====== How to get certificate using SCEP protocol ======
Install dependencies
sudo apt install libnss3-tools certmonger
Add a SCEP CA
sudo getcert add-scep-ca -c CA_IDENTIFIER -u SCEP_URL -R CA_PEM_FORMAT
List CA
sudo getcert list-cas
If the CA setup worked, the output should look like this:
CA 'CA_IDENTIFIER':
is-default: no
ca-type: EXTERNAL
helper-location: /usr/lib/certmonger/scep-submit -u SCEP_URL -R CA_PEM_FORMAT
SCEP CA certificate thumbprint (MD5): FINGERPRINT
SCEP CA certificate thumbprint (SHA1): FINGERPRINT
If the SCEP CA thumbprint lines are missing, the CA is not correctly installed.
Then you can request a certificate by running
sudo getcert request -I CERT_IDENTIFIER -c CA_IDENTIFIER -d PATH_TO_NSSDB -n NICKNAME -N cn=CN -v -L PIN
To check the certificate, run
sudo getcert list
If it failed, the output shows an error like
Number of certificates and requests being tracked: 1.
Request ID 'CERT_IDENTIFIER':
status: CA_UNREACHABLE
ca-error: Error: failed to verify signature on server response.
stuck: no
key pair storage: type=NSSDB,location='PATH_TO_NSSDB',nickname='NICKNAME',token='NSS Certificate DB'
certificate: type=NSSDB,location='PATH_TO_NSSDB',nickname='NICKNAME'
signing request thumbprint (MD5): 99E8F925 2CB2C885 B29AFAA7 DD7CC766
signing request thumbprint (SHA1): F94B1A05 39293B65 71F74ABC 35BE85C2 A0A6D1F5
CA: CA_IDENTIFIER
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
If it succeeded, the output should look like
Number of certificates and requests being tracked: 1.
Request ID 'datadog_wifido_cert':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='PATH_TO_NSSDB',nickname='NICKNAME',token='NSS Certificate DB'
certificate: type=NSSDB,location='/home/gaetan/.pki/nssdb',nickname='NICKNAME'
signing request thumbprint (MD5): 94F69776 FCA95B4B 5C2DD645 A2DDD8C0
signing request thumbprint (SHA1): 86B3D4B9 87718EC1 5D74AFF4 A1FE1EC9 44356479
CA: CA_IDENTIFIER
issuer:
subject:
expires: unknown
pre-save command:
post-save command:
track: yes
auto-renew: yes
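The two checks above (thumbprint lines present after add-scep-ca, request status after request) can be scripted. This is an added example, not part of the original page or of certmonger: POSIX shell functions that parse the output of getcert list-cas and getcert list; the CA name, request ids, URL, paths and thumbprints are constructed sample values, and the SHA1 comparison assumes you obtained the expected thumbprint from the CA operator out of band.

```shell
# Added example, not part of the original page: parse `getcert list-cas` and
# `getcert list` output to check that a SCEP CA installed correctly (both
# thumbprint lines present) and to report a request's status. All names,
# ids, URLs, paths and thumbprints below are constructed sample values.

# 0 if the list-cas block for CA "$1" (stdin) shows both SCEP thumbprints.
scep_ca_ok() {
    awk -v hdr="CA '$1':" '
        substr($0, 1, 3) == "CA " { inblk = ($0 == hdr); next }
        inblk && /SCEP CA certificate thumbprint \((MD5|SHA1)\):/ { n++ }
        END { exit (n == 2) ? 0 : 1 }'
}

# 0 if the SHA1 thumbprint shown for CA "$1" equals "$2", a value obtained
# out of band from the CA operator; an uncompared thumbprint proves nothing.
scep_ca_sha1_matches() {
    got=$(awk -v hdr="CA '$1':" '
        substr($0, 1, 3) == "CA " { inblk = ($0 == hdr); next }
        inblk && sub(/^.*thumbprint \(SHA1\): */, "") { print }')
    [ -n "$got" ] && [ "$got" = "$2" ]
}

# Prints the status (MONITORING, CA_UNREACHABLE, ...) of request "$1" (stdin).
request_status() {
    awk -v hdr="Request ID '$1':" '
        substr($0, 1, 11) == "Request ID " { inblk = ($0 == hdr); next }
        inblk && $1 == "status:" { print $2 }'
}

# Prints the ca-error text of request "$1", or nothing if there is none.
request_error() {
    awk -v hdr="Request ID '$1':" '
        substr($0, 1, 11) == "Request ID " { inblk = ($0 == hdr); next }
        inblk && sub(/^[ \t]*ca-error: /, "") { print }'
}

# Constructed sample output in the shape shown on this page.
SAMPLE_CAS="CA 'my-scep-ca':
    helper-location: /usr/lib/certmonger/scep-submit -u https://scep.example.test/scep -R /etc/pki/scep-ca.pem
    SCEP CA certificate thumbprint (MD5): 00112233 44556677 8899AABB CCDDEEFF
    SCEP CA certificate thumbprint (SHA1): 00112233 44556677 8899AABB CCDDEEFF 01234567
CA 'broken-ca':
    ca-type: EXTERNAL"
SAMPLE_LIST="Request ID 'req-bad':
    status: CA_UNREACHABLE
    ca-error: Error: failed to verify signature on server response.
Request ID 'req-ok':
    status: MONITORING"
# Stand-alone demo; in practice pipe real `sudo getcert list-cas` / `sudo getcert list` output.
printf '%s\n' "$SAMPLE_CAS" | scep_ca_ok broken-ca || echo "broken-ca: thumbprints missing, CA not installed correctly"
echo "req-bad: $(printf '%s\n' "$SAMPLE_LIST" | request_status req-bad) ($(printf '%s\n' "$SAMPLE_LIST" | request_error req-bad))"
```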
To remove a cert request
sudo getcert stop-tracking -i CERT_IDENTIFIER
To remove the CA
sudo getcert remove-ca -c CA_IDENTIFIER