SCEP enrollment workflow
Before you begin
Make sure you understand the following:
TrustEdge must be installed on a supported device.
A SCEP endpoint and valid SCEP credentials are required to perform SCEP operations.
If using DigiCert® IoT Trust Manager, see Configure SCEP enrollment.
If using DigiCert® Device Trust Manager, make sure you have a certificate management policy with the SCEP certificate management method enabled.
Your device must be able to connect to the SCEP endpoint.
Step 1: Set up the device
Before starting the SCEP enrollment process, you need to set up your device with the necessary files and environment variables.
Set the SCEP_ENDPOINT variable. Replace <scep_endpoint_url> with the actual URL you obtained from IoT Trust Manager.
export SCEP_ENDPOINT="<scep_endpoint_url>"
Set the SCEP_PASS variable. Replace <scep_passcode> with the actual passcode you obtained from IoT Trust Manager.
export SCEP_PASS="<scep_passcode>"
Create a sample_scep_csr.cnf Certificate Signing Request (CSR) configuration file in the /etc/digicert/keystore/conf directory.
touch /etc/digicert/keystore/conf/sample_scep_csr.cnf
Add the following sample CSR content to the sample_scep_csr.cnf file.
# Subject
countryName=US
commonName=test-iot-device-001-docs
stateOrProvinceName=CA
localityName=MV
organizationName=DigiCert
organizationalUnitName=Engineering
# Requested Extensions
isCA=false
# certPathLen=-1
keyUsage=digitalSignature keyEncipherment
##subjectAltNames=numSANs; value1, type1; valueN, typeN
##subjectAltNames=2; *.mydomain.com, 2; *.mydomain.net, 2
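As an added example (not part of the TrustEdge documentation or product), a small Python checker for this configuration format that can be run before the file is handed to trustedge. It assumes that lines starting with '#' or '##' are comments and that subjectAltNames uses the syntax shown in the commented template ("numSANs; value1, type1; ...; valueN, typeN"); the sample it parses is constructed from the file above with the SAN line enabled.

```python
# Added example (not TrustEdge's own code): parse and sanity-check a CSR config in the
# sample_scep_csr.cnf format before handing it to `trustedge certificate scep`.
# Assumed: '#'/'##' lines are comments; SAN syntax is "numSANs; value1, type1; ...".
SUBJECT_KEYS = {"countryName", "commonName", "stateOrProvinceName",
                "localityName", "organizationName", "organizationalUnitName"}
# Constructed sample mirroring the page's file, with the SAN line enabled.
SAMPLE_CNF = """\
# Subject
countryName=US
commonName=test-iot-device-001-docs
isCA=false
keyUsage=digitalSignature keyEncipherment
subjectAltNames=2; *.mydomain.com, 2; *.mydomain.net, 2
"""

def parse_sans(value, lineno):
    # "2; *.a.com, 2; *.b.net, 2" -> [("*.a.com", 2), ("*.b.net", 2)]; count must match
    parts = [p.strip() for p in value.split(";")]
    entries = []
    for part in parts[1:]:
        name, _, typ = (s.strip() for s in part.rpartition(","))
        if not name or not typ.isdigit():
            raise ValueError(f"line {lineno}: bad SAN entry {part!r}, want 'value, type'")
        entries.append((name, int(typ)))
    if not parts[0].isdigit() or int(parts[0]) != len(entries):
        raise ValueError(f"line {lineno}: SAN count {parts[0]!r} != {len(entries)} entries")
    return entries

def parse_csr_conf(text):
    """Return (subject, extensions, sans); raise ValueError on a malformed file."""
    subject, ext, sans = {}, {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (s.strip() for s in line.split("=", 1))  # ValueError if no '='
        if key in SUBJECT_KEYS:
            subject[key] = value
        elif key == "subjectAltNames":
            sans = parse_sans(value, lineno)
        elif key == "keyUsage":
            ext[key] = value.split()  # space-separated usages, as in the sample
        elif key == "isCA":
            ext[key] = value == "true"
        else:
            ext[key] = value
    if not subject.get("commonName"):
        raise ValueError("commonName is required for a device certificate")
    return subject, ext, sans
```

A mismatch between the declared SAN count and the entries, or a missing commonName, is reported with the offending line number before any SCEP request is sent.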
Step 2: Download CA certificate
Before you can request a certificate using SCEP enrollment, you first need to download a copy of the Certificate Authority (CA) certificate. The CA certificate is used to create the PEM files moc_CA.pem, moc_CEP.pem, and moc_XCHG.pem, which are used for SCEP communications between your device and DigiCert® IoT Trust Manager.
Download the CA certificate.
trustedge certificate scep --scepc-serverURL ${SCEP_ENDPOINT} --scepc-serverType GEN_GET --scepc-challengePass ${SCEP_PASS} --scepc-pkiOperation GetCACert
Notice: The above command downloads the certificate file cacert.pem to the /etc/digicert/keystore/ca directory.
Create the files moc_CA.pem, moc_CEP.pem, and moc_XCHG.pem in their respective keystore directories.
cp /etc/digicert/keystore/ca/cacert.pem /etc/digicert/keystore/ca/moc_CA.pem && \
cp /etc/digicert/keystore/ca/cacert.pem /etc/digicert/keystore/certs/moc_CEP.pem && \
cp /etc/digicert/keystore/ca/cacert.pem /etc/digicert/keystore/certs/moc_XCHG.pem
Step 3: Enroll a software key
Run the following command to enroll a software key using SCEP.
trustedge certificate scep --scepc-serverURL ${SCEP_ENDPOINT} --scepc-serverType GEN_POST --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 --key-alias myGen --scepc-challengePass ${SCEP_PASS} --scepc-pkiOperation PKCSReq
Command breakdown:
--scepc-serverURL $SCEP_ENDPOINT: Specifies the URL of the SCEP server endpoint where the CSR will be sent for processing.
--scepc-serverType GEN_POST: Defines the type of server interaction. In this case, GEN_POST indicates that the CSR will be generated and posted to the SCEP server.
--csr-conf sample_scep_csr.cnf: Points to the name of the CSR configuration file. This file must reside in the <path/to/keystore>/conf/ directory. The configuration file contains details about the CSR, including subject information and key usage.
--algorithm RSA: Specifies the algorithm used for key generation. In this case, RSA is selected.
--size 2048: Defines the size of the RSA key to be generated, which is set to 2048 bits.
--key-alias myGen: Provides a custom name for the file name stub used for storing keys and certificates. Files will be placed in the <path/to/keystore>/keys directory. The default stub is GenKey, but here it is overridden to myGen.
--scepc-challengePass $SCEP_PASS: Supplies the challenge password for the SCEP operation, used to authenticate the request.
--scepc-pkiOperation PKCSReq: Specifies the PKI operation type. PKCSReq indicates that the command is making a request for a Public Key Cryptography Standards (PKCS) certificate.
(Optional) Renew a software key
Run the following command to renew a previously enrolled software key.
trustedge certificate scep --scepc-serverURL ${SCEP_ENDPOINT} --scepc-serverType GEN_POST --csr-conf sample_scep_csr.cnf --algorithm RSA --size 2048 --key-alias myGen --scepc-challengePass ${SCEP_PASS} --scepc-pkiOperation RenewalReq