SCEP Authorities

This section details how to configure SCEP Authorities.

Both draft-nourse-scep-23 and RFC 8894 define how SCEP communications are secured. This relies on a SCEP Authority: a certificate and its associated private key, used to sign and encrypt communications between the SCEP server and the client.

Two setups are possible:

  • CA mode, in which the SCEP Authority is a self-signed certificate. In that mode, the SCEP server returns the self-signed certificate as application/x-x509-ca-cert when the client uses the GetCACert call.

  • RA mode, in which the SCEP Authority is a certificate signed by the CA that will issue certificates using the considered SCEP profile. In that mode, the SCEP server returns the SCEP Authority certificate and its issuing CA chain as application/x-x509-ca-ra-cert when the client uses the GetCACert call.

Therefore, it is important in each SCEP or MDM Profile to align the SCEP mode with the characteristics of the SCEP Authority configured in the current section.

Prerequisites

  • A PKCS#12 containing the SCEP Authority certificate and private key. See the explanation above for its expected contents.
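
To confirm which mode a given PKCS#12 corresponds to before importing it, the following added example (not part of Horizon or its documentation) uses the OpenSSL command line to extract the SCEP Authority certificate and test whether it is self-signed. The function names, file names and the password changeit are assumptions, and the sample files are constructed test material.

```shell
#!/usr/bin/env bash
# Added example (not vendor code): tell whether a PKCS#12 holds a CA-mode
# (self-signed) or RA-mode (CA-signed) SCEP Authority before importing it.

# scep_mode <p12> <password>: prints "CA" or "RA"; returns 2 if unreadable.
scep_mode() {
  local p12=$1 leaf mode=RA
  leaf=$(mktemp) || return 2
  # -clcerts selects the certificate that matches the private key; the
  # password goes through the environment, not the process argument list.
  if ! P12_PASS=$2 openssl pkcs12 -in "$p12" -passin env:P12_PASS \
         -clcerts -nokeys 2>/dev/null | openssl x509 -out "$leaf" 2>/dev/null
  then rm -f "$leaf"; return 2; fi
  # Self-signed = subject equals issuer AND the signature verifies under
  # the certificate's own public key.
  if [ "$(openssl x509 -in "$leaf" -noout -subject_hash)" = \
       "$(openssl x509 -in "$leaf" -noout -issuer_hash)" ] &&
     openssl verify -CAfile "$leaf" "$leaf" >/dev/null 2>&1
  then mode=CA; fi
  rm -f "$leaf"
  echo "$mode"
}

# make_samples <dir>: constructed test material, password "changeit".
make_samples() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed SCEP RA" \
    -keyout "$d/ra.key" -out "$d/ra.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/ra.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/ra.pem" 2>/dev/null &&
  openssl pkcs12 -export -inkey "$d/ca.key" -in "$d/ca.pem" \
    -out "$d/ca-mode.p12" -passout pass:changeit &&
  openssl pkcs12 -export -inkey "$d/ra.key" -in "$d/ra.pem" \
    -certfile "$d/ca.pem" -out "$d/ra-mode.p12" -passout pass:changeit
}

# Demo on the constructed samples.
tmp=$(mktemp -d) && make_samples "$tmp" &&
for f in ca-mode ra-mode; do
  echo "$f.p12 -> $(scep_mode "$tmp/$f.p12" changeit)"
done
rm -rf "$tmp"
```

A result of CA means the SCEP or MDM Profile should use CA mode; RA means it should use RA mode.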

How to configure a SCEP Authority

1. Log in to the Horizon Administration Interface.

2. Access SCEP Authorities from the drawer or card: System > SCEP Authorities.

3. Click on Add SCEP Authority.

4. Fill in the following fields:

  • Name* (string input):
    Enter a meaningful SCEP Authority name;

  • PKCS#12* (import p12):
    PKCS#12 of the SCEP Authority;

  • PKCS#12 Password* (string input):
    Password of the aforementioned PKCS#12.

5. Click on the create button to save.

You can update (Edit SCEP Authority) or delete (Delete SCEP Authority) the SCEP Authority.

You won’t be able to delete a SCEP Authority if it is referenced in any other configuration element.