How to configure SCEP with IGEL OS
This article is still valid for the most part but a bit old. A fresher article can be found here: https://www.igelexperts.com/?s=scep
The Simple Certificate Enrollment Protocol (SCEP) (IETF draft) defines a way of automatically enrolling the certificates used, for example, to authenticate network devices or VPNs. The client uses HTTP requests to fetch the root (CA) certificates, to submit certificate requests, and to fetch the issued client certificates from the server.
SCEP Environment, for example MS NDES
Step 2 – Enter Certificate Signing Request (CSR) Information:
Important 1: If you want to use the device's DNS name (the most common choice), use DNS Name (auto).
Important 2: The RSA key length has to satisfy the minimum key length configured on the server.
Step 3 – CA Details
This step is optional for testing but mandatory for production!
Important: The fingerprint has to be given as MD5.
A customer reported that, in his case, the Identifier was the “FQDN of your CA”.
You can get the fingerprint here: https://<ServerName>/certsrv/mscep_admin
Step 4 – Configure SCEP Server
On a Windows 2008 server this is http://<ServerName>/certsrv/mscep/mscep.dll by default.
You will find the challenge password on the Windows 2008 SCEP server under https://<ServerName>/certsrv/mscep_admin by default.
For testing you can configure the server without a challenge password.
The challenge password is only needed for the first CSR.
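Added example, not code from the article or from IGEL: a small Python script that takes the Content-Type and body of a SCEP GetCACert response (served by the mscep.dll URL from Step 4), extracts the certificate(s), and returns the MD5 fingerprint in the form Step 3 asks for, so the value entered in the profile can be cross-checked against what the device will actually receive. The HTTP fetch is left out and the response is a constructed sample; the two content types and the certs-only PKCS#7 layout are standard SCEP, the DER walk is written here and assumes that layout, and the colon-separated uppercase hex format is an assumption.

```python
import hashlib
def _der(tag, payload):                      # DER TLV encoder (short-form lengths suffice for the sample)
    assert len(payload) < 0x80
    return bytes([tag, len(payload)]) + payload
def _tlv(buf, pos):                           # -> (tag, value_start, value_end) of the element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length, as found in real certificates
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def certs_from_pkcs7(der):
    """Extract each DER certificate from a degenerate (certs-only) PKCS#7 SignedData."""
    _, pos, _ = _tlv(der, 0)                  # ContentInfo SEQUENCE
    _, _, pos = _tlv(der, pos)                # contentType OID (signedData)
    _, pos, _ = _tlv(der, pos)                # [0] EXPLICIT content
    _, pos, _ = _tlv(der, pos)                # SignedData SEQUENCE
    for _ in range(3):                        # skip version, digestAlgorithms, encapContentInfo
        _, _, pos = _tlv(der, pos)
    tag, pos, end = _tlv(der, pos)            # certificates [0] IMPLICIT SET OF Certificate
    certs = []
    while tag == 0xA0 and pos < end:
        _, _, nxt = _tlv(der, pos)
        certs.append(der[pos:nxt])
        pos = nxt
    return certs

def fingerprint(cert_der, algo="md5"):
    """Colon-separated hex digest of the DER bytes; MD5 is what the IGEL profile expects."""
    return ":".join(f"{b:02X}" for b in hashlib.new(algo, cert_der).digest())

def ca_fingerprints(content_type, body, algo="md5"):
    """Fingerprint every certificate in a GetCACert response, whichever form the server sent."""
    ct = content_type.split(";")[0].strip().lower()
    if ct == "application/x-x509-ca-cert":         # bare DER: CA certificate only
        certs = [body]
    elif ct == "application/x-x509-ca-ra-cert":    # PKCS#7: CA plus RA certificate(s)
        certs = certs_from_pkcs7(body)
    else:
        raise ValueError(f"unexpected GetCACert content type: {content_type}")
    return [fingerprint(c, algo) for c in certs]

# Constructed sample input: placeholder SEQUENCEs stand in for real CA/RA certificates
# (the fingerprint depends only on the bytes, not on their being a valid certificate).
FAKE_CA = _der(0x30, b"placeholder-ca-certificate")
FAKE_RA = _der(0x30, b"placeholder-ra-certificate")
OID_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")   # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("06092a864886f70d010701")          # 1.2.840.113549.1.7.1
def build_certs_only_pkcs7(certs):          # minimal certs-only SignedData, for the sample only
    signed = _der(0x30, _der(0x02, b"\x01") + _der(0x31, b"") + _der(0x30, OID_DATA)
                  + _der(0xA0, b"".join(certs)) + _der(0x31, b""))
    return _der(0x30, OID_SIGNED_DATA + _der(0xA0, signed))
SAMPLE_RESPONSE = ("application/x-x509-ca-ra-cert", build_certs_only_pkcs7([FAKE_CA, FAKE_RA]))
```

Compare the first fingerprint returned for the CA-plus-RA form with the MD5 value shown on the mscep_admin page before entering it in Step 3.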
How to handle the Challenge Password?
Most customers I have seen generate a password that lasts for up to 4 hours during the roll-out process. The challenge password is generated by the roll-out administrator. It is configured into the profile, and the roll-out begins. After the roll-out is done, the password is not used again; the renewal is done with the certificate.