key-alias myGen: Provides a custom name for the file name stub used for storing keys and certificates. Files will be placed in the <path/to/keystore>/keys directory. The default stub is GenKey, but here it is overridden to myGen.

  • --scepc-challengePass $SCEP_PASS: Supplies the challenge password for the SCEP operation, used to authenticate the request.

  • --scepc-pkiOperation PKCSReq: Specifies the PKI operation type. PKCSReq is the SCEP enrollment operation: the command submits its PKCS #10 certificate request (a Public Key Cryptography Standards format) to the server and receives the issued certificate in return.

(Optional) Renew a software key

Run the following command to renew a previously enrolled software key.

trustedge certificate scep --scepc-serverURL $SCEP_ENDPOINT --scepc-serverType GEN_POST --key-store-path keystore/ --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 --key-alias myGen --scepc-challengePass $SCEP_PASS --scepc-pkiOperation RenewalReq

Enroll a TAP key

To enroll a TAP hardware-based key:

trustedge certificate scep --scepc-serverURL $SCEP_ENDPOINT --scepc-serverType GEN_POST --key-store-path keystore/ --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 --key-alias myGenTap --scepc-challengePass $SCEP_PASS --scepc-pkiOperation PKCSReq --tap

Renew a TAP key

To renew a TAP hardware-based key:

trustedge certificate scep --scepc-serverURL $SCEP_ENDPOINT --scepc-serverType GEN_POST --key-store-path keystore/ --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 --key-alias myGenTap --scepc-challengePass $SCEP_PASS --scepc-pkiOperation RenewalReq --tap

Rekey a TAP key with another TAP key

To rekey a TAP key with another TAP key:

trustedge certificate scep --scepc-serverURL $SCEP_ENDPOINT --scepc-serverType GEN_POST --key-store-path keystore/ --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 --key-alias myGenTap --scepc-challengePass $SCEP_PASS --scepc-pkiOperation RekeyReq --tap

Enroll a password-protected TAP key

To enroll a password-protected TAP key:

trustedge certificate scep --scepc-serverURL $SCEP_ENDPOINT --scepc-serverType GEN_POST --key-store-path keystore/ --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 --key-alias myGenTapPw --scepc-challengePass $SCEP_PASS --scepc-pkiOperation PKCSReq --tap --protect

Renew a password-protected TAP key

To renew a password-protected TAP key:

trustedge certificate scep --scepc-serverURL $SCEP_ENDPOINT --scepc-serverType GEN_POST --key-store-path keystore/ --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 --key-alias myGenTapPw --scepc-challengePass $SCEP_PASS --scepc-pkiOperation RenewalReq --tap --protect --original-key-pw

Rekey a password-protected TAP key with another TAP key

To rekey a password-protected TAP key with another TAP key:

trustedge certificate scep --scepc-serverURL $SCEP_ENDPOINT --scepc-serverType GEN_POST --key-store-path keystore/ --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 --key-alias myGenTapPw --scepc-challengePass $SCEP_PASS --scepc-pkiOperation RekeyReq --tap --protect --original-key-pw