SCEP enrollment workflow
Before you begin
Make sure you understand the following requirements before attempting SCEP enrollment operations.
TrustEdge must be installed on a supported device.
A SCEP endpoint and valid SCEP credentials are required to perform SCEP operations.
If using DigiCert® IoT Trust Manager, see Configure SCEP enrollment.
If using DigiCert® Device Trust Manager, make sure you have a certificate management policy with the SCEP certificate management method enabled.
Your device must be able to connect to the SCEP endpoint.
Step 1: Set up the device
Before starting the SCEP enrollment process, you need to set up your device with the necessary files and environment variables.
Set the SCEP_ENDPOINT variable. Replace <scep_endpoint_url> with the actual URL you obtained from IoT Trust Manager.
    export SCEP_ENDPOINT="<scep_endpoint_url>"
Set the SCEP_PASS variable. Replace <scep_passcode> with the actual passcode you obtained from IoT Trust Manager.
    export SCEP_PASS="<scep_passcode>"
Create a sample_scep_csr.cnf Certificate Signing Request (CSR) configuration file in the /etc/digicert/keystore/conf directory.
    touch /etc/digicert/keystore/conf/sample_scep_csr.cnf
Add the following sample CSR content to the sample_scep_csr.cnf file.
    # Subject
    countryName=US
    commonName=test-iot-device-001-docs
    stateOrProvinceName=CA
    localityName=MV
    organizationName=DigiCert
    organizationalUnitName=Engineering
    commonName=qa-testing-rsa
    # Requested Extensions
    isCA=false
    # certPathLen=-1
    keyUsage=digitalSignature keyEncipherment
    ##subjectAltNames=numSANs; value1, type1; valueN, typeN
    ##subjectAltNames=2; *.mydomain.com, 2; *.mydomain.net, 2
Step 2: Download CA certificate
Before you can request a certificate using SCEP enrollment, you first need to download a copy of the Certificate Authority (CA) certificate. The CA certificate is used to create the PEM files moc_CA.pem, moc_CEP.pem, and moc_XCHG.pem, which are used for SCEP communications between your device and DigiCert® IoT Trust Manager.
Download the CA certificate.
    trustedge certificate scep --scepc-serverURL ${SCEP_ENDPOINT} --scepc-serverType GEN_GET --scepc-challengePass ${SCEP_PASS} --scepc-pkiOperation GetCACert
Notice: The above command downloads the certificate file cacert.pem to the /etc/digicert/keystore/ca directory.
Create the files moc_CA.pem, moc_CEP.pem, and moc_XCHG.pem in their respective keystore directories.
    cp /etc/digicert/keystore/ca/cacert.pem /etc/digicert/keystore/ca/moc_CA.pem && \
    cp /etc/digicert/keystore/ca/cacert.pem /etc/digicert/keystore/certs/moc_CEP.pem && \
    cp /etc/digicert/keystore/ca/cacert.pem /etc/digicert/keystore/certs/moc_XCHG.pem
Step 3: Enroll a software key
Run the following command to enroll a software key using SCEP.
    trustedge certificate scep --scepc-serverURL ${SCEP_ENDPOINT} --scepc-serverType GEN_POST --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 --key-alias myGen --scepc-challengePass ${SCEP_PASS} --scepc-pkiOperation PKCSReq
Command breakdown:
--scepc-serverURL $SCEP_ENDPOINT: Specifies the URL of the SCEP server endpoint where the CSR will be sent for processing.
--scepc-serverType GEN_POST: Defines the type of server interaction. In this case, GEN_POST indicates that the CSR will be generated and posted to the SCEP server.
--csr-conf sample_scep_csr.cnf: Points to the name of the CSR configuration file. This file must reside in the <path/to/keystore>/conf/ directory. The configuration file contains details about the CSR, including subject information and key usage.
--algorithm RSA: Specifies the algorithm used for key generation. In this case, RSA is selected.
--size 2048: Defines the size of the RSA key to be generated, which is set to 2048 bits.
--key-alias myGen: Provides a custom name for the file name stub used for storing keys and certificates. Files will be placed in the <path/to/keystore>/keys directory. The default stub is GenKey, but here it is overridden to myGen.
--scepc-challengePass $SCEP_PASS: Supplies the challenge password for the SCEP operation, used to authenticate the request.
--scepc-pkiOperation PKCSReq: Specifies the PKI operation type. PKCSReq indicates that the command is submitting a certificate enrollment request in PKCS #10 (Public Key Cryptography Standards) format.
(Optional) Renew a software key
Run the following command to renew a previously enrolled software key.
    trustedge certificate scep --scepc-serverURL ${SCEP_ENDPOINT} --scepc-serverType GEN_POST --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 --key-alias myGen --scepc-challengePass ${SCEP_PASS} --scepc-pkiOperation RenewalReq
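As an added example that is not part of this page or of TrustEdge itself, the following POSIX shell wrapper runs Steps 1 through 3 in page order and adds the checks a practitioner would want around each trustedge call: it refuses to start with an empty SCEP_ENDPOINT or SCEP_PASS, lints the CSR configuration file (required keys present, keys set more than once reported), refuses to stage a cacert.pem that is not a PEM certificate, verifies the three moc_*.pem copies byte-for-byte, and builds the GetCACert, PKCSReq and RenewalReq command lines from one function so the only differences between them are explicit. The keystore layout (conf/, ca/, certs/) and the /etc/digicert/keystore default come from this page; the function names, the KEYSTORE override and the --run flag are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not TrustEdge's own tooling: a POSIX sh wrapper around the
# SCEP enrollment steps on this page. Keystore layout and default path are
# taken from the page; function names and the --run flag are assumptions.
set -eu

KEYSTORE="${KEYSTORE:-/etc/digicert/keystore}"

# Fail early if a required variable such as SCEP_ENDPOINT or SCEP_PASS is unset or empty.
require_env() {
    eval "val=\${$1:-}"
    if [ -z "$val" ]; then
        echo "error: $1 is not set" >&2
        return 1
    fi
}

# Print the keys set in a CSR configuration file, one per line, ignoring
# comments (so the '##subjectAltNames' examples are not counted as keys).
csr_conf_keys() {
    sed -e 's/#.*//' -e 's/=.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1"
}

# Print the keys that appear more than once in the file.
csr_conf_duplicate_keys() {
    csr_conf_keys "$1" | sort | uniq -d
}

# Sanity-check the CSR configuration before handing it to trustedge: the file
# must exist and set commonName and keyUsage; repeated keys are reported so
# the subject that ends up in the CSR is the one intended.
check_csr_conf() {
    conf="$1"
    [ -f "$conf" ] || { echo "error: $conf not found" >&2; return 1; }
    for required in commonName keyUsage; do
        csr_conf_keys "$conf" | grep -qx "$required" \
            || { echo "error: $conf does not set $required" >&2; return 1; }
    done
    dups=$(csr_conf_duplicate_keys "$conf")
    [ -z "$dups" ] || echo "warning: set more than once in $conf: $(echo "$dups" | tr '\n' ' ')" >&2
}

# Build the trustedge command for one SCEP pkiOperation. GetCACert uses
# GEN_GET and needs no CSR; PKCSReq and RenewalReq use GEN_POST with the same
# CSR and key options. Variables are left unexpanded so a printed command
# never contains the challenge password.
scep_cmd() {
    op="$1"
    key_alias="${2:-myGen}"
    conf="${3:-sample_scep_csr.cnf}"
    base="trustedge certificate scep --scepc-serverURL \"\${SCEP_ENDPOINT}\""
    case "$op" in
        GetCACert)
            printf '%s\n' "$base --scepc-serverType GEN_GET --scepc-challengePass \"\${SCEP_PASS}\" --scepc-pkiOperation GetCACert" ;;
        PKCSReq|RenewalReq)
            printf '%s\n' "$base --scepc-serverType GEN_POST --csr-conf $conf --algorithm RSA --size 2048 --key-alias $key_alias --scepc-challengePass \"\${SCEP_PASS}\" --scepc-pkiOperation $op" ;;
        *)
            echo "error: unsupported pkiOperation '$op'" >&2
            return 1 ;;
    esac
}

# After GetCACert: refuse to stage anything that is not a PEM certificate, then
# create the moc_CA.pem, moc_CEP.pem and moc_XCHG.pem copies the page describes
# and confirm each copy byte-for-byte.
stage_ca_files() {
    ks="${1:-$KEYSTORE}"
    ca="$ks/ca/cacert.pem"
    [ -s "$ca" ] || { echo "error: $ca is missing or empty" >&2; return 1; }
    grep -q '^-----BEGIN CERTIFICATE-----$' "$ca" \
        || { echo "error: $ca is not a PEM certificate" >&2; return 1; }
    mkdir -p "$ks/certs"
    for target in ca/moc_CA.pem certs/moc_CEP.pem certs/moc_XCHG.pem; do
        cp "$ca" "$ks/$target"
        cmp -s "$ca" "$ks/$target" || { echo "error: $ks/$target differs from $ca" >&2; return 1; }
    done
    echo "staged moc_CA.pem, moc_CEP.pem and moc_XCHG.pem under $ks"
}

# Whole workflow in page order: variables, CSR conf, CA download, staging, enrollment.
main() {
    require_env SCEP_ENDPOINT
    require_env SCEP_PASS
    check_csr_conf "$KEYSTORE/conf/sample_scep_csr.cnf"
    eval "$(scep_cmd GetCACert)"
    stage_ca_files "$KEYSTORE"
    eval "$(scep_cmd PKCSReq myGen sample_scep_csr.cnf)"
}

# Only run when invoked as 'sh scep_enroll.sh --run'; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it with `sh scep_enroll.sh --run` after exporting SCEP_ENDPOINT and SCEP_PASS; for the optional renewal, `eval "$(scep_cmd RenewalReq myGen)"` reuses the same alias and CSR configuration. One check the wrapper deliberately does not make: the SCEP GetCACert response is not signed, so the authenticity of cacert.pem rests on comparing its fingerprint (`openssl x509 -in /etc/digicert/keystore/ca/cacert.pem -noout -fingerprint -sha256`) against a value obtained out of band before the moc_*.pem copies are staged and used for the PKCSReq.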