Configuring SCEP Responder - dogtagpki/pki GitHub Wiki
This page describes the process to configure SCEP responder in CA.
For older versions see:
The profile used by the SCEP responder is configured in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg:
profile.list=...,caRouterCert,...
profile.caRouterCert.class_id=caEnrollImpl
profile.caRouterCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caRouterCert.cfg
By default it uses the caRouterCert profile in /var/lib/pki/pki-tomcat/ca/profiles/ca/caRouterCert.cfg:
auth.instance_id=flatFileAuth
Disable deferOnFailure in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg:
auths.instance.flatFileAuth.deferOnFailure=false
Edit /var/lib/pki/pki-tomcat/ca/conf/flatfile.txt to enter the client's IP address and password:
UID:<IP address>
PWD:<password>

UID:<IP address>
PWD:<password>
...
Note: the <IP address> can be either IPv4 or IPv6. It must be the address that identifies the client connection as seen by the server, which depends on the server host and DNS configuration.
The SCEP configuration is stored in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg:
ca.scep.enable=false
ca.scep.hashAlgorithm=SHA256
ca.scep.allowedHashAlgorithms=SHA256,SHA512
ca.scep.encryptionAlgorithm=DES3
ca.scep.allowedEncryptionAlgorithms=DES3
ca.scep.nonceSizeLimit=16
To enable the SCEP responder:
ca.scep.enable=true
Then restart the server:
$ systemctl restart pki-tomcatd@pki-tomcat.service
The client can access the SCEP responder at http://pki.example.com:8080/ca/cgi-bin/pkiclient.exe.
In PKI 10.11 or later the SCEP responder allows the client to specify the profile to be used for issuing the certificate.
The list of allowed profiles can be configured in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg:
ca.scep.allowedDynamicProfileIds=<comma-separated list of profiles>
The client can access the SCEP responder at http://pki.example.com:8080/ca/scep/<profile>/pkiclient.exe.
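As an added example (not part of this wiki page or of the Dogtag PKI project), a small Python check that parses the CS.cfg keys and flatfile.txt records described above and reports the inconsistencies a responder operator would want to catch before enabling SCEP: deferOnFailure left enabled, a dynamic profile id that is not in profile.list, and a flatfile record missing its UID or PWD. The sample file contents are constructed for the example.

```python
# Constructed samples (not real deployment files) in the formats shown above.
CS_CFG = """\
profile.list=caRouterCert,caServerCert
auths.instance.flatFileAuth.deferOnFailure=true
ca.scep.allowedDynamicProfileIds=caRouterCert,caMissingProfile
"""
FLATFILE = """\
UID:192.0.2.10
PWD:example-secret-1

UID:2001:db8::5
PWD:example-secret-2

UID:192.0.2.11
"""

def parse_cs_cfg(text):
    # key=value per line; blanks and '#' comments are ignored
    pairs = (l.partition("=") for l in map(str.strip, text.splitlines())
             if l and not l.startswith("#") and "=" in l)
    return {k.strip(): v.strip() for k, _, v in pairs}

def parse_flatfile(text):
    # UID:/PWD: lines form one record; a blank line ends it.
    # Split on the first ':' only so IPv6 addresses stay intact.
    records, current = [], {}
    for line in text.splitlines() + [""]:
        line = line.strip()
        if line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
        elif current:
            records.append(current)
            current = {}
    return records

def audit_scep(cs_cfg_text, flatfile_text):
    cfg, records = parse_cs_cfg(cs_cfg_text), parse_flatfile(flatfile_text)
    findings = []
    if cfg.get("auths.instance.flatFileAuth.deferOnFailure") != "false":
        findings.append("flatFileAuth.deferOnFailure must be false")
    profiles = set(cfg.get("profile.list", "").split(","))
    for pid in cfg.get("ca.scep.allowedDynamicProfileIds", "").split(","):
        if pid and pid not in profiles:
            findings.append(f"dynamic profile {pid} not in profile.list")
    for rec in records:
        if not rec.get("UID") or not rec.get("PWD"):
            findings.append(f"incomplete flatfile record: {rec}")
    return findings
```

Run audit_scep on the contents of the real CS.cfg and flatfile.txt; an empty list means none of these three checks fired.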