SCEP Operations Guide

This describes operations using SCEP with EJBCA.

For an overview of EJBCA capabilities with SCEP, see the SCEP overview.

Configuring SCEP 

The SCEP URL is http://HOST:PORT/ejbca/publicweb/apply/scep/ALIAS/pkiclient.exe.

The URL contains a reference to a configuration alias, 'ALIAS'. 'ALIAS' is an alphanumeric string that selects the set of SCEP configuration properties used when handling requests arriving at this URL. You can configure as many aliases as you need, using either the command line or the CA UI, for example one alias per device fleet or per enrollment mode.

Creating a SCEP alias with the name scep makes it available using the default URL (the same URL as in previous versions), http://HOST:PORT/ejbca/publicweb/apply/scep/pkiclient.exe.
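The following Python snippet is an added example, not EJBCA's own code, showing how a custom client derives the per-alias and legacy URLs above and then reads the CA's GetCACaps reply before enrolling. The host, port and alias names are placeholders, the GetCACaps body is constructed rather than captured from a real CA, and the capability keywords follow RFC 8894. The digest choice mirrors the alias property "Allow legacy digest algorithms in response" from the client side: SHA-1/MD5 are used only on explicit opt-in.

```python
"""Build EJBCA SCEP alias URLs and pick a digest from the CA's GetCACaps reply.

Added example, not EJBCA's own code. Host, port and alias values are
placeholders, and SAMPLE_GETCACAPS is a constructed reply, not one captured
from a real CA. Capability keywords follow RFC 8894 (SCEP).
"""
from urllib.parse import urlencode

SCEP_PATH = "/ejbca/publicweb/apply/scep/"


def scep_url(host, port, alias=None, scheme="http"):
    """Return the pkiclient.exe URL for a configuration alias.

    With alias=None the legacy alias-less URL is returned; that URL serves the
    alias named "scep", which is what older clients have hard-coded.
    """
    base = f"{scheme}://{host}:{port}{SCEP_PATH}"
    if alias is None:
        return base + "pkiclient.exe"
    if not alias.isalnum():  # the documentation requires an alphanumeric alias
        raise ValueError(f"alias must be alphanumeric: {alias!r}")
    return f"{base}{alias}/pkiclient.exe"


def operation_url(pkiclient_url, operation, message=None):
    """Append the SCEP GET query (operation and optional message) to a pkiclient URL."""
    params = {"operation": operation}
    if message is not None:
        params["message"] = message
    return f"{pkiclient_url}?{urlencode(params)}"


def parse_ca_caps(body):
    """Parse a GetCACaps reply: one capability keyword per line, case-sensitive."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def pick_digest(caps, allow_legacy=False):
    """Choose the digest to use for the PKCS#7 envelope.

    SHA-256 is preferred (it is what EJBCA uses by default), then SHA-512.
    SHA-1 is accepted only when the caller opts in, and MD5 (the fallback of
    very old SCEP implementations) is never chosen.
    """
    for candidate in ("SHA-256", "SHA-512"):
        if candidate in caps:
            return candidate
    if allow_legacy and "SHA-1" in caps:
        return "SHA-1"
    raise ValueError("CA advertises no acceptable digest; refusing to fall back to SHA-1/MD5")


# Constructed GetCACaps reply for a CA that supports modern digests and renewal.
SAMPLE_GETCACAPS = "AES\nPOSTPKIOperation\nRenewal\nSHA-256\nSHA-512\n"

if __name__ == "__main__":
    url = scep_url("pki.example.com", 8080, "intune")
    print(operation_url(url, "GetCACaps"))
    print(scep_url("pki.example.com", 8080))  # legacy URL for the alias named "scep"
    print(pick_digest(parse_ca_caps(SAMPLE_GETCACAPS)))
```

A client that hard-codes SHA-1 because its sample code did so will silently keep working against an alias where legacy digests are allowed, and break once that property is switched off; negotiating from GetCACaps avoids that surprise.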

Configuring SCEP in the CA UI 

To configure SCEP using the CA UI, select System Configuration → SCEP Configuration.

Note that you need /edit_systemconfiguration access to be able to edit the SCEP configuration. For more information, see Access Rules.

Configuring SCEP on the Command Line Interface

For information on creating and configuring the SCEP aliases using the command line, run the following command from the EJBCA home directory.

BASH
$ bin/ejbca.sh config scep

Alias Properties

An alias runs in one of two operation modes, CA Mode or RA Mode, and the properties available depend on the mode.

CA Mode

In CA Mode, EJBCA expects end entities to be created manually beforehand; the SCEP client merely enrolls for a certificate against a pre-registered end entity.

Properties

The following lists the available properties.

Include CA certificate in response: Set to true for the CA certificate to be transmitted back as part of the response.
Allow legacy digest algorithms in response: Set to true to allow SHA1 and MD5 to be used in the response. If not set, SHA256 is used.
Allow Client Certificate Renewal (Enterprise Edition): Set to true to perform client certificate renewal, where an enrollment request that arrives once half of the existing certificate's validity has passed automatically results in a new certificate being issued.
Allow Client Certificate Renewal using old key (Enterprise Edition): Set to true to allow client certificate renewal to be performed with the existing key pair instead of requiring a newly generated key.

RA Mode

ENTERPRISE

In RA Mode, EJBCA does not require the end entity to exist beforehand; it is created as part of the issuance process, using the profiles, CA and naming rules configured on the alias.

Properties

The following lists the available properties.

Include CA certificate in response: Set to true for the CA certificate to be transmitted back as part of the response.
Allow legacy digest algorithms in response: Set to true to allow SHA1 and MD5 to be used in responses. If not set, SHA256 is used.
Authenticate through Microsoft Intune: Validates SCEP requests with Microsoft Intune, see RA Mode with Microsoft Intune Support below.
RA End Entity Profile: The end entity profile to use for the enrolled end entity.
RA Certificate Profile: The certificate profile to use for the enrolled end entity.
RA CA Name: The CA to enroll the end entity under.
RA authentication password: A password that the request must carry to be accepted (in SCEP this is the challengePassword attribute of the PKCS#10 request).
RA name generation scheme: How the end entity username is generated: from a part of the subject DN, from the complete subject DN, as a random value, or as a fixed value.
RA name generation parameters: The input for the chosen scheme, for example which DN component to take the username from, or the fixed value to use.
RA name generation prefix: A general prefix to prepend to generated end entity usernames.
RA name generation postfix: A general postfix to append to generated end entity usernames.
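To make the four RA name generation properties concrete, the following Python function is an added illustration, not EJBCA's implementation, of how a username is derived from a request's subject DN. The scheme names DN, RANDOM and FIXED, the ";"-separated attribute preference list in the parameters, and the sample DN are assumptions made for this example.

```python
"""Derive a SCEP RA-mode end entity username from the request subject DN.

Added illustration of the RA name generation properties (scheme, parameters,
prefix, postfix); it is not EJBCA's implementation. The scheme names DN,
RANDOM and FIXED, the ";"-separated attribute preference list, and the sample
DN are assumptions made for this example.
"""
import re
import secrets


def parse_dn(dn):
    """Split an RFC 4514-style DN string into {ATTRIBUTE: [values]}.

    Commas escaped as "\\," stay inside a value; attribute types are
    upper-cased so "cn=" and "CN=" land on the same key.
    """
    attrs = {}
    for rdn in re.split(r"(?<!\\),", dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        attr_type, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attrs.setdefault(attr_type.strip().upper(), []).append(
            value.strip().replace("\\,", ","))
    return attrs


def generate_username(subject_dn, scheme, parameters="", prefix="", postfix=""):
    """Return prefix + base + postfix, where base depends on the scheme.

    DN:     base is the first present attribute from the ";"-separated
            preference list in parameters (e.g. "UID;CN"); "DN" or an empty
            list means the complete subject DN.
    RANDOM: base is 12 random hex characters, so every enrollment creates a
            new end entity.
    FIXED:  base is parameters verbatim, so every enrollment maps to the
            same end entity.
    """
    if scheme == "DN":
        wanted = [p.strip().upper() for p in parameters.split(";") if p.strip()]
        if not wanted or wanted == ["DN"]:
            base = subject_dn
        else:
            attrs = parse_dn(subject_dn)
            for attr_type in wanted:
                if attrs.get(attr_type):
                    base = attrs[attr_type][0]
                    break
            else:
                raise ValueError(f"subject DN has none of {wanted}: {subject_dn!r}")
    elif scheme == "RANDOM":
        base = secrets.token_hex(6)
    elif scheme == "FIXED":
        if not parameters:
            raise ValueError("FIXED scheme needs the fixed name in parameters")
        base = parameters
    else:
        raise ValueError(f"unknown name generation scheme: {scheme!r}")
    return f"{prefix}{base}{postfix}"


# Constructed subject DN, as a device CSR might carry it.
SAMPLE_DN = "CN=laptop-0042,OU=Devices,O=Example Corp,C=SE"

if __name__ == "__main__":
    print(generate_username(SAMPLE_DN, "DN", "CN", prefix="scep-"))
    print(generate_username(SAMPLE_DN, "DN", "UID;CN"))
    print(generate_username(SAMPLE_DN, "FIXED", "intune-device"))
```

The scheme decides what happens on repeat enrollments: with a DN-based name a device that re-enrolls with the same CN maps onto the same end entity, whereas a random name creates a fresh end entity every time. A prefix such as "scep-" also makes it easy to tell SCEP-created end entities apart from manually registered ones when auditing. Note that with a DN-based scheme two different devices presenting the same CN collide on one username, so choose a DN component that is unique in your fleet.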

RA Mode with Microsoft Intune Support

ENTERPRISE

While in RA Mode, EJBCA can also use Microsoft Intune to validate SCEP requests. Enabling the option Authenticate through Microsoft Intune adds the Intune-specific configuration properties listed below and disables the RA authentication password field, since the password carried in the request is checked against Intune instead.

Properties

Azure Active Directory Auth URL: The Azure Active Directory authentication URL used to obtain the login token. Specify this value if EJBCA is used with another Azure cloud, such as US Federal, or another region. If no value is specified, the default https://login.microsoftonline.com/ is used. The URL must end with a forward slash (/).
Application ID from Azure: The Application ID obtained by creating a new Application Registration. See Configure Intune for steps to obtain the Application ID.
Application API Secret from Azure: The API secret obtained by creating a secret in the registered application. See Configure Intune for steps to obtain the API secret. The auto-generated secret may contain a ~ character, which EJBCA does not support; regenerate the secret until it contains no ~ character.
Intune Tenant: The domain name of the user account used to log in to Microsoft Azure. If the account is admin@primekey.com, the Intune tenant is primekey.com.
Intune resource URL: Specifies the token audience in Azure. Specify this value if EJBCA is used with another Azure cloud, such as US Federal, or another region. If no value is specified, the default https://api.manage.microsoft.com/ is used. The URL must end with a forward slash (/).
Specific version of graph: The version of the Microsoft Graph API. Defaults to version 1.0 if no value is specified.
Graph resource URL: The URL used for Intune auto discovery. Specify this value if EJBCA is used with another Azure cloud, such as US Federal, or another region. If no value is specified, the default https://graph.windows.net/ is used. The URL must end with a forward slash (/).
EJBCA Proxy Host: The host name of the proxy that EJBCA uses for outbound Internet access to Azure and Intune, if such a proxy is required.
EJBCA Proxy Port: The port number of that proxy.
EJBCA Proxy User: The username used to log in to the proxy, if the proxy is configured for basic authentication.
EJBCA Proxy Password: The password used to log in to the proxy, if the proxy is configured for basic authentication.

Sample Client Messages

While many SCEP clients exist (as listed on the SCEP overview page), many use cases require writing a custom client. Using the BouncyCastle crypto libraries, we have produced sample implementations in Java to help you get started. For more information, see SCEP Client Support.