SCEP Authorities
This section details how to configure SCEP Authorities.
Both draft-nourse-scep-23 and RFC 8894 define how SCEP communications are secured. Securing them relies on a SCEP Authority: a certificate and its associated private key, used to sign and encrypt communications between the SCEP server and the client.
Two setups are possible:
- the CA mode, in which the SCEP Authority is a self-signed certificate. In that mode the SCEP server returns the self-signed certificate as application/x-x509-ca-cert when the client uses the GetCaCert call.
- the RA mode, in which the SCEP Authority is a certificate signed by the CA that will issue certificates using the considered SCEP profile. In that mode, the SCEP server returns the SCEP Authority certificate and its issuing CA chain as application/x-x509-ca-ra-cert when the client uses the GetCaCert call.
Therefore, it is important in each SCEP or MDM Profile to align the SCEP mode with the characteristics of the SCEP Authority configured in the current section.
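The alignment described above can be verified from a GetCaCert response. The following is an added example, not code from the product: it compares the returned content type with the mode the profile expects and, in CA mode, checks that the certificate's issuer equals its subject. The function names and the unsigned sample certificate are constructed for the example, and the RA-mode PKCS#7 chain is not parsed.

```python
CA_TYPE = "application/x-x509-ca-cert"     # CA mode: one DER certificate
RA_TYPE = "application/x-x509-ca-ra-cert"  # RA mode: certs-only PKCS#7 chain

def _tlv(buf, pos):                        # read one DER TLV: (tag, start, end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def issuer_and_subject(cert_der):
    """Return the raw issuer and subject Name encodings of a certificate."""
    _, start, _ = _tlv(cert_der, 0)        # Certificate SEQUENCE
    _, pos, end = _tlv(cert_der, start)    # TBSCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, nxt = _tlv(cert_der, pos)
        if tag != 0xA0:                    # skip the optional [0] version
            fields.append(cert_der[pos:nxt])
        pos = nxt
    return fields[2], fields[4]            # serial, sigalg, ISSUER, validity, SUBJECT

def check_getcacert(expected_mode, content_type, body):
    """Return findings; an empty list means the response fits the mode."""
    ctype = content_type.split(";")[0].strip().lower()
    served = {CA_TYPE: "CA", RA_TYPE: "RA"}.get(ctype)
    if served is None:
        return [f"unexpected content type {ctype!r}"]
    findings = [] if served == expected_mode else [
        f"profile expects {expected_mode} mode, server answered in {served} mode"]
    if served == "CA":
        try:
            issuer, subject = issuer_and_subject(body)
            if issuer != subject:          # name match only, signature not verified
                findings.append("CA-mode certificate is not self-issued")
        except (ValueError, IndexError):
            findings.append("body is not a DER certificate")
    return findings

def _der(tag, *parts):                     # short-form DER encoder for the sample
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

def sample_cert(issuer_cn, subject_cn):
    """Constructed, unsigned certificate skeleton (demo input, not a real cert)."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03"), _der(0x0C, cn))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"), _der(0x30),
               name(issuer_cn), _der(0x30), name(subject_cn))
    return _der(0x30, tbs)
```

A matching issuer and subject shows the certificate is self-issued; confirming it is self-signed additionally requires verifying the signature with a cryptographic library.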
Prerequisites
- PKCS#12 containing the SCEP Authority certificate and private key. See above for an explanation of the SCEP contents.
How to configure a SCEP Authority
SCEP Authorities are configured as credentials.