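# NOTE(review): the copy of this file this was recovered from began with an
# unresolved merge-conflict marker ("<<<<<<< .mine") followed by two copies of
# the setup header below, differing only in the name of the server-writable
# directory ("cert" vs. "issued_certs"). httpd refuses to start on a conflict
# marker, and neither directory name matched the CADisk*Path directives
# further down, which point at ".../pki/certs/". The header is kept once
# here, using "certs" so that the setup steps agree with the directives that
# actually run. Resolve the conflict in version control rather than
# re-introducing both copies.
#
# A basic configuration for SCEP issuing.
#
# 0. Set up some directories. The directory that receives issued certificates
#    (certs) must be writable by the user httpd runs as. The ca/ and ra/ key
#    directories must NOT be writable by that user, and the key files should
#    be readable only by it (e.g. root-owned, group www, mode 0640): "-nodes"
#    below writes both private keys to disk unencrypted.
#
#    mkdir ca ra certs
#    chown www:www certs
#
# 1. Generate a CA with an issuing RA.
#
#    Caveats for the commands as written: without "-days" openssl gives both
#    certificates its 30-day default validity, and "openssl x509 -req" needs
#    "-CAcreateserial" the first time it signs with this CA (otherwise it
#    fails looking for ca/ca-cert.srl). The RA certificate gets only the
#    keyUsage from config.cnf; no basicConstraints is added to it.
#
#    openssl req -new -x509 -subj /CN=ca-test-scep -out ca/ca-cert.pem -keyout ca/ca-key.pem -nodes
#
#    echo "[ra]" > config.cnf
#    echo "keyUsage=digitalSignature,keyEncipherment" >> config.cnf
#
#    openssl req -new -subj /CN=ra-test-scep -keyout ra/ra-key.pem -nodes |\
#      openssl x509 -req \
#        -CAkey ca/ca-key.pem -CA ca/ca-cert.pem \
#        -out ra/ra-cert.pem \
#        -extfile config.cnf -extensions ra
#
# 2. Load the right modules into httpd.conf.
#
LoadModule ca_module        libexec/apache24/mod_ca.so
LoadModule scep_module      libexec/apache24/mod_scep.so
LoadModule ca_simple_module libexec/apache24/mod_ca_simple.so
LoadModule ca_disk_module   libexec/apache24/mod_ca_disk.so

# 3. Configure a URL (in this case /scep).
#
# The <Location> container was missing from the listing this was recovered
# from (most likely stripped as markup). SetHandler outside a container would
# hand every URL on the server to the SCEP handler, so the container is
# restored here.
#
# Access control: as written, anyone who can reach /scep can obtain a
# certificate for any commonName they put in the request -- the original
# comment said so explicitly ("anyone can ask for anything"). That is
# acceptable for a throw-away lab CA and nothing else. Before exposing this
# endpoint, at minimum restrict who may reach it with an httpd 2.4
# authorization rule in place of "Require all granted", e.g.
#
#     Require ip 10.0.0.0/8
#
# and, if the deployed mod_scep supports it, require a SCEP challenge
# password so a requester must prove it is authorized to enrol (not shown
# here; check the module's own directive list before relying on it).
#
<Location /scep>
    SetHandler scep
    # Explicit statement of the original, unrestricted policy. Replace this
    # with a real restriction before going live (see above).
    Require all granted

    # RA identity used to handle the SCEP PKCS#7 messages.
    ScepRACertificate /opt/local/etc/pki/ra/ra-cert.pem
    ScepRAKey         /opt/local/etc/pki/ra/ra-key.pem

    # Subject attributes the requester may supply in its own request.
    # Nothing here verifies that the requester is entitled to the
    # commonName it asks for.
    ScepSubjectRequest O
    ScepSubjectRequest countryName
    ScepSubjectRequest stateOrProvinceName
    ScepSubjectRequest commonName

    # Subject attributes forced by the server.
    ScepSubjectSet OU "Test Certificate"

    # Issuing CA. NOTE(review): this loads the CA's private key into the
    # web-server process, so a compromise of httpd is a compromise of the
    # CA. For anything beyond a test setup keep the CA key off the web
    # server and let only the RA key live here.
    CASimpleCertificate /opt/local/etc/pki/ca/ca-cert.pem
    CASimpleKey         /opt/local/etc/pki/ca/ca-key.pem
    # Presumably randomises issued serial numbers -- confirm in the module
    # documentation; if so, keep it on (predictable serials are a known
    # weakness).
    CASimpleSerialRandom on
    CASimpleTime on

    # Where issued certificates are stored (the directory created in step 0).
    # Both lookups point at the same directory here.
    CADiskCertificateSignRequestPath   /opt/local/etc/pki/certs/
    CADiskCertificateByTransactionPath /opt/local/etc/pki/certs/
</Location>

# 4. A more elaborate setup that limits/constrains things a bit more. Append
#    these lines to the <Location /scep> block above (or swap them in for the
#    overlapping ScepSubject* lines). They are commented out here so that this
#    file loads with only the basic policy active.
#
#    # Debug logging prints request details to the error log; do not leave it
#    # on in production.
#    LogLevel Debug
#
#    ScepSubjectRequest O
#    ScepSubjectRequest countryName
#    ScepSubjectRequest stateOrProvinceName
#    ScepSubjectRequest commonName
#    ScepSubjectSet OU "Test Certificate"
#    ScepSubjectSet O  "My company"
#    ScepSubjectSet L  "Town"
#    # countryName is meant to be a two-letter ISO 3166 code; "EU" is a
#    # reserved code, not a country. Use a real code if any relying party
#    # validates it.
#    ScepSubjectSet C  "EU"
#
#    # Allow up to 20 of any type.
#    # NOTE(review): these two lines appear to loosen the policy rather than
#    # tighten it: the requester may place any subject attribute and, more
#    # importantly, any subjectAltName (DNS name, e-mail address, ...) in the
#    # request, and the resulting certificate carries clientAuth and
#    # emailProtection EKUs. If you use this, allow only the SAN types you
#    # actually need and validate their values.
#    ScepSubjectAltNameRequest * 20
#    ScepSubjectRequest * 20
#
#    CASimpleExtension basicConstraints CA:FALSE
#    CASimpleExtension keyUsage critical,nonRepudiation,digitalSignature,keyEncipherment
#    # extendedKeyUsage, by OID, in the order given on the directive:
#    #   1.3.6.1.5.5.7.3.21 secureShellClient - id-kp-secureShellClient (key may be used by a Secure Shell client)
#    #   1.3.6.1.5.5.7.3.7  ipsecUser         - IPSEC user certificate
#    #   1.3.6.1.5.5.7.3.4  emailProtection   - protecting e-mail (signing, encryption, key agreement)
#    #   1.3.6.1.5.5.7.3.2  clientAuth        - TLS (SSL) client certificate
#    CASimpleExtension extendedKeyUsage OID:1.3.6.1.5.5.7.3.21,OID:1.3.6.1.5.5.7.3.7,OID:1.3.6.1.5.5.7.3.4,OID:1.3.6.1.5.5.7.3.2
#    CASimpleExtension subjectKeyIdentifier hash
#    CASimpleExtension authorityKeyIdentifier keyid,issuer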