Simple Certificate Enrollment Protocol Demo/Interop

Interoperate with the Redwax Simple Certificate Enrollment Protocol module.

We have implemented a SCEP endpoint that allows you to test your client implementation against a Redwax Server.

The code being run is the most up to date build from trunk/main in source control, and is built and deployed automatically. The Redwax Interop server is for testing purposes only.

Simple Certificate Enrollment Protocol (SCEP) Demo/Interop Server

When testing your SCEP client implementation, use the following details.

Summary

SCEP Server URL: https://interop.redwax.eu/test/provider/scep
SCEP Alternative URL: http://interop.redwax.eu/test/provider/scep
Time Source: System Clock
Serial Numbers: Random

Redwax Module Configuration

The following configuration is used to implement this SCEP server. The configuration below is added to a standard secure virtualhost Apache configuration, as described here.

Configuration

Here we set the SCEP handler, and set the CA certificates and keys to be used for signing.

We also set an RA certificate and key that is used during the SCEP certificate issuing process. This certificate is signed by our CA certificate.

<IfModule !ca_module>
  LoadModule ca_module /usr/lib64/httpd/modules/mod_ca.so
</IfModule>
<IfModule !ca_provider_module>
  LoadModule ca_provider_module /usr/lib64/httpd/modules/mod_ca_provider.so
</IfModule>
<IfModule !ca_simple_module>
  LoadModule ca_simple_module /usr/lib64/httpd/modules/mod_ca_simple.so
</IfModule>
<IfModule !scep_module>
  LoadModule scep_module /usr/lib64/httpd/modules/mod_scep.so
</IfModule>

<Location /test/provider>

  CAProviderCertificate file:/etc/pki/interop/ca-cert.pem
  CAProviderKey file:/etc/pki/interop/private/ca-key.pem
  CAProviderCA file:/etc/pki/interop/ca-cert.pem
  CAProviderDays 1
  CASimpleTime on
  CASimpleAlgorithm RSA rsa_keygen_bits=4096
  CASimpleSerialRandom on

  CAProviderExtension basicConstraints CA:FALSE
  CAProviderExtension keyUsage critical,nonRepudiation,digitalSignature,keyEncipherment
  CAProviderExtension extendedKeyUsage OID:1.3.6.1.5.5.7.3.2
  CAProviderExtension subjectKeyIdentifier hash
  CAProviderExtension authorityKeyIdentifier keyid,issuer

</Location>

<Location /test/provider/scep>
  Require all granted
  SetHandler scep
  ScepRACertificate /etc/pki/interop/scep-ra.cert
  ScepRAKey /etc/pki/interop/private/scep-ra.key
  ScepSubjectRequest O
  ScepSubjectRequest CN
  ScepSubjectRequest C
  ScepSubjectAltNameRequest rfc822Name
</Location>


SCEP with Apple MacOS and iOS

Apple's macOS and iOS operating systems support SCEP via a mobileconfig profile, such as one generated by Apple Configurator.

Mobileconfig

A mobileconfig profile is an XML property list file that contains a set of configuration payloads for a macOS or iOS device.

Download the mobileconfig file, or cut and paste the profile below into a file. Open the file on macOS, or from an email on iOS or macOS, and the built-in SCEP client will request a test certificate from the Redwax SCEP server.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>PayloadContent</key>
    <array>
      <dict>
        <key>PayloadContent</key>
        <dict>
          <key>Challenge</key>
          <string>challenge-password</string>
          <key>Key Type</key>
          <string>RSA</string>
          <key>Key Usage</key>
          <integer>5</integer>
          <key>Keysize</key>
          <integer>2048</integer>
          <key>Name</key>
          <string>Redwax-Interop-Demo</string>
          <key>Retries</key>
          <integer>3</integer>
          <key>RetryDelay</key>
          <integer>10</integer>
          <key>Subject</key>
          <array>
            <array>
              <array>
                <string>CN</string>
                <string>test-certificate</string>
              </array>
            </array>
          </array>
          <key>SubjectAltName</key>
          <dict>
            <key>rfc822Name</key>
            <string>test@example.com</string>
          </dict>
          <key>URL</key>
          <string>https://interop.redwax.eu/test/provider/scep</string>
        </dict>
        <key>PayloadDescription</key>
        <string>Configures SCEP settings</string>
        <key>PayloadDisplayName</key>
        <string>SCEP</string>
        <key>PayloadIdentifier</key>
        <string>com.apple.security.scep.C32A1326-E5B4-40DA-B8F5-988CABF3A9F4</string>
        <key>PayloadType</key>
        <string>com.apple.security.scep</string>
        <key>PayloadUUID</key>
        <string>C32A1326-E5B4-40DA-B8F5-988CABF3A9F4</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
      </dict>
    </array>
    <key>PayloadDescription</key>
    <string>This profile installs a testing certificate using the SCEP protocol.</string>
    <key>PayloadDisplayName</key>
    <string>Redwax Interop/Demo</string>
    <key>PayloadIdentifier</key>
    <string>Redwax.2BE8586E-E6A6-42A9-BD1D-4C3453CF5B44</string>
    <key>PayloadOrganization</key>
    <string>Redwax Project</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>3F2757AB-BE32-45BC-9874-4173C185778D</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
  </dict>
</plist>
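
The following Python is an added example, not part of the Redwax page or of Apple's tooling. It builds a profile with the same structure as the plist above using only the standard library's plistlib, and checks a profile before it is sent to a device. The Key Usage value 5 in the profile is the sum of the Apple SCEP payload's signing (1) and encryption (4) bits; the function and parameter names are this example's own, and the UUIDs are generated fresh on each call.

```python
"""Generate and sanity-check an Apple SCEP mobileconfig profile (stdlib only).

Added example: build_scep_profile / check_scep_profile and their parameters are
this example's own names, not part of Redwax or Apple tooling."""
import plistlib
import uuid

# Bits of the Apple SCEP payload's "Key Usage" integer: 1 = signing, 4 = encryption.
# The profile above uses 5, i.e. both.
KU_SIGNING = 1
KU_ENCRYPTION = 4


def build_scep_profile(url, challenge, common_name, email, keysize=2048,
                       key_usage=KU_SIGNING | KU_ENCRYPTION):
    """Return a dict with the same structure as the mobileconfig shown above."""
    scep_uuid = str(uuid.uuid4()).upper()
    profile_uuid = str(uuid.uuid4()).upper()
    scep_payload = {
        "PayloadContent": {
            "Challenge": challenge,
            "Key Type": "RSA",
            "Key Usage": key_usage,
            "Keysize": keysize,
            "Name": "Redwax-Interop-Demo",
            "Retries": 3,
            "RetryDelay": 10,
            # Subject: array of RDNs, each RDN an array of [type, value] pairs.
            "Subject": [[["CN", common_name]]],
            "SubjectAltName": {"rfc822Name": email},
            "URL": url,
        },
        "PayloadDescription": "Configures SCEP settings",
        "PayloadDisplayName": "SCEP",
        "PayloadIdentifier": "com.apple.security.scep." + scep_uuid,
        "PayloadType": "com.apple.security.scep",
        "PayloadUUID": scep_uuid,
        "PayloadVersion": 1,
    }
    return {
        "PayloadContent": [scep_payload],
        "PayloadDescription": "This profile installs a testing certificate using the SCEP protocol.",
        "PayloadDisplayName": "Redwax Interop/Demo",
        "PayloadIdentifier": "Redwax." + profile_uuid,
        "PayloadOrganization": "Redwax Project",
        "PayloadRemovalDisallowed": False,
        "PayloadType": "Configuration",
        "PayloadUUID": profile_uuid,
        "PayloadVersion": 1,
    }


def to_mobileconfig(profile):
    """Serialise to the XML plist form that macOS and iOS install."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def check_scep_profile(data):
    """Parse a .mobileconfig and return a list of problems (empty means it passed)."""
    profile = plistlib.loads(data)
    scep = [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.security.scep"]
    if len(scep) != 1:
        return ["expected exactly one com.apple.security.scep payload"]
    payload, content = scep[0], scep[0]["PayloadContent"]
    problems = []
    url = content.get("URL", "")
    # The interop server's primary URL is https; the http alternative is for testing.
    if not url.startswith("https://"):
        problems.append("SCEP URL is not https: " + url)
    if content.get("Key Type") != "RSA":
        problems.append("Key Type is not RSA")
    if content.get("Keysize", 0) < 2048:
        problems.append("Keysize below 2048")
    ku = content.get("Key Usage", 0)
    if not (ku & KU_SIGNING) or not (ku & KU_ENCRYPTION):
        problems.append("Key Usage %d does not enable both signing and encryption" % ku)
    if not any(attr[0] == "CN" for rdn in content.get("Subject", []) for attr in rdn):
        problems.append("Subject has no CN")
    if not payload["PayloadIdentifier"].endswith("." + payload["PayloadUUID"]):
        problems.append("PayloadIdentifier does not end with PayloadUUID")
    return problems


if __name__ == "__main__":
    profile = build_scep_profile("https://interop.redwax.eu/test/provider/scep",
                                 "challenge-password", "test-certificate",
                                 "test@example.com")
    data = to_mobileconfig(profile)
    print(data.decode())
    print("problems:", check_scep_profile(data))
```

Write the bytes returned by to_mobileconfig to a file with a .mobileconfig extension to install it; the check function is the place to add any further local policy (for example a minimum Retries value) before a profile leaves the build pipeline.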


Profile

Once installed, the profile will look similar to the following.

Screenshot of profile

Certificate

The resulting certificate in the Keychain will look similar to the following.

Screenshot of certificate

SCEP with MikroTik RouterOS

MikroTik's RouterBOARD devices and RouterOS include a SCEP client, and can request certificates from a Redwax Server.

Command Line

Add a certificate template, followed by a SCEP definition, as follows.

[admin@router] /> /certificate
[admin@router] /certificate> add common-name=test-cn name=test-name
[admin@router] /certificate> add-scep template=test-name
  scep-url=http://interop.redwax.eu/test/provider/scep


Confirm that the certificate was requested and issued correctly.

[admin@router] /certificate> print detail 
Flags: K - private-key; L - crl; C - smart-card-key; A - authority; I - issued, R - revoked; E - expired; T - trusted 
 0 K     T name="test-name" digest-algorithm=sha256 trusted=yes common-name="test-cn"
           subject-alt-name=""
           issuer=O=Redwax Project,CN=Redwax Interop Testing Root Certificate Authority 2040
           key-type=rsa key-size=2048
           key-usage=digital-signature,content-commitment,key-encipherment,tls-client
           days-valid=2 invalid-before=2025-09-11 21:50:53 invalid-after=2025-09-13 21:50:53 
           serial-number="a11be00e09c75666" akid=ed75de35143c4723f1b11ae413438cbbccc22b56
           skid=6c326730c923afd2cf9820e584888e7311f39d8a
           scep-url="http://interop.redwax.eu/test/provider/scep" 
           fingerprint="fd78e944cd7c57fd2d4ced4b887318c8f7914c8c5c5bd05cd486db5ef9c6d346"
           ca-fingerprint="593685a2b4223e2634a74bc86125808e12c0680283ad6c67b44a6e3305c6230d"
           expires-after=11h46m20s  challenge-password="" status="idle" 

 1       T name="test-name_CA" digest-algorithm=sha1 trusted=yes
           common-name="Redwax Interop Testing Root Certificate Authority 2040"
           organization="Redwax Project" subject-alt-name="" 
           issuer=O=Redwax Project,CN=Redwax Interop Testing Root Certificate Authority 2040
           key-type=rsa key-size=2048 days-valid=7300 invalid-before=2020-02-11 17:38:56
           invalid-after=2040-02-06 17:38:56 
           serial-number="6f11b7d855d27d9a14f3b6e9152b60ca8c4be2aa"
           akid=ed75de35143c4723f1b11ae413438cbbccc22b56
           skid=ed75de35143c4723f1b11ae413438cbbccc22b56 
           fingerprint="593685a2b4223e2634a74bc86125808e12c0680283ad6c67b44a6e3305c6230d"
           expires-after=751w2d7h34m23s
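
The Python below is an added example, not part of RouterOS or of the Redwax project. It parses the print detail output above into one record per certificate and performs the checks a practitioner would otherwise do by eye: that a private key is stored with the certificate (flag K), that the SCEP enrolment has finished (status idle), that the issued certificate's ca-fingerprint and akid match the fingerprint and skid of the CA entry that was retrieved, and that the key usage is what the Apache configuration earlier on this page asks the CA to issue (RouterOS reports nonRepudiation as content-commitment, and the extendedKeyUsage OID 1.3.6.1.5.5.7.3.2, clientAuth, as tls-client). The sample output is copied from the session above with trailing spaces removed; the parser and check functions are this example's own names.

```python
"""Parse RouterOS '/certificate print detail' output and check an issued SCEP certificate.

Added example: parse_print_detail / check_issued are this example's own names."""
import re

# Sample copied from the RouterOS session shown above (trailing spaces removed).
SAMPLE = """\
Flags: K - private-key; L - crl; C - smart-card-key; A - authority; I - issued, R - revoked; E - expired; T - trusted
 0 K     T name="test-name" digest-algorithm=sha256 trusted=yes common-name="test-cn"
           subject-alt-name=""
           issuer=O=Redwax Project,CN=Redwax Interop Testing Root Certificate Authority 2040
           key-type=rsa key-size=2048
           key-usage=digital-signature,content-commitment,key-encipherment,tls-client
           days-valid=2 invalid-before=2025-09-11 21:50:53 invalid-after=2025-09-13 21:50:53
           serial-number="a11be00e09c75666" akid=ed75de35143c4723f1b11ae413438cbbccc22b56
           skid=6c326730c923afd2cf9820e584888e7311f39d8a
           scep-url="http://interop.redwax.eu/test/provider/scep"
           fingerprint="fd78e944cd7c57fd2d4ced4b887318c8f7914c8c5c5bd05cd486db5ef9c6d346"
           ca-fingerprint="593685a2b4223e2634a74bc86125808e12c0680283ad6c67b44a6e3305c6230d"
           expires-after=11h46m20s  challenge-password="" status="idle"

 1       T name="test-name_CA" digest-algorithm=sha1 trusted=yes
           common-name="Redwax Interop Testing Root Certificate Authority 2040"
           organization="Redwax Project" subject-alt-name=""
           issuer=O=Redwax Project,CN=Redwax Interop Testing Root Certificate Authority 2040
           key-type=rsa key-size=2048 days-valid=7300 invalid-before=2020-02-11 17:38:56
           invalid-after=2040-02-06 17:38:56
           serial-number="6f11b7d855d27d9a14f3b6e9152b60ca8c4be2aa"
           akid=ed75de35143c4723f1b11ae413438cbbccc22b56
           skid=ed75de35143c4723f1b11ae413438cbbccc22b56
           fingerprint="593685a2b4223e2634a74bc86125808e12c0680283ad6c67b44a6e3305c6230d"
           expires-after=751w2d7h34m23s
"""

# An entry starts with its index and single-letter flags; continuation lines are indented.
ENTRY_START = re.compile(r"^\s*(\d+)((?:\s+[A-Z])*)\s+(.*)$")
# key=value pairs: quoted values may contain spaces; bare values run until the next key=.
PAIR = re.compile(r'([\w-]+)=(?:"([^"]*)"|(.*?))(?=\s+[\w-]+=|\s*$)')

# What the Apache configuration above asks the CA to issue, in RouterOS vocabulary:
# nonRepudiation -> content-commitment, OID 1.3.6.1.5.5.7.3.2 (clientAuth) -> tls-client.
EXPECTED_KEY_USAGE = {"digital-signature", "content-commitment", "key-encipherment", "tls-client"}


def parse_print_detail(text):
    """Return a list of dicts, one per certificate, with a 'flags' set and all key=value fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("Flags:"):
            continue
        m = ENTRY_START.match(line)
        if m:
            entries.append({"index": int(m.group(1)), "flags": set(m.group(2).split())})
            rest = m.group(3)
        elif entries:
            rest = line.strip()
        else:
            continue
        for key, quoted, bare in PAIR.findall(rest):
            entries[-1][key] = quoted if quoted else bare
    return entries


def check_issued(entries, name="test-name"):
    """Return a list of problems with the named certificate and its CA entry (empty = OK)."""
    by_name = {e.get("name"): e for e in entries}
    cert, ca = by_name.get(name), by_name.get(name + "_CA")
    if cert is None:
        return ["no certificate named " + name]
    problems = []
    if "K" not in cert["flags"]:
        problems.append("no private key stored with the certificate")
    if cert.get("status") != "idle":
        problems.append("SCEP enrolment still in progress: status=%s" % cert.get("status"))
    usage = set(cert.get("key-usage", "").split(","))
    if usage != EXPECTED_KEY_USAGE:
        problems.append("key-usage %s does not match the server configuration" % sorted(usage))
    if ca is None:
        problems.append("CA certificate %s_CA was not retrieved" % name)
    else:
        if cert.get("ca-fingerprint") != ca.get("fingerprint"):
            problems.append("ca-fingerprint does not match the CA entry's fingerprint")
        if cert.get("akid") != ca.get("skid"):
            problems.append("akid does not match the CA's skid; issued by a different key")
    return problems


if __name__ == "__main__":
    certs = parse_print_detail(SAMPLE)
    for c in certs:
        print(c["index"], sorted(c["flags"]), c["name"], c.get("invalid-after"))
    print("problems:", check_issued(certs))
```

The fingerprint comparison is the one that matters operationally: the CA entry is whatever the router fetched with GetCACert, so confirming that its fingerprint also matches the value published out of band for the Redwax interop CA closes the loop on which authority actually signed the router's certificate.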