SCEP enrollment

TrustEdge certificate tool provides functionality for certificate enrollment, renewal, and key rekeying using the Simple Certificate Enrollment Protocol (SCEP).

Before you begin

Make sure you understand the following requirements before attempting SCEP enrollment operations.

Use cases and examples (command line)

To view the available options for SCEP enrollment, use the following command:

trustedge certificate scep --help

Step 1: Set up the device

Before starting the SCEP enrollment process, you need to set up your device with the necessary files and environment variables.

  1. Set the SCEP_ENDPOINT variable. Replace <scep_endpoint_url> with the actual URL you obtained from IoT Trust Manager.

    export SCEP_ENDPOINT=<scep_endpoint_url>
  2. Set the SCEP_PASS variable. Replace <scep_passcode> with the actual passcode you obtained from IoT Trust Manager.

    export SCEP_PASS=<scep_passcode>
  3. Create a sample_scep_csr.cnf Certificate Signing Request (CSR) configuration file in the /etc/digicert/Keystore/conf directory.

    sudo touch /etc/digicert/Keystore/conf/sample_scep_csr.cnf
  4. Add the following sample CSR content to the sample_scep_csr.cnf file.

    # Subject
    countryName=US
    stateOrProvinceName=CA
    localityName=MV
    organizationName=DigiCert
    organizationalUnitName=Engineering
    commonName=qa-scep-testing-rsa
    # Requested Extensions
    isCA=false
    # certPathLen=-1
    keyUsage=digitalSignature keyEncipherment
  5. Make sure all files in the keystore directory are owned by the trustedge user and group.

    sudo chown -R trustedge:trustedge /etc/digicert/Keystore/

    Tip

    To confirm the creation and ownership of directories and files, use ls -l -R /etc/digicert/Keystore/.

Step 2: Download CA certificate

Before you can request a certificate using SCEP enrollment, you first need to download a copy of the Certificate Authority (CA) certificate. The CA certificate is used to create the PEM files moc_CA.pem, moc_CEP.pem, and moc_XCHG.pem, which are used for SCEP communications between your device and DigiCert® IoT Trust Manager.

  1. Download the CA certificate.

    sudo -u trustedge trustedge certificate scep --scepc-serverURL $SCEP_ENDPOINT --scepc-serverType GEN_GET --scepc-challengePass $SCEP_PASS --scepc-pkiOperation GetCACert

    Notice

    The above command downloads the certificate file cacert.pem to the keystore/ca folder in the current working directory.

  2. Create the files moc_CA.pem, moc_CEP.pem, and moc_XCHG.pem in their respective keystore directories.

    sudo cp /etc/digicert/Keystore/ca/cacert.pem /etc/digicert/Keystore/ca/moc_CA.pem && \
    sudo cp /etc/digicert/Keystore/ca/cacert.pem /etc/digicert/Keystore/certs/moc_CEP.pem && \
    sudo cp /etc/digicert/Keystore/ca/cacert.pem /etc/digicert/Keystore/certs/moc_XCHG.pem
  3. Make sure all files in the keystore directory are owned by the trustedge user and group.

    sudo chown -R trustedge:trustedge /etc/digicert/Keystore/
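
The following pre-flight script is an added example for Steps 1 and 2; it is not part of TrustEdge or IoT Trust Manager. It checks the two environment variables, the CSR configuration file, keystore ownership, and, because the GetCACert operation is not authenticated, compares the SHA-256 fingerprint of the downloaded cacert.pem with a value you obtain out of band from IoT Trust Manager before the file is copied into moc_CA.pem, moc_CEP.pem and moc_XCHG.pem. The keystore path, file names and the trustedge user are taken from this page; EXPECTED_CA_SHA256 is an assumed variable name for that published fingerprint.

```sh
#!/bin/sh
# scep_preflight.sh: added pre-flight checks for the device set-up and CA
# download steps. Example code, not part of TrustEdge or IoT Trust Manager.
# Paths, file names and the trustedge user come from the documentation;
# EXPECTED_CA_SHA256 is assumed to be obtained out of band from IoT Trust Manager.

KEYSTORE="${KEYSTORE:-/etc/digicert/Keystore}"
CSR_CONF="${CSR_CONF:-$KEYSTORE/conf/sample_scep_csr.cnf}"
CA_CERT="${CA_CERT:-$KEYSTORE/ca/cacert.pem}"

# Step 1: SCEP_ENDPOINT and SCEP_PASS must both be set and non-empty.
check_env() {
  for v in SCEP_ENDPOINT SCEP_PASS; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "environment variable $v is not set" >&2
      return 1
    fi
  done
  return 0
}

# Step 1: the CSR config must carry the keys the server expects and must not
# request CA capability for a device certificate.
check_csr_conf() {
  conf="$1"; rc=0
  [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
  for key in countryName organizationName commonName isCA keyUsage; do
    if ! grep -q "^[[:space:]]*$key=" "$conf"; then
      echo "$conf: missing $key=" >&2; rc=1
    fi
  done
  if grep -q '^[[:space:]]*isCA=true' "$conf"; then
    echo "$conf: isCA must be false for a device certificate" >&2; rc=1
  fi
  return $rc
}

# Steps 1 and 2: every file under the keystore must be owned by user:group.
# find prints whatever does not match (or an error), so any output is a failure.
check_ownership() {
  dir="$1"; user="$2"; group="$3"
  bad=$(find "$dir" ! -user "$user" -o ! -group "$group" 2>&1)
  if [ -n "$bad" ]; then
    echo "not owned by $user:$group:" >&2; echo "$bad" >&2
    return 1
  fi
  return 0
}

# Step 2: SHA-256 over the DER bytes of a single-certificate PEM file, the same
# value `openssl x509 -noout -fingerprint -sha256` prints (without colons).
# Only base64 and sha256sum are used so it runs on a minimal device image.
pem_sha256() {
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
    | sed '/^-----/d' | tr -d '\n\r' | base64 -d | sha256sum | cut -d' ' -f1
}

# Step 2: GetCACert is unauthenticated, so the downloaded CA certificate is
# compared with the fingerprint published by IoT Trust Manager. The expected
# value may be given in the colon-separated upper-case form openssl prints.
check_ca_fingerprint() {
  actual=$(pem_sha256 "$1")
  expected=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "CA fingerprint mismatch: got $actual, expected $expected" >&2
  return 1
}

preflight() {
  check_env && check_csr_conf "$CSR_CONF" \
    && check_ownership "$KEYSTORE" trustedge trustedge \
    && check_ca_fingerprint "$CA_CERT" \
         "${EXPECTED_CA_SHA256:?set to the CA fingerprint from IoT Trust Manager}" \
    && echo "pre-flight OK: ready for PKCSReq"
}

# Run as: EXPECTED_CA_SHA256=<fingerprint> sh scep_preflight.sh check
# (the functions can also be sourced from another script without running it)
if [ "${1:-}" = check ]; then
  preflight
fi
```

Run the script after the GetCACert download and before the cp commands in Step 2; a fingerprint mismatch means the cacert.pem on disk should not become the trust anchor for the enrollment that follows.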

Step 3: Enroll a software key

Run the following command to enroll a software key using SCEP.

sudo -u trustedge trustedge certificate scep --scepc-serverURL $SCEP_ENDPOINT --scepc-serverType GEN_POST --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 --key-alias myGen --scepc-challengePass $SCEP_PASS --scepc-pkiOperation PKCSReq

Command breakdown:

  • --scepc-serverURL $SCEP_ENDPOINT: Specifies the URL of the SCEP server endpoint where the CSR will be sent for processing.

  • --scepc-serverType GEN_POST: Defines the type of server interaction. In this case, GEN_POST indicates that the CSR will be generated and posted to the SCEP server.

  • --csr-conf sample_scep_csr.cnf: Points to the name of the CSR configuration file. This file must reside in the <path/to/keystore>/conf/ directory. The configuration file contains details about the CSR, including subject information and key usage.

  • --algorithm RSA: Specifies the algorithm used for key generation. In this case, RSA is selected.

  • --size 2048: Defines the size of the RSA key to be generated, which is set to 2048 bits.

  • --key-alias myGen: Provides a custom name for the file name stub used for storing keys and certificates. Files will be placed in the <path/to/keystore>/keys directory. The default stub is GenKey, but here it is overridden to myGen.

  • --scepc-challengePass $SCEP_PASS: Supplies the challenge password for the SCEP operation, used to authenticate the request.

  • --scepc-pkiOperation PKCSReq: Specifies the PKI operation type. PKCSReq is the SCEP enrollment operation, which submits a Public Key Cryptography Standards (PKCS) #10 certificate request to the CA.

(Optional) Renew a software key

Run the following command to renew a previously enrolled software key.

sudo -u trustedge trustedge certificate scep --scepc-serverURL $SCEP_ENDPOINT --scepc-serverType GEN_POST --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 --key-alias myGen --scepc-challengePass $SCEP_PASS --scepc-pkiOperation RenewalReq

Enroll a TAP key

To enroll a TAP hardware-based key:

sudo -u trustedge trustedge certificate scep --scepc-serverURL $SCEP_ENDPOINT --scepc-serverType GEN_POST --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 --key-alias myGenTap --scepc-challengePass $SCEP_PASS --scepc-pkiOperation PKCSReq --tap

Renew a TAP key

To renew a TAP hardware-based key:

sudo -u trustedge trustedge certificate scep --scepc-serverURL $SCEP_ENDPOINT --scepc-serverType GEN_POST --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 --key-alias myGenTap --scepc-challengePass $SCEP_PASS --scepc-pkiOperation RenewalReq --tap

Rekey a TAP key with another TAP key

To rekey a TAP key with another TAP key:

sudo -u trustedge trustedge certificate scep --scepc-serverURL $SCEP_ENDPOINT --scepc-serverType GEN_POST --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 --key-alias myGenTap --scepc-challengePass $SCEP_PASS --scepc-pkiOperation RekeyReq --tap

Enroll a password-protected TAP key

To enroll a password-protected TAP key:

sudo -u trustedge trustedge certificate scep --scepc-serverURL $SCEP_ENDPOINT --scepc-serverType GEN_POST --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 --key-alias myGenTapPw --scepc-challengePass $SCEP_PASS --scepc-pkiOperation PKCSReq --tap --protect

Renew a password-protected TAP key

To renew a password-protected TAP key:

sudo -u trustedge trustedge certificate scep --scepc-serverURL $SCEP_ENDPOINT --scepc-serverType GEN_POST --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 --key-alias myGenTapPw --scepc-challengePass $SCEP_PASS --scepc-pkiOperation RenewalReq --tap --protect --original-key-pw

Rekey a password-protected TAP key with another TAP key

To rekey a password-protected TAP key with another TAP key:

sudo -u trustedge trustedge certificate scep --scepc-serverURL $SCEP_ENDPOINT --scepc-serverType GEN_POST --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 --key-alias myGenTapPw --scepc-challengePass $SCEP_PASS --scepc-pkiOperation RekeyReq --tap --protect --original-key-pw
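
The commands from Step 3 onward differ only in the pkiOperation, the key alias, and the --tap, --protect and --original-key-pw flags. The helper below is an added example (not part of TrustEdge) that assembles the correct command line for any of those combinations and refuses the ones this page does not show. The flag names are those used on this page; two rules are inferred from the page's examples rather than taken from the tool's documentation: --protect is only used together with --tap, and --original-key-pw is only added for a renewal or rekey of a protected key. The endpoint and passcode are emitted as unexpanded variable references so the printed command never puts the passcode into a log or shell history.

```sh
#!/bin/sh
# scep_lifecycle.sh: added helper that builds the TrustEdge SCEP command for
# enroll (PKCSReq), renew (RenewalReq) and rekey (RekeyReq) of a software or
# TAP key, optionally password-protected. Example code, not part of TrustEdge.
# The --protect-requires---tap and --original-key-pw rules are inferred from
# the documented examples and are assumptions about the tool.

# scep_cmd OP ALIAS [yes|no tap] [yes|no protect]  -> prints the command line
scep_cmd() {
  op="$1"; key_alias="$2"; tap="${3:-no}"; protect="${4:-no}"

  case "$op" in
    PKCSReq|RenewalReq|RekeyReq) ;;
    *) echo "unknown pkiOperation '$op' (use PKCSReq, RenewalReq or RekeyReq)" >&2
       return 2 ;;
  esac

  # The alias becomes a file-name stub under <keystore>/keys, so keep it to a
  # safe character set and never let it carry a path separator.
  case "$key_alias" in
    ''|*[!A-Za-z0-9_-]*) echo "invalid key alias '$key_alias'" >&2; return 2 ;;
  esac

  if [ "$protect" = yes ] && [ "$tap" != yes ]; then
    echo "--protect is only documented together with --tap; refusing" >&2
    return 2
  fi

  # Endpoint and passcode stay as variable references in the printed command
  # so the passcode is expanded only when the command is actually executed.
  cmd="sudo -u trustedge trustedge certificate scep"
  cmd="$cmd --scepc-serverURL \"\$SCEP_ENDPOINT\" --scepc-serverType GEN_POST"
  cmd="$cmd --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048"
  cmd="$cmd --key-alias $key_alias --scepc-challengePass \"\$SCEP_PASS\""
  cmd="$cmd --scepc-pkiOperation $op"
  if [ "$tap" = yes ]; then cmd="$cmd --tap"; fi
  if [ "$protect" = yes ]; then cmd="$cmd --protect"; fi
  # Renewing or rekeying a protected key must unlock the key being replaced,
  # which is why the documented commands add --original-key-pw there only.
  if [ "$protect" = yes ] && [ "$op" != PKCSReq ]; then
    cmd="$cmd --original-key-pw"
  fi
  printf '%s\n' "$cmd"
}

# scep_run: build the command, show it (passcode still unexpanded), then run it.
scep_run() {
  cmd=$(scep_cmd "$@") || return $?
  echo "running: $cmd" >&2
  eval "$cmd"
}

# Usage: sh scep_lifecycle.sh OP ALIAS [yes|no tap] [yes|no protect]
# Prints the command; set SCEP_EXEC=1 to execute it as well.
if [ $# -gt 0 ]; then
  if [ "${SCEP_EXEC:-0}" = 1 ]; then scep_run "$@"; else scep_cmd "$@"; fi
fi
```

For example, `sh scep_lifecycle.sh RenewalReq myGenTapPw yes yes` prints the renewal command for a password-protected TAP key exactly as shown above, while `sh scep_lifecycle.sh PKCSReq myGen no yes` is rejected because a protected key without --tap is not a documented combination.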