How to get a certificate using the SCEP protocol
Install dependencies
sudo apt install libnss3-tools certmonger
Add a SCEP CA
sudo getcert add-scep-ca -c CA_IDENTIFIER -u SCEP_URL -R CA_PEM_FORMAT
List CAs
sudo getcert list-cas
If the CA setup worked, you should see something like:
CA 'CA_IDENTIFIER':
    is-default: no
    ca-type: EXTERNAL
    helper-location: /usr/lib/certmonger/scep-submit -u SCEP_URL -R CA_PEM_FORMAT
    SCEP CA certificate thumbprint (MD5): FINGERPRINT
    SCEP CA certificate thumbprint (SHA1): FINGERPRINT
If the two SCEP CA thumbprint lines are missing, the CA is not correctly installed. When they are present, compare them with the thumbprints your CA operator publishes before requesting certificates.
Then you can request a certificate by running (-L is the SCEP challenge password, -N the subject of the request):
sudo getcert request -I CERT_IDENTIFIER -c CA_IDENTIFIER -d PATH_TO_NSSDB -n NICKNAME -N cn=CN -v -L PIN
To check the certificate, run
sudo getcert list
If the request failed, the output shows an error like:
Number of certificates and requests being tracked: 1.
Request ID 'CERT_IDENTIFIER':
    status: CA_UNREACHABLE
    ca-error: Error: failed to verify signature on server response.
    stuck: no
    key pair storage: type=NSSDB,location='PATH_TO_NSSDB',nickname='NICKNAME',token='NSS Certificate DB'
    certificate: type=NSSDB,location='PATH_TO_NSSDB',nickname='NICKNAME'
    signing request thumbprint (MD5): 99E8F925 2CB2C885 B29AFAA7 DD7CC766
    signing request thumbprint (SHA1): F94B1A05 39293B65 71F74ABC 35BE85C2 A0A6D1F5
    CA: CA_IDENTIFIER
    issuer:
    subject:
    expires: unknown
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
If it succeeded, the output should look like:
Number of certificates and requests being tracked: 1.
Request ID 'datadog_wifido_cert':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='PATH_TO_NSSDB',nickname='NICKNAME',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/home/gaetan/.pki/nssdb',nickname='NICKNAME'
    signing request thumbprint (MD5): 94F69776 FCA95B4B 5C2DD645 A2DDD8C0
    signing request thumbprint (SHA1): 86B3D4B9 87718EC1 5D74AFF4 A1FE1EC9 44356479
    CA: CA_IDENTIFIER
    issuer:
    subject:
    expires: unknown
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
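The two checks above (both SCEP thumbprint lines present for the CA, status MONITORING for the request) are easy to script so that enrollment can be verified on many machines without reading getcert output by hand. The following is an added example, not part of the original note and not certmonger's own tooling: two POSIX sh functions that parse the output of getcert list-cas and getcert list. CA_IDENTIFIER, CERT_IDENTIFIER, SCEP_URL and CA_PEM_FORMAT are the note's placeholders; the sample output embedded below is constructed in the shape the note shows, with made-up thumbprints, so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original note): check getcert output from a script.
# scep_ca_installed applies the note's rule that a correctly installed SCEP CA
# shows both thumbprint lines; request_status reports a request's status and
# ca-error. Both read getcert output on stdin. The sample output below is
# constructed (placeholders kept, thumbprints made up), not captured from a host.

# Usage: getcert list-cas | scep_ca_installed CA_IDENTIFIER
# Exit 0 when the named CA entry carries both SCEP thumbprint lines, 1 otherwise.
scep_ca_installed() {
    awk -v ca="$1" -v q="'" '
        # Each CA entry starts at column 0 with the CA name in single quotes.
        index($0, "CA " q) == 1 { in_block = (index($0, "CA " q ca q ":") == 1) }
        in_block && /SCEP CA certificate thumbprint/ { n++ }
        END { exit (n >= 2) ? 0 : 1 }
    '
}

# Usage: getcert list | request_status CERT_IDENTIFIER
# Prints the status, plus the ca-error text when one is present.
# Exit 0 when the status is MONITORING, 1 for any other status, 2 if not tracked.
request_status() {
    awk -v id="$1" -v q="'" '
        index($0, "Request ID " q) == 1 { in_block = (index($0, "Request ID " q id q ":") == 1) }
        in_block && $1 == "status:"   { status = $2 }
        in_block && $1 == "ca-error:" { sub(/^[ \t]*ca-error:[ \t]*/, ""); err = $0 }
        END {
            if (status == "") { print "NOT_TRACKED"; exit 2 }
            if (err != "") print status " (" err ")"
            else           print status
            exit (status == "MONITORING") ? 0 : 1
        }
    '
}

# Constructed sample output in the shape the note shows.
SAMPLE_CAS=$(cat <<'EOF'
CA 'CA_IDENTIFIER':
    is-default: no
    ca-type: EXTERNAL
    helper-location: /usr/lib/certmonger/scep-submit -u SCEP_URL -R CA_PEM_FORMAT
    SCEP CA certificate thumbprint (MD5): 01234567 89ABCDEF 01234567 89ABCDEF
    SCEP CA certificate thumbprint (SHA1): 01234567 89ABCDEF 01234567 89ABCDEF 01234567
CA 'BROKEN_CA':
    is-default: no
    ca-type: EXTERNAL
    helper-location: /usr/lib/certmonger/scep-submit -u SCEP_URL -R CA_PEM_FORMAT
EOF
)
SAMPLE_FAILED=$(cat <<'EOF'
Number of certificates and requests being tracked: 1.
Request ID 'CERT_IDENTIFIER':
    status: CA_UNREACHABLE
    ca-error: Error: failed to verify signature on server response.
    stuck: no
    CA: CA_IDENTIFIER
    track: yes
    auto-renew: yes
EOF
)
SAMPLE_OK=$(cat <<'EOF'
Number of certificates and requests being tracked: 1.
Request ID 'CERT_IDENTIFIER':
    status: MONITORING
    stuck: no
    CA: CA_IDENTIFIER
    track: yes
    auto-renew: yes
EOF
)

# Demonstration on the constructed samples; on a real host feed
# "sudo getcert list-cas" and "sudo getcert list" into the functions instead.
for ca in CA_IDENTIFIER BROKEN_CA; do
    if printf '%s\n' "$SAMPLE_CAS" | scep_ca_installed "$ca"; then
        echo "CA $ca: installed (both SCEP thumbprints present)"
    else
        echo "CA $ca: NOT correctly installed (SCEP thumbprint lines missing)"
    fi
done
printf '%s\n' "$SAMPLE_OK" | request_status CERT_IDENTIFIER
printf '%s\n' "$SAMPLE_FAILED" | request_status CERT_IDENTIFIER || echo "request CERT_IDENTIFIER not healthy (exit $?)"
```

The exit codes make the functions usable as health checks from cron or a configuration-management run: a non-zero result from request_status after enrollment means the request is stuck in an error state such as CA_UNREACHABLE and the ca-error line should be examined.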
To stop tracking a certificate request
sudo getcert stop-tracking -i CERT_IDENTIFIER
To remove the CA
sudo getcert remove-ca -c CA_IDENTIFIER