====== How to get certificate using SCEP protocol ======

Install dependencies

<code>
sudo apt install libnss3-tools certmonger
</code>

Add a SCEP CA (-R takes the CA certificate file in PEM format)

<code>
sudo getcert add-scep-ca -c CA_IDENTIFIER -u SCEP_URL -R CA_PEM_FORMAT
</code>

List the CAs

<code>
sudo getcert list-cas
</code>

If the CA setup worked, you should see something like

<code>
CA 'CA_IDENTIFIER':
	is-default: no
	ca-type: EXTERNAL
	helper-location: /usr/lib/certmonger/scep-submit -u SCEP_URL -R CA_PEM_FORMAT
	SCEP CA certificate thumbprint (MD5): FINGERPRINT
	SCEP CA certificate thumbprint (SHA1): FINGERPRINT
</code>

If the SCEP CA thumbprint lines are missing, the CA is not correctly installed.

Then you can request a certificate by running

<code>
sudo getcert request -I CERT_IDENTIFIER -c CA_IDENTIFIER -d PATH_TO_NSSDB -n NICKNAME -N cn=CN -v -L PIN
</code>

To check the certificate, run

<code>
sudo getcert list
</code>

If the request failed, the output shows an error like

<code>
Number of certificates and requests being tracked: 1.
Request ID 'CERT_IDENTIFIER':
	status: CA_UNREACHABLE
	ca-error: Error: failed to verify signature on server response.
	stuck: no
	key pair storage: type=NSSDB,location='PATH_TO_NSSDB',nickname='NICKNAME',token='NSS Certificate DB'
	certificate: type=NSSDB,location='PATH_TO_NSSDB',nickname='NICKNAME'
	signing request thumbprint (MD5): 99E8F925 2CB2C885 B29AFAA7 DD7CC766
	signing request thumbprint (SHA1): F94B1A05 39293B65 71F74ABC 35BE85C2 A0A6D1F5
	CA: CA_IDENTIFIER
	issuer:
	subject:
	expires: unknown
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
</code>

The "failed to verify signature on server response" error typically means the certificate passed with -R is not the one the SCEP server signs its responses with; re-check the CA certificate file before retrying.

If the request succeeded, the output looks like

<code>
Number of certificates and requests being tracked: 1.
Request ID 'datadog_wifido_cert':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='PATH_TO_NSSDB',nickname='NICKNAME',token='NSS Certificate DB'
	certificate: type=NSSDB,location='/home/gaetan/.pki/nssdb',nickname='NICKNAME'
	signing request thumbprint (MD5): 94F69776 FCA95B4B 5C2DD645 A2DDD8C0
	signing request thumbprint (SHA1): 86B3D4B9 87718EC1 5D74AFF4 A1FE1EC9 44356479
	CA: CA_IDENTIFIER
	issuer:
	subject:
	expires: unknown
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
</code>

To remove a certificate request

<code>
sudo getcert stop-tracking -i CERT_IDENTIFIER
</code>

To remove the CA

<code>
sudo getcert remove-ca -c CA_IDENTIFIER
</code>

cheatsheet/scep.txt · Last modified: 2024/10/14 20:59 by 127.0.0.1
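As an added example that is not part of this cheatsheet: shell helpers that check the two things the page says to look for, the SCEP CA thumbprint lines in the getcert list-cas output and the request status in the getcert list output, and that poll a request until it reaches MONITORING or fails. The parsers read getcert text on stdin so they can be tried against constructed samples; the live wrappers assume getcert list-cas -c and getcert list -i select one CA or one request, and must run as root like the commands above.

```shell
#!/bin/sh
# Added example, not part of the original cheatsheet: helpers around the
# getcert steps above. The parsers read getcert output on stdin so they can
# be checked against constructed text; the wrappers need certmonger installed
# and, as on the page, must run as root (sudo).

# 0 only if both SCEP CA thumbprint lines are present; their absence is the
# page's sign that the CA was not installed correctly.
ca_output_ok() {
    text=$(cat)
    printf '%s\n' "$text" | grep -q 'SCEP CA certificate thumbprint (MD5):' &&
        printf '%s\n' "$text" | grep -q 'SCEP CA certificate thumbprint (SHA1):'
}

# Pull one "field: value" from getcert list output (tabs or spaces before it).
field() { sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1; }

# Classify a request: ok (MONITORING), failed (CA_UNREACHABLE, any ca-error
# line, or stuck: yes), pending otherwise.
request_outcome() {
    text=$(cat)
    st=$(printf '%s\n' "$text" | field status)
    err=$(printf '%s\n' "$text" | field ca-error)
    stuck=$(printf '%s\n' "$text" | field stuck)
    if [ "$st" = MONITORING ]; then echo ok
    elif [ "$st" = CA_UNREACHABLE ] || [ -n "$err" ] || [ "$stuck" = yes ]; then echo failed
    else echo pending
    fi
}

# Live wrapper (assumption: getcert list-cas -c selects one CA by nickname).
scep_ca_ok() { getcert list-cas -c "$1" | ca_output_ok; }

# Poll a request up to $2 times (default 30, 2 s apart); on failure print the
# ca-error so the cause (e.g. a wrong -R certificate) is visible.
wait_for_request() {
    id=$1 tries=${2:-30}
    while [ "$tries" -gt 0 ]; do
        out=$(getcert list -i "$id")
        case $(printf '%s\n' "$out" | request_outcome) in
            ok) return 0 ;;
            failed) printf 'request %s failed: %s\n' "$id" \
                        "$(printf '%s\n' "$out" | field ca-error)" >&2; return 1 ;;
        esac
        tries=$((tries - 1)); sleep 2
    done
    echo "request $id still pending" >&2; return 1
}
```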