SCEP enrollment
TrustEdge certificate tool provides functionality for certificate enrollment, renewal, and key rekeying using the Simple Certificate Enrollment Protocol (SCEP).
Before you begin
Make sure you understand the following requirements before attempting SCEP enrollment operations.
TrustEdge must be installed on a supported device.
A SCEP endpoint and valid SCEP credentials are required to perform SCEP operations. See DigiCert® IoT Trust Manager Configure SCEP enrollment for more details on setting up a SCEP enrollment profile.
Your device must be able to connect to the SCEP endpoint.
Use cases and examples (command line)
To view the available options for SCEP enrollment, use the following command:
trustedge certificate scep --help
Step 1: Set up the device
Before starting the SCEP enrollment process, you need to set up your device with the necessary files and environment variables.
Set the SCEP_ENDPOINT variable. Replace <scep_endpoint_url> with the actual URL you obtained from IoT Trust Manager.
export SCEP_ENDPOINT=<scep_endpoint_url>
Set the SCEP_PASS variable. Replace <scep_passcode> with the actual passcode you obtained from IoT Trust Manager.
export SCEP_PASS=<scep_passcode>
Create a sample_scep_csr.cnf Certificate Signing Request (CSR) configuration file in the /etc/digicert/Keystore/conf directory.
sudo touch /etc/digicert/Keystore/conf/sample_scep_csr.cnf
Add the following sample CSR content to the sample_scep_csr.cnf file.
# Subject
countryName=US
stateOrProvinceName=CA
localityName=MV
organizationName=DigiCert
organizationalUnitName=Engineering
commonName=qa-scep-testing-rsa
# Requested Extensions
isCA=false
# certPathLen=-1
keyUsage=digitalSignature keyEncipherment
Make sure all files in the keystore directory are owned by the trustedge user and group.
sudo chown -R trustedge:trustedge /etc/digicert/Keystore/
Tip
To confirm the creation and ownership of directories and files, use ls -l -R /etc/digicert/Keystore/.
Step 2: Download CA certificate
Before you can request a certificate using SCEP enrollment, you first need to download a copy of the Certificate Authority (CA) certificate. The CA certificate is used to create the PEM files moc_CA.pem, moc_CEP.pem, and moc_XCHG.pem, which are used for SCEP communications between your device and DigiCert® IoT Trust Manager.
Download the CA certificate.
sudo -u trustedge trustedge certificate scep --scepc-serverURL $SCEP_ENDPOINT --scepc-serverType GEN_GET --scepc-challengePass $SCEP_PASS --scepc-pkiOperation GetCACert
Notice
The above command downloads the certificate file cacert.pem to the keystore/ca folder in the current working directory.
Create the files moc_CA.pem, moc_CEP.pem, and moc_XCHG.pem in their respective keystore directories.
sudo cp /etc/digicert/Keystore/ca/cacert.pem /etc/digicert/Keystore/ca/moc_CA.pem && \
sudo cp /etc/digicert/Keystore/ca/cacert.pem /etc/digicert/Keystore/certs/moc_CEP.pem && \
sudo cp /etc/digicert/Keystore/ca/cacert.pem /etc/digicert/Keystore/certs/moc_XCHG.pem
Make sure all files in the keystore directory are owned by the trustedge user and group.
sudo chown -R trustedge:trustedge /etc/digicert/Keystore/
Step 3: Enroll a software key
Run the following command to enroll a software key using SCEP.
sudo -u trustedge trustedge certificate scep --scepc-serverURL $SCEP_ENDPOINT --scepc-serverType GEN_POST --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 --key-alias myGen --scepc-challengePass $SCEP_PASS --scepc-pkiOperation PKCSReq
Command breakdown:
--scepc-serverURL $SCEP_ENDPOINT: Specifies the URL of the SCEP server endpoint where the CSR will be sent for processing.
--scepc-serverType GEN_POST: Defines the type of server interaction. In this case, GEN_POST indicates that the CSR will be generated and posted to the SCEP server.
--csr-conf sample_scep_csr.cnf: Points to the name of the CSR configuration file. This file must reside in the <path/to/keystore>/conf/ directory. The configuration file contains details about the CSR, including subject information and key usage.
--algorithm RSA: Specifies the algorithm used for key generation. In this case, RSA is selected.
--size 2048: Defines the size of the RSA key to be generated, which is set to 2048 bits.
--key-alias myGen: Provides a custom name for the file name stub used for storing keys and certificates. Files will be placed in the <path/to/keystore>/keys directory. The default stub is GenKey, but here it is overridden to myGen.
--scepc-challengePass $SCEP_PASS: Supplies the challenge password for the SCEP operation, used to authenticate the request.
--scepc-pkiOperation PKCSReq: Specifies the PKI operation type. PKCSReq indicates that the command is submitting a Public Key Cryptography Standards (PKCS) #10 certificate request, the standard SCEP enrollment operation.
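Steps 1 to 3 above as one script, added here as an example and not part of the TrustEdge documentation. It assumes SCEP_ENDPOINT and SCEP_PASS are already exported and that trustedge is on PATH; the KEYSTORE variable (defaulting to the documented /etc/digicert/Keystore), the RUN_AS prefix (defaulting to the documented sudo -u trustedge) and the scep_op helper are this script's own, and scep_op reuses the page's shared flag set so the RenewalReq, RekeyReq, --tap and --protect variants further down need only different arguments.

```shell
# Added example, not from the TrustEdge docs: Steps 1-3 as one script. Assumes SCEP_ENDPOINT and
# SCEP_PASS are exported and trustedge is on PATH; KEYSTORE and RUN_AS default to the page's values.
set -eu
KEYSTORE="${KEYSTORE:-/etc/digicert/Keystore}"
RUN_AS="${RUN_AS-sudo -u trustedge}"   # set RUN_AS="" to call trustedge directly
# Step 1: write the page's sample CSR configuration into <keystore>/conf.
write_csr_conf() {
    mkdir -p "$KEYSTORE/conf"
    cat > "$KEYSTORE/conf/sample_scep_csr.cnf" <<'EOF'
# Subject
countryName=US
stateOrProvinceName=CA
localityName=MV
organizationName=DigiCert
organizationalUnitName=Engineering
commonName=qa-scep-testing-rsa
# Requested Extensions
isCA=false
# certPathLen=-1
keyUsage=digitalSignature keyEncipherment
EOF
}
# Run one GEN_POST pkiOperation (PKCSReq, RenewalReq or RekeyReq) with the flag set every
# enrollment command on the page shares; extra flags such as --tap or --protect are passed through.
scep_op() {
    op="$1"; key_alias="$2"; shift 2
    $RUN_AS trustedge certificate scep --scepc-serverURL "${SCEP_ENDPOINT:?}" \
        --scepc-serverType GEN_POST --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 \
        --key-alias "$key_alias" --scepc-challengePass "${SCEP_PASS:?}" --scepc-pkiOperation "$op" "$@"
}
# Step 2: fan the downloaded cacert.pem out to the three moc_*.pem files SCEP communication uses.
# Fails loudly if GetCACert did not leave cacert.pem in <keystore>/ca instead of copying nothing.
stage_ca_files() {
    ca="$KEYSTORE/ca/cacert.pem"
    [ -s "$ca" ] || { echo "stage_ca_files: $ca missing or empty; run GetCACert first" >&2; return 1; }
    mkdir -p "$KEYSTORE/certs"
    cp "$ca" "$KEYSTORE/ca/moc_CA.pem"
    cp "$ca" "$KEYSTORE/certs/moc_CEP.pem"
    cp "$ca" "$KEYSTORE/certs/moc_XCHG.pem"
}
# Full sequence: CSR config, CA download, PEM staging, ownership fix, then the Step 3 software-key enrollment.
run_enrollment() {
    write_csr_conf
    $RUN_AS trustedge certificate scep --scepc-serverURL "${SCEP_ENDPOINT:?}" --scepc-serverType GEN_GET \
        --scepc-challengePass "${SCEP_PASS:?}" --scepc-pkiOperation GetCACert
    stage_ca_files
    sudo chown -R trustedge:trustedge "$KEYSTORE"   # keystore files must belong to the trustedge user
    scep_op PKCSReq myGen
}
if [ "${1:-}" = "run" ]; then run_enrollment; fi   # e.g. sh scep_enroll.sh run
```

A TAP renewal from the sections below becomes scep_op RenewalReq myGenTap --tap, and the password-protected rekey becomes scep_op RekeyReq myGenTapPw --tap --protect --original-key-pw.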
(Optional) Renew a software key
Run the following command to renew a previously enrolled software key.
sudo -u trustedge trustedge certificate scep --scepc-serverURL $SCEP_ENDPOINT --scepc-serverType GEN_POST --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 --key-alias myGen --scepc-challengePass $SCEP_PASS --scepc-pkiOperation RenewalReq
Important
In the following command examples, the keystore, CSR, and environment variables have been configured and the CA certificate has been downloaded.
Enroll a TAP key
To enroll a TAP hardware-based key:
sudo -u trustedge trustedge certificate scep --scepc-serverURL $SCEP_ENDPOINT --scepc-serverType GEN_POST --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 --key-alias myGenTap --scepc-challengePass $SCEP_PASS --scepc-pkiOperation PKCSReq --tap
Renew a TAP key
To renew a TAP hardware-based key:
sudo -u trustedge trustedge certificate scep --scepc-serverURL $SCEP_ENDPOINT --scepc-serverType GEN_POST --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 --key-alias myGenTap --scepc-challengePass $SCEP_PASS --scepc-pkiOperation RenewalReq --tap
Rekey a TAP key with another TAP key
To rekey a TAP key with another TAP key:
sudo -u trustedge trustedge certificate scep --scepc-serverURL $SCEP_ENDPOINT --scepc-serverType GEN_POST --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 --key-alias myGenTap --scepc-challengePass $SCEP_PASS --scepc-pkiOperation RekeyReq --tap
Enroll a password-protected TAP key
To enroll a password-protected TAP key:
sudo -u trustedge trustedge certificate scep --scepc-serverURL $SCEP_ENDPOINT --scepc-serverType GEN_POST --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 --key-alias myGenTapPw --scepc-challengePass $SCEP_PASS --scepc-pkiOperation PKCSReq --tap --protect
Renew a password-protected TAP key
To renew a password-protected TAP key:
sudo -u trustedge trustedge certificate scep --scepc-serverURL $SCEP_ENDPOINT --scepc-serverType GEN_POST --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 --key-alias myGenTapPw --scepc-challengePass $SCEP_PASS --scepc-pkiOperation RenewalReq --tap --protect --original-key-pw
Rekey a password-protected TAP key with another TAP key
To rekey a password-protected TAP key with another TAP key:
sudo -u trustedge trustedge certificate scep --scepc-serverURL $SCEP_ENDPOINT --scepc-serverType GEN_POST --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 --key-alias myGenTapPw --scepc-challengePass $SCEP_PASS --scepc-pkiOperation RekeyReq --tap --protect --original-key-pw