SCEP enrollment workflow

Before you begin

Make sure you understand the following requirements before attempting SCEP enrollment operations.

  • TrustEdge must be installed on a supported device.

  • A SCEP endpoint and valid SCEP credentials are required to perform SCEP operations.

  • Your device must be able to connect to the SCEP endpoint.

Step 1: Set up the device

Before starting the SCEP enrollment process, you need to set up your device with the necessary files and environment variables.

  1. Set the SCEP_ENDPOINT variable. Replace <scep_endpoint_url> with the actual URL you obtained from IoT Trust Manager.

    export SCEP_ENDPOINT="<scep_endpoint_url>"
  2. Set the SCEP_PASS variable. Replace <scep_passcode> with the actual passcode you obtained from IoT Trust Manager.

    export SCEP_PASS="<scep_passcode>"
  3. Create a sample_scep_csr.cnf Certificate Signing Request (CSR) configuration file in the /etc/digicert/keystore/conf directory.

    touch /etc/digicert/keystore/conf/sample_scep_csr.cnf
  4. Add the following sample CSR content to the sample_scep_csr.cnf file.

    # Subject
    countryName=US
    commonName=test-iot-device-001-docs
    stateOrProvinceName=CA
    localityName=MV
    organizationName=DigiCert
    organizationalUnitName=Engineering
    commonName=qa-testing-rsa
    # Requested Extensions
    isCA=false
    # certPathLen=-1
    keyUsage=digitalSignature keyEncipherment
    ##subjectAltNames=numSANs; value1, type1; valueN, typeN
    ##subjectAltNames=2; *.mydomain.com, 2; *.mydomain.net, 2

Step 2: Download CA certificate

Before you can request a certificate using SCEP enrollment, you first need to download a copy of the Certificate Authority (CA) certificate. The CA certificate is used to create the PEM files moc_CA.pem, moc_CEP.pem, and moc_XCHG.pem, which are used for SCEP communications between your device and DigiCert® IoT Trust Manager.

  1. Download the CA certificate.

    trustedge certificate scep --scepc-serverURL ${SCEP_ENDPOINT} --scepc-serverType GEN_GET --scepc-challengePass ${SCEP_PASS} --scepc-pkiOperation GetCACert

    Notice

    The above command downloads the certificate file cacert.pem to the /etc/digicert/keystore/ca directory.

  2. Create the files moc_CA.pem, moc_CEP.pem, and moc_XCHG.pem in their respective keystore directories.

    cp /etc/digicert/keystore/ca/cacert.pem /etc/digicert/keystore/ca/moc_CA.pem && \
    cp /etc/digicert/keystore/ca/cacert.pem /etc/digicert/keystore/certs/moc_CEP.pem && \
    cp /etc/digicert/keystore/ca/cacert.pem /etc/digicert/keystore/certs/moc_XCHG.pem

Step 3: Enroll a software key

Run the following command to enroll a software key using SCEP.

trustedge certificate scep --scepc-serverURL ${SCEP_ENDPOINT} --scepc-serverType GEN_POST --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 --key-alias myGen --scepc-challengePass ${SCEP_PASS} --scepc-pkiOperation PKCSReq

Command breakdown:

  • --scepc-serverURL ${SCEP_ENDPOINT}: Specifies the URL of the SCEP server endpoint where the CSR will be sent for processing.

  • --scepc-serverType GEN_POST: Defines the type of server interaction. In this case, GEN_POST indicates that the CSR will be generated and posted to the SCEP server.

  • --csr-conf sample_scep_csr.cnf: Points to the name of the CSR configuration file. This file must reside in the <path/to/keystore>/conf/ directory. The configuration file contains details about the CSR, including subject information and key usage.

  • --algorithm RSA: Specifies the algorithm used for key generation. In this case, RSA is selected.

  • --size 2048: Defines the size of the RSA key to be generated, which is set to 2048 bits.

  • --key-alias myGen: Provides a custom name for the file name stub used for storing keys and certificates. Files will be placed in the <path/to/keystore>/keys directory. The default stub is GenKey, but here it is overridden to myGen.

  • --scepc-challengePass ${SCEP_PASS}: Supplies the challenge password for the SCEP operation, used to authenticate the request.

  • --scepc-pkiOperation PKCSReq: Specifies the PKI operation type. PKCSReq is the SCEP operation that submits a certificate request (a PKCS #10 CSR) to the server for signing.

(Optional) Renew a software key

Run the following command to renew a previously enrolled software key.

trustedge certificate scep --scepc-serverURL ${SCEP_ENDPOINT} --scepc-serverType GEN_POST --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 --key-alias myGen --scepc-challengePass ${SCEP_PASS} --scepc-pkiOperation RenewalReq
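The three steps above (and the optional renewal), combined into one script as an added example that is not part of DigiCert's documentation or of the TrustEdge tooling. It validates SCEP_ENDPOINT and SCEP_PASS before touching the keystore, writes the CSR configuration with a per-device common name, and checks the SHA-256 fingerprint of the downloaded cacert.pem against a value obtained out of band before copying it into moc_CA.pem, moc_CEP.pem and moc_XCHG.pem, because the GetCACert reply carries no signature the device can verify on its own. The helper names, the KEYSTORE, DEVICE_CN and CA_SHA256_EXPECTED variables, and the use of openssl for the fingerprint are assumptions; the trustedge commands are the ones on this page.

```shell
#!/bin/sh
# Added example: wraps the TrustEdge SCEP workflow from this page in a script that
# validates its inputs and the downloaded CA certificate before enrolling.
# Assumptions (not from the page): helper names, the KEYSTORE, DEVICE_CN and
# CA_SHA256_EXPECTED variables, and openssl on PATH for the fingerprint check.

KEYSTORE="${KEYSTORE:-/etc/digicert/keystore}"

# Refuse to start unless the endpoint is an http(s) URL and the passcode is set.
check_scep_env() {
  case "$1" in
    http://*|https://*) ;;
    *) echo "error: SCEP_ENDPOINT must be an http(s) URL, got '$1'" >&2; return 1 ;;
  esac
  [ -n "$2" ] || { echo "error: SCEP_PASS is empty" >&2; return 1; }
}

# Write the page's CSR configuration into <conf_dir>/sample_scep_csr.cnf with a
# per-device common name; prints the path written.
write_csr_conf() {
  mkdir -p "$1"
  cat > "$1/sample_scep_csr.cnf" <<EOF
# Subject
countryName=US
commonName=$2
stateOrProvinceName=CA
localityName=MV
organizationName=DigiCert
organizationalUnitName=Engineering
# Requested Extensions
isCA=false
keyUsage=digitalSignature keyEncipherment
EOF
  echo "$1/sample_scep_csr.cnf"
}

# SHA-256 fingerprint of a PEM certificate as lowercase hex without colons.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# The GetCACert reply is not signed, so compare the downloaded certificate with a
# fingerprint obtained out of band (colons and case are ignored). Fails on mismatch.
verify_ca_cert() {
  expected=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
  [ "$(cert_fingerprint "$1")" = "$expected" ]
}

# Copy the verified cacert.pem into the three files the page requires.
install_ca_files() {
  mkdir -p "$1/ca" "$1/certs"
  cp "$1/ca/cacert.pem" "$1/ca/moc_CA.pem" &&
  cp "$1/ca/cacert.pem" "$1/certs/moc_CEP.pem" &&
  cp "$1/ca/cacert.pem" "$1/certs/moc_XCHG.pem"
}

# Full workflow: $1 is PKCSReq (enroll, the default) or RenewalReq (renew).
main() {
  op="${1:-PKCSReq}"
  check_scep_env "${SCEP_ENDPOINT:-}" "${SCEP_PASS:-}" || exit 1
  [ -n "${CA_SHA256_EXPECTED:-}" ] || {
    echo "error: set CA_SHA256_EXPECTED to the CA fingerprint obtained out of band" >&2; exit 1; }
  write_csr_conf "$KEYSTORE/conf" "${DEVICE_CN:-test-iot-device-001-docs}" >/dev/null
  trustedge certificate scep --scepc-serverURL "$SCEP_ENDPOINT" --scepc-serverType GEN_GET \
    --scepc-challengePass "$SCEP_PASS" --scepc-pkiOperation GetCACert
  verify_ca_cert "$KEYSTORE/ca/cacert.pem" "$CA_SHA256_EXPECTED" \
    || { echo "error: CA certificate fingerprint mismatch, not enrolling" >&2; exit 1; }
  install_ca_files "$KEYSTORE"
  trustedge certificate scep --scepc-serverURL "$SCEP_ENDPOINT" --scepc-serverType GEN_POST \
    --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 --key-alias myGen \
    --scepc-challengePass "$SCEP_PASS" --scepc-pkiOperation "$op"
}

# The workflow only runs when invoked explicitly, e.g. ./scep_enroll.sh --run RenewalReq
if [ "${1:-}" = "--run" ]; then
  main "${2:-}"
fi
```

Run it once with `--run` for the initial enrollment and later with `--run RenewalReq` to renew; both paths stop before any trustedge call if the environment is incomplete, and the enrollment request is never sent against a CA certificate whose fingerprint did not match the expected value.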