Simple Certificate Enrollment Protocol Demo/Interop

Interoperate with the Redwax Simple Certificate Enrollment Protocol module.

We have implemented a SCEP endpoint that allows you to test your client implementation against a Redwax Server.

The code being run is the latest build from trunk/main in source control, built and deployed automatically. The Redwax Interop server is for testing purposes only.

Simple Certificate Enrollment Protocol (SCEP) Demo/Interop Server

When testing your SCEP client implementation, use the following details.

Summary

SCEP Server URL:      https://interop.redwax.eu/test/simple/scep
SCEP Alternative URL: http://interop.redwax.eu/test/simple/scep
Time Source:          System Clock
Serial Numbers:       Random

Redwax Module Configuration

The following configuration implements this SCEP server. It is added to a standard TLS-enabled Apache virtual host configuration, which is described elsewhere in the Redwax documentation.

Configuration

Here we load the modules, set the SCEP handler, and configure the CA certificate and key used to sign issued certificates. The CASimple directives also fix the certificate profile: a one-day validity (CASimpleDays), random serial numbers (CASimpleSerialRandom), and a fixed set of extensions, namely an end-entity certificate (basicConstraints CA:FALSE) with a critical keyUsage and the TLS client authentication extended key usage (OID 1.3.6.1.5.5.7.3.2). Clients therefore cannot obtain a CA certificate or other key usages from this server.

We also set an RA certificate and key. The RA certificate is signed by our CA certificate; SCEP clients encrypt their enrolment requests to it, and the server signs its SCEP responses with its key. The Require, SetHandler and Scep* directives apply to the location that serves the SCEP URL (/test/simple/scep); ScepSubjectRequest and ScepSubjectAltNameRequest name the subject components (O, CN, C) and the subjectAltName type (rfc822Name) taken from the client's request.

  LoadModule ca_module /usr/lib64/httpd/modules/mod_ca.so
  LoadModule ca_simple_module /usr/lib64/httpd/modules/mod_ca_simple.so
  LoadModule scep_module /usr/lib64/httpd/modules/mod_scep.so

  CASimpleCertificate /etc/pki/interop/ca-cert.pem
  CASimpleKey /etc/pki/interop/private/ca-key.pem
  CASimpleDays 1
  CASimpleTime on
  CASimpleAlgorithm RSA rsa_keygen_bits=4096
  CASimpleSerialRandom on

  CASimpleExtension basicConstraints CA:FALSE
  CASimpleExtension keyUsage critical,nonRepudiation,digitalSignature,keyEncipherment
  CASimpleExtension extendedKeyUsage OID:1.3.6.1.5.5.7.3.2
  CASimpleExtension subjectKeyIdentifier hash
  CASimpleExtension authorityKeyIdentifier keyid,issuer

  Require all granted
  SetHandler scep
  ScepRACertificate /etc/pki/interop/scep-ra.cert
  ScepRAKey /etc/pki/interop/private/scep-ra.key
  ScepSubjectRequest O
  ScepSubjectRequest CN
  ScepSubjectRequest C
  ScepSubjectAltNameRequest rfc822Name

SCEP with Apple MacOS and iOS

Apple's macOS and iOS support SCEP through a mobileconfig profile, such as one generated by Apple Configurator.

Mobileconfig

A mobileconfig profile is an XML property list that contains a set of configurations for a macOS or iOS device.

Download the mobileconfig file or copy the profile below. Open the file on macOS, or from e-mail on iOS or macOS, and the built-in SCEP client will request a test certificate from the Redwax SCEP server. The Challenge value is the SCEP challenge password sent to the server, and the Subject and SubjectAltName values are what the server is asked to place in the certificate, within the limits of its ScepSubjectRequest settings. Note that this profile carries no CAFingerprint, so the device accepts whichever CA certificate the server returns to GetCACert; only the HTTPS URL protects that exchange.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>PayloadContent</key>
    <array>
      <dict>
        <key>PayloadContent</key>
        <dict>
          <key>Challenge</key>
          <string>challenge-password</string>
          <key>Key Type</key>
          <string>RSA</string>
          <key>Key Usage</key>
          <integer>5</integer>
          <key>Keysize</key>
          <integer>2048</integer>
          <key>Name</key>
          <string>Redwax-Interop-Demo</string>
          <key>Retries</key>
          <integer>3</integer>
          <key>RetryDelay</key>
          <integer>10</integer>
          <key>Subject</key>
          <array>
            <array>
              <array>
                <string>CN</string>
                <string>test-certificate</string>
              </array>
            </array>
          </array>
          <key>SubjectAltName</key>
          <dict>
            <key>rfc822Name</key>
            <string>test@example.com</string>
          </dict>
          <key>URL</key>
          <string>https://interop.redwax.eu/test/simple/scep</string>
        </dict>
        <key>PayloadDescription</key>
        <string>Configures SCEP settings</string>
        <key>PayloadDisplayName</key>
        <string>SCEP</string>
        <key>PayloadIdentifier</key>
        <string>com.apple.security.scep.C32A1326-E5B4-40DA-B8F5-988CABF3A9F4</string>
        <key>PayloadType</key>
        <string>com.apple.security.scep</string>
        <key>PayloadUUID</key>
        <string>C32A1326-E5B4-40DA-B8F5-988CABF3A9F4</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
      </dict>
    </array>
    <key>PayloadDescription</key>
    <string>This profile installs a testing certificate using the SCEP protocol.</string>
    <key>PayloadDisplayName</key>
    <string>Redwax Interop/Demo</string>
    <key>PayloadIdentifier</key>
    <string>Redwax.2BE8586E-E6A6-42A9-BD1D-4C3453CF5B44</string>
    <key>PayloadOrganization</key>
    <string>Redwax Project</string>
    <key>PayloadRemovalDisallowed</key>
    <false/> <!-- boolean not recoverable from the page text; false, Apple's default, leaves the test profile removable -->
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>3F2757AB-BE32-45BC-9874-4173C185778D</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
  </dict>
</plist>
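Hand-editing the nested arrays in a profile like the one above is where most broken SCEP payloads come from. The following Python script, added here as an example and not part of the Redwax project or of Apple's tooling, builds the same kind of profile with the standard-library plistlib so that every value gets the plist type Apple expects: integers for Keysize, Key Usage, Retries and RetryDelay, the array-of-arrays-of-pairs form for Subject, and a data element for the optional CAFingerprint, which pins the CA certificate the device will accept from GetCACert. The challenge, subject and e-mail values are placeholders; the fingerprint passed in the usage section is the interop CA fingerprint reported by RouterOS later on this page, used only as sample input, and which digest algorithm Apple accepts for CAFingerprint should be confirmed against Apple's configuration profile reference before relying on it.

```python
"""Generate an Apple SCEP enrollment profile (.mobileconfig) with plistlib.

Added example, not Redwax or Apple code. plistlib writes each value with the
plist type Apple expects, which hand-edited profiles often get wrong.
Assumed inputs: challenge, subject and e-mail are placeholders, and the
CAFingerprint pin is a digest of the CA certificate obtained out of band.
"""
import plistlib
import uuid

SCEP_URL = "https://interop.redwax.eu/test/simple/scep"


def scep_payload(url, challenge, subject, rfc822_name, ca_fingerprint_hex=None):
    """Build the inner com.apple.security.scep payload.

    subject is a list of (type, value) pairs such as [("CN", "test-certificate")].
    Apple encodes a subject as an array of RDNs, each RDN an array of
    [type, value] pairs, hence the array-of-arrays-of-arrays below.
    """
    content = {
        "URL": url,
        "Name": "Redwax-Interop-Demo",
        "Challenge": challenge,
        "Key Type": "RSA",
        "Keysize": 2048,
        "Key Usage": 5,  # 1 = digital signature + 4 = key encipherment
        "Retries": 3,
        "RetryDelay": 10,
        "Subject": [[[rdn_type, value]] for rdn_type, value in subject],
        "SubjectAltName": {"rfc822Name": rfc822_name},
    }
    if ca_fingerprint_hex:
        # Pin the CA: the device compares the certificate returned by GetCACert
        # against this digest. plistlib writes bytes as a <data> element.
        content["CAFingerprint"] = bytes.fromhex(ca_fingerprint_hex)
    payload_uuid = str(uuid.uuid4()).upper()
    return {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.apple.security.scep." + payload_uuid,
        "PayloadUUID": payload_uuid,
        "PayloadDisplayName": "SCEP",
        "PayloadDescription": "Configures SCEP settings",
        "PayloadContent": content,
    }


def build_profile(payloads, organization="Redwax Project", removable=True):
    """Wrap payloads in a top-level Configuration profile; returns XML bytes."""
    profile_uuid = str(uuid.uuid4()).upper()
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "Redwax." + profile_uuid,
        "PayloadUUID": profile_uuid,
        "PayloadDisplayName": "Redwax Interop/Demo",
        "PayloadDescription": "This profile installs a testing certificate using the SCEP protocol.",
        "PayloadOrganization": organization,
        "PayloadRemovalDisallowed": not removable,
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def inspect_profile(profile_bytes):
    """Parse a generated profile back and return the SCEP fields worth checking."""
    plist = plistlib.loads(profile_bytes)
    scep = [p for p in plist["PayloadContent"]
            if p["PayloadType"] == "com.apple.security.scep"]
    content = scep[0]["PayloadContent"] if scep else {}
    return {
        "removal_disallowed": plist["PayloadRemovalDisallowed"],
        "url": content.get("URL"),
        "subject": content.get("Subject"),
        "keysize": content.get("Keysize"),
        "ca_fingerprint": content.get("CAFingerprint"),
    }


if __name__ == "__main__":
    # Sample input: the CA fingerprint is the one RouterOS reports for the
    # interop CA later on this page, used here only as example data.
    payload = scep_payload(
        SCEP_URL, "challenge-password",
        [("CN", "test-certificate"), ("O", "Redwax Project")],
        "test@example.com",
        ca_fingerprint_hex="593685a2b4223e2634a74bc86125808e12c0680283ad6c67b44a6e3305c6230d",
    )
    print(build_profile([payload]).decode())
```

Running the script prints the profile XML; save it with a .mobileconfig extension to install it. inspect_profile reads a generated (or downloaded) profile back and is the place to assert that the URL is the HTTPS one and that a pin is present before the profile is handed to devices.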
                

Profile

Once installed, the profile will look similar to the following.

Screenshot of profile

Certificate

The resulting certificate in the Keychain will look similar to the following.

Screenshot of certificate

SCEP with Mikrotik RouterOS

Mikrotik's Routerboard and RouterOS support a SCEP client, and can request certificates from a Redwax Server.

Command Line

Add a certificate template, followed by a SCEP definition, as follows.

/certificate
[admin@router] /certificate> add common-name=test-cn name=test-name
[admin@router] /certificate> add-scep template=test-name scep-url=http://interop.redwax.eu/test/simple/scep

Confirm that the certificate was requested and issued correctly. In particular, check that the ca-fingerprint of the issued certificate matches the fingerprint of the test-name_CA entry, and compare that fingerprint with the CA certificate obtained out of band: the SCEP GetCACert response that supplied the CA certificate is not signed, and the URL used here is plain HTTP, so nothing else vouches for it.

[admin@router] /certificate> print detail
Flags: K - private-key, L - crl, C - smart-card-key, A - authority,
I - issued, R - revoked, E - expired, T - trusted
 0 K     T name="test-name"
           issuer=CN=Redwax Interop Testing Root Certificate Authority 2040,O=Redwax Project
           digest-algorithm=sha256 key-type=rsa common-name="test-cn" key-size=2048
           subject-alt-name="" days-valid=2 trusted=yes
           key-usage=digital-signature,content-commitment,key-encipherment,tls-client
           scep-url="http://interop.redwax.eu/test/simple/scep"
           serial-number="80B89D2D99C09CB2"
           fingerprint="f83f497a11ccaf4e43e7df5838c9687c0b3bf0c0f46959403d4e8e0e8ac54fb5"
           ca-fingerprint="593685a2b4223e2634a74bc86125808e12c0680283ad6c67b44a6e3305c6230d"
           invalid-before=feb/15/2020 00:32:05 invalid-after=feb/17/2020 00:32:05
           expires-after=23h47m2s challenge-password="" status="idle"

 1       T name="test-name_CA"
           issuer=CN=Redwax Interop Testing Root Certificate Authority 2040,O=Redwax Project
           digest-algorithm=sha1 key-type=rsa organization="Redwax Project"
           common-name="Redwax Interop Testing Root Certificate Authority 2040"
           key-size=2048 subject-alt-name="" days-valid=6534 trusted=yes
           serial-number="6F11B7D855D27D9A14F3B6E9152B60CA8C4BE2AA"
           fingerprint="593685a2b4223e2634a74bc86125808e12c0680283ad6c67b44a6e3305c6230d"
           invalid-before=feb/11/2020 17:38:56 invalid-after=jan/01/2038 17:38:56
           expires-after=932w5d16h53m53s
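To turn that listing into an automated check, the Python below (an added example, not MikroTik or Redwax code) parses the print detail output into one record per certificate and verifies what matters for trust: the enrolled certificate has a private key, its ca-fingerprint equals the fingerprint of the CA entry RouterOS stored beside it, that CA is the one expected, the key usage is the set the CASimple policy on this page grants, and the SCEP URL is flagged when it is plain HTTP, because the GetCACert response is not protected by SCEP and the fingerprint then has to be confirmed out of band. The sample input is the listing above, embedded as RouterOS wraps it at the terminal width, so the parser also shows how to rejoin wrapped fields.

```python
"""Check a RouterOS '/certificate print detail' listing after SCEP enrollment.
Added example, not MikroTik or Redwax code."""
import re

HEX_FIELDS = {"fingerprint", "ca-fingerprint", "serial-number"}  # whitespace inside is wrap noise
# Field names are lowercase-with-hyphens; DN parts (CN=, O=) are uppercase, so the
# issuer value is not split at them.
KEY_RE = re.compile(r"(?<![\w-])([a-z][a-z-]*)=")
ENTRY_RE = re.compile(r"\s*(\d+)\s+((?:[A-Z]\s+)*)(name=.*)$")  # index, flags, first field


def parse_print_detail(text):
    """Return {name: record}: 'index', 'flags' (a set) plus every key=value field."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("Flags:"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = {"index": int(m.group(1)), "flags": set(m.group(2).split()), "body": [m.group(3)]}
            entries.append(current)
        elif current is not None:
            current["body"].append(line.strip())  # RouterOS wrapped this line
    records = {}
    for entry in entries:
        body = " ".join(entry["body"])
        keys = list(KEY_RE.finditer(body))
        rec = {"index": entry["index"], "flags": entry["flags"]}
        for i, key in enumerate(keys):
            end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
            value = body[key.end():end].strip().strip('"')
            if key.group(1) in HEX_FIELDS:
                value = re.sub(r"\s+", "", value).lower()
            else:
                value = re.sub(r"\s+", " ", value).strip()
            rec[key.group(1)] = value
        records[rec["name"]] = rec
    return records


def check_enrollment(records, name, expected_ca_cn, expected_key_usage):
    """Return a list of problems with the enrolled certificate; empty means it looks right."""
    leaf = records[name]
    ca = records.get(name + "_CA")
    if ca is None:
        return ["RouterOS stored no CA certificate for " + name]
    problems = []
    if "K" not in leaf["flags"]:
        problems.append("no private key is attached to " + name)
    if leaf.get("ca-fingerprint") != ca.get("fingerprint"):
        problems.append("ca-fingerprint does not match the stored CA certificate")
    if ca.get("common-name") != expected_ca_cn or "CN=" + expected_ca_cn not in leaf.get("issuer", ""):
        problems.append("issued by an unexpected CA: " + leaf.get("issuer", "?"))
    if set(leaf.get("key-usage", "").split(",")) != set(expected_key_usage):
        problems.append("unexpected key usage: " + leaf.get("key-usage", ""))
    if leaf.get("scep-url", "").startswith("http://"):
        problems.append("SCEP URL is plain HTTP: verify CA fingerprint " + ca.get("fingerprint", "?") + " out of band")
    return problems


# The CASimple policy on this page (keyUsage plus extendedKeyUsage clientAuth) in RouterOS names.
EXPECTED_KEY_USAGE = ["digital-signature", "content-commitment", "key-encipherment", "tls-client"]
EXPECTED_CA_CN = "Redwax Interop Testing Root Certificate Authority 2040"

# The listing from this page, as RouterOS wraps it at the terminal width.
SAMPLE = """\
Flags: K - private-key, L - crl, C - smart-card-key, A - authority,
I - issued, R - revoked, E - expired, T - trusted
 0 K     T name="test-name"
           issuer=CN=Redwax Interop Testing Root Certificate Authority 2040,O=Redwax
       Project
           digest-algorithm=sha256 key-type=rsa common-name="test-cn" key-size=2048
           subject-alt-name="" days-valid=2 trusted=yes
           key-usage=digital-signature,content-commitment,key-encipherment,tls-client
           scep-url="http://interop.redwax.eu/test/simple/scep"
           serial-number="80B89D2D99C09CB2"
           fingerprint="f83f497a11ccaf4e43e7df5838c9687c0b3bf0c0f46959403d4e8e0e8ac54fb5
            "
           ca-fingerprint="593685a2b4223e2634a74bc86125808e12c0680283ad6c67b44a6e3305c62
               30d"
           invalid-before=feb/15/2020 00:32:05 invalid-after=feb/17/2020 00:32:05
           expires-after=23h47m2s challenge-password="" status="idle"

 1       T name="test-name_CA"
           issuer=CN=Redwax Interop Testing Root Certificate Authority 2040,O=Redwax
       Project
           digest-algorithm=sha1 key-type=rsa organization="Redwax Project"
           common-name="Redwax Interop Testing Root Certificate Authority 2040"
           key-size=2048 subject-alt-name="" days-valid=6534 trusted=yes
           serial-number="6F11B7D855D27D9A14F3B6E9152B60CA8C4BE2AA"
           fingerprint="593685a2b4223e2634a74bc86125808e12c0680283ad6c67b44a6e3305c6230d
            "
           invalid-before=feb/11/2020 17:38:56 invalid-after=jan/01/2038 17:38:56
           expires-after=932w5d16h53m53s
"""

if __name__ == "__main__":
    print(check_enrollment(parse_print_detail(SAMPLE), "test-name", EXPECTED_CA_CN, EXPECTED_KEY_USAGE))
```

On the listing from this page the only finding is the plain-HTTP warning: the fingerprints agree and the key usage is exactly what the CASimple extensions grant. Feed the function the output of a real router after changing the CA or the URL and the mismatches show up as the other messages.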