SCEP Server URL: https://interop.redwax.eu
SCEP Alternative URL: http://interop.redwax.eu
Time Source: System Clock
Serial Numbers: Random
Simple Certificate Enrollment Protocol Demo/Interop
Interoperate with the Redwax Simple Certificate Enrollment Protocol module.
We have implemented a SCEP endpoint that allows you to test your client implementation against a Redwax Server.
The code being run is the most up-to-date build from trunk/main in source control, built and deployed automatically. The Redwax Interop server is for testing purposes only.

Redwax Module Configuration
The following configuration is used to implement this SCEP server. The configuration below is added to a standard secure virtualhost Apache configuration, as described here.
Configuration
Here we set the SCEP handler, and set the CA certificates and keys to be used for signing.
We also set an RA certificate and key that are used during the SCEP certificate issuing process. This RA certificate is signed by our CA certificate.
<IfModule !ca_module>
LoadModule ca_module /usr/lib64/httpd/modules/mod_ca.so
</IfModule>
<IfModule !ca_provider_module>
LoadModule ca_provider_module /usr/lib64/httpd/modules/mod_ca_provider.so
</IfModule>
<IfModule !ca_simple_module>
LoadModule ca_simple_module /usr/lib64/httpd/modules/mod_ca_simple.so
</IfModule>
<IfModule !scep_module>
LoadModule scep_module /usr/lib64/httpd/modules/mod_scep.so
</IfModule>
# Certificate provider: signs requests with the CA key and applies the
# extensions below to every certificate it issues.
<Location /test/provider>
CAProviderCertificate file:/etc/pki/interop/ca-cert.pem
CAProviderKey file:/etc/pki/interop/private/ca-key.pem
CAProviderCA file:/etc/pki/interop/ca-cert.pem
CAProviderDays 1
CASimpleTime on
CASimpleAlgorithm RSA rsa_keygen_bits=4096
CASimpleSerialRandom on
CAProviderExtension basicConstraints CA:FALSE
CAProviderExtension keyUsage critical,nonRepudiation,digitalSignature,keyEncipherment
CAProviderExtension extendedKeyUsage OID:1.3.6.1.5.5.7.3.2
CAProviderExtension subjectKeyIdentifier hash
CAProviderExtension authorityKeyIdentifier keyid,issuer
</Location>
# SCEP endpoint backed by the provider above; the RA certificate and key
# (signed by the CA) are used during the SCEP certificate issuing process.
<Location /test/provider/scep>
Require all granted
SetHandler scep
ScepRACertificate /etc/pki/interop/scep-ra.cert
ScepRAKey /etc/pki/interop/private/scep-ra.key
ScepSubjectRequest O
ScepSubjectRequest CN
ScepSubjectRequest C
ScepSubjectAltNameRequest rfc822Name
</Location>
SCEP with Apple MacOS and iOS
Apple's MacOS and iOS operating systems support SCEP via the mobileconfig profile as generated by Apple Configurator.
Mobileconfig
A mobileconfig profile is an XML file that contains a set of configurations for a MacOS or iOS device.
Download the mobileconfig file, or copy and paste the text below into a file. Open the file on MacOS, or from email on iOS or MacOS, and the SCEP client will request a test certificate from the Redwax SCEP server.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadContent</key>
<dict>
<key>Challenge</key>
<string>challenge-password</string>
<key>Key Type</key>
<string>RSA</string>
<key>Key Usage</key>
<integer>5</integer>
<key>Keysize</key>
<integer>2048</integer>
<key>Name</key>
<string>Redwax-Interop-Demo</string>
<key>Retries</key>
<integer>3</integer>
<key>RetryDelay</key>
<integer>10</integer>
<key>Subject</key>
<array>
<array>
<array>
<string>CN</string>
<string>test-certificate</string>
</array>
</array>
</array>
<key>SubjectAltName</key>
<dict>
<key>rfc822Name</key>
<string>test@example.com</string>
</dict>
<key>URL</key>
<string>https://interop.redwax.eu/test/provider/scep</string>
</dict>
<key>PayloadDescription</key>
<string>Configures SCEP settings</string>
<key>PayloadDisplayName</key>
<string>SCEP</string>
<key>PayloadIdentifier</key>
<string>com.apple.security.scep.C32A1326-E5B4-40DA-B8F5-988CABF3A9F4</string>
<key>PayloadType</key>
<string>com.apple.security.scep</string>
<key>PayloadUUID</key>
<string>C32A1326-E5B4-40DA-B8F5-988CABF3A9F4</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</array>
<key>PayloadDescription</key>
<string>This profile installs a testing certificate using the SCEP protocol.</string>
<key>PayloadDisplayName</key>
<string>Redwax Interop/Demo</string>
<key>PayloadIdentifier</key>
<string>Redwax.2BE8586E-E6A6-42A9-BD1D-4C3453CF5B44</string>
<key>PayloadOrganization</key>
<string>Redwax Project</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>3F2757AB-BE32-45BC-9874-4173C185778D</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
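Profiles with the shape shown above can be generated and sanity-checked programmatically. The following Python is an added example, not code from the Redwax page or project: it builds a profile with the same payload layout using only the standard library's plistlib, and lints a .mobileconfig before it is distributed, flagging a non-HTTPS enrolment URL, a short key or a missing challenge. The Key Usage value is Apple's bitmask (1 = signing, 4 = encryption); the function and finding names are my own.

```python
import plistlib
import uuid
from urllib.parse import urlparse

def build_scep_profile(url, common_name, email, challenge, keysize=2048):
    """Build a profile dict with the same shape as the demo mobileconfig above."""
    scep_uuid = str(uuid.uuid4()).upper()
    scep = {
        "PayloadContent": {
            "Challenge": challenge,
            "Key Type": "RSA",
            "Key Usage": 5,  # bitmask: 1 = signing, 4 = encryption, 5 = both
            "Keysize": keysize,
            # Subject is an array of RDNs; each RDN is an array of [type, value].
            "Subject": [[["CN", common_name]]],
            "SubjectAltName": {"rfc822Name": email},
            "URL": url,
        },
        "PayloadIdentifier": "com.apple.security.scep." + scep_uuid,
        "PayloadType": "com.apple.security.scep",
        "PayloadUUID": scep_uuid,
        "PayloadVersion": 1,
    }
    return {
        "PayloadContent": [scep],
        "PayloadDisplayName": "Redwax Interop/Demo",
        "PayloadIdentifier": "Redwax." + str(uuid.uuid4()).upper(),
        "PayloadType": "Configuration",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
    }

def to_mobileconfig(profile):
    return plistlib.dumps(profile)  # XML plist bytes, as iOS and macOS install them

def lint_mobileconfig(data):
    """Parse a .mobileconfig and list weak SCEP settings (empty list = clean)."""
    findings = []
    for p in plistlib.loads(data).get("PayloadContent", []):
        if p.get("PayloadType") != "com.apple.security.scep":
            continue
        c = p.get("PayloadContent", {})
        if urlparse(c.get("URL", "")).scheme != "https":
            findings.append("SCEP URL is not https")
        if c.get("Key Type") != "RSA" or c.get("Keysize", 0) < 2048:
            findings.append("key is not RSA of at least 2048 bits")
        if not c.get("Challenge"):
            findings.append("no challenge password")
    return findings
```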
Profile
Once installed, the profile will look similar to the following.
Certificate
The resulting certificate in the Keychain will look similar to the following.
SCEP with Mikrotik RouterOS
Mikrotik's Routerboard and RouterOS support a SCEP client, and can request certificates from a Redwax Server.
Command Line
Add a certificate template, followed by a SCEP definition, as follows.
[admin@router] /> /certificate
[admin@router] /certificate> add common-name=test-cn name=test-name
[admin@router] /certificate> add-scep template=test-name scep-url=http://interop.redwax.eu/test/provider/scep
Confirm that the certificate was requested and issued correctly.
[admin@router] /certificate> print detail
Flags: K - private-key; L - crl; C - smart-card-key; A - authority; I - issued, R - revoked; E - expired; T - trusted
0 K T name="test-name" digest-algorithm=sha256 trusted=yes common-name="test-cn"
subject-alt-name=""
issuer=O=Redwax Project,CN=Redwax Interop Testing Root Certificate Authority 2040
key-type=rsa key-size=2048
key-usage=digital-signature,content-commitment,key-encipherment,tls-client
days-valid=2 invalid-before=2025-09-11 21:50:53 invalid-after=2025-09-13 21:50:53
serial-number="a11be00e09c75666" akid=ed75de35143c4723f1b11ae413438cbbccc22b56
skid=6c326730c923afd2cf9820e584888e7311f39d8a
scep-url="http://interop.redwax.eu/test/provider/scep"
fingerprint="fd78e944cd7c57fd2d4ced4b887318c8f7914c8c5c5bd05cd486db5ef9c6d346"
ca-fingerprint="593685a2b4223e2634a74bc86125808e12c0680283ad6c67b44a6e3305c6230d"
expires-after=11h46m20s challenge-password="" status="idle"
1 T name="test-name_CA" digest-algorithm=sha1 trusted=yes
common-name="Redwax Interop Testing Root Certificate Authority 2040"
organization="Redwax Project" subject-alt-name=""
issuer=O=Redwax Project,CN=Redwax Interop Testing Root Certificate Authority 2040
key-type=rsa key-size=2048 days-valid=7300 invalid-before=2020-02-11 17:38:56
invalid-after=2040-02-06 17:38:56
serial-number="6f11b7d855d27d9a14f3b6e9152b60ca8c4be2aa"
akid=ed75de35143c4723f1b11ae413438cbbccc22b56
skid=ed75de35143c4723f1b11ae413438cbbccc22b56
fingerprint="593685a2b4223e2634a74bc86125808e12c0680283ad6c67b44a6e3305c6230d"
expires-after=751w2d7h34m23s
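Checking a listing like this by eye is error-prone. The following Python is an added example, not part of the page or of RouterOS: it parses the wrapped print detail output and confirms that the certificate holding the private key chains, by AKID/SKID, to a CA whose fingerprint matches a pinned value and that it carries the tls-client usage issued here. The sample listing is a trimmed copy of the output above; the function and finding names are my own.

```python
import re

# Constructed sample: a trimmed copy of the "print detail" listing above, keeping
# the wrapped layout RouterOS prints (continuation lines are indented).
SAMPLE = """\
Flags: K - private-key; T - trusted
 0 K T name="test-name" digest-algorithm=sha256 trusted=yes common-name="test-cn"
       issuer=O=Redwax Project,CN=Redwax Interop Testing Root Certificate Authority 2040
       key-usage=digital-signature,content-commitment,key-encipherment,tls-client
       serial-number="a11be00e09c75666" akid=ed75de35143c4723f1b11ae413438cbbccc22b56
       skid=6c326730c923afd2cf9820e584888e7311f39d8a
       ca-fingerprint="593685a2b4223e2634a74bc86125808e12c0680283ad6c67b44a6e3305c6230d"
 1 T name="test-name_CA" digest-algorithm=sha1 trusted=yes
       akid=ed75de35143c4723f1b11ae413438cbbccc22b56
       skid=ed75de35143c4723f1b11ae413438cbbccc22b56
       fingerprint="593685a2b4223e2634a74bc86125808e12c0680283ad6c67b44a6e3305c6230d"
"""

ENTRY = re.compile(r"^\s*(\d+)\s+((?:[A-Z]\s+)*)(name=.*)$")
# A value is double-quoted or runs until the next " key=" token, so unquoted
# values containing spaces (issuer=O=..., dates) are kept whole.
TOKEN = re.compile(r'([\w-]+)=("[^"]*"|.*?)(?=\s+[\w-]+=|$)')

def parse_print_detail(text):
    """Return one dict per certificate entry, with its flag letters under 'flags'."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({"flags": m.group(2).split(), "_raw": m.group(3)})
        elif entries and line.startswith(" "):
            entries[-1]["_raw"] += " " + line.strip()
    for e in entries:
        for key, val in TOKEN.findall(e.pop("_raw")):
            e[key] = val.strip('"')
    return entries

def check_enrolment(entries, pinned_ca_fingerprint):
    """Findings for the issued (private-key) certificate; an empty list means OK."""
    leaf = next((e for e in entries if "K" in e["flags"]), None)
    if leaf is None:
        return ["no certificate with a private key was issued"]
    # The issuing CA is the entry whose SKID equals the leaf's AKID.
    ca = next((e for e in entries if e.get("skid") == leaf.get("akid")), {})
    findings = []
    if ca.get("fingerprint") != pinned_ca_fingerprint:
        findings.append("issuing CA not found or its fingerprint does not match the pinned value")
    if leaf.get("ca-fingerprint") != ca.get("fingerprint"):
        findings.append("leaf ca-fingerprint disagrees with the stored CA")
    if "tls-client" not in leaf.get("key-usage", "").split(","):
        findings.append("issued certificate lacks tls-client key usage")
    return findings
```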
SCEP with Certmonger
The Certmonger certificate management daemon supports a SCEP client, and can request certificates from a Redwax Server. Certmonger is supported in many Linux distributions.
SCEP over HTTP
Add a SCEP definition and specify where the CA's certificate is to be saved as follows.
[root@linux ~]# getcert add-scep-ca --ca=redwax-interop \
--url=http://interop.redwax.eu/test/provider/scep
New CA "redwax-interop" added.
[root@linux ~]# getcert request --ca=redwax-interop \
--keyfile=/etc/pki/tls/private/test-certificate.key \
--certfile=/etc/pki/tls/certs/test-certificate.pem \
--key-usage=dataEncipherment \
--key-usage=digitalSignature \
--extended-key-usage=id-kp-clientAuth
New signing request "20250914102543" added.
[root@linux ~]# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20250914102543':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/etc/pki/tls/private/test-certificate.key'
certificate: type=FILE,location='/etc/pki/tls/certs/test-certificate.pem'
signing request thumbprint (MD5): A5D9C7FD DB51FC05 E096DDE1 1B31E6F3
signing request thumbprint (SHA1): F6EEF60A FBF22909 699C1666 3A332E8D 79D24338
CA: redwax-interop
issuer: O=Redwax Project,CN=Redwax Interop Testing Root Certificate Authority 2040
subject: CN=linux.local
issued: 2025-09-13 11:28:52 BST
expires: 2025-09-15 11:28:52 BST
key usage: digitalSignature,nonRepudiation,keyEncipherment
eku: id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
SCEP over HTTPS
When the SCEP server is hosted on a secure server, the CA certificate that issued the server's TLS certificate must be provided for the connection to be trusted. This must not be confused with the CA certificate that will sign the certificate received from the SCEP server; the two are separate trust relationships.
[root@linux ~]# getcert add-scep-ca --ca=redwax-interop-secure \
--url=https://interop.redwax.eu/test/provider/scep \
--ca-cert=/etc/pki/tls/certs/ca-bundle.crt
New CA "redwax-interop-secure" added.
[root@linux ~]# getcert request --ca=redwax-interop-secure \
--keyfile=/etc/pki/tls/private/test-certificate-secure.key \
--certfile=/etc/pki/tls/certs/test-certificate-secure.pem \
--key-usage=dataEncipherment --key-usage=digitalSignature \
--extended-key-usage=id-kp-clientAuth
New signing request "20250914105556" added.
[root@linux ~]# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20250914105556':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/etc/pki/tls/private/test-certificate-secure.key'
certificate: type=FILE,location='/etc/pki/tls/certs/test-certificate-secure.pem'
signing request thumbprint (MD5): 4A2180D8 C65A38FB 43120F65 AB3FC3F5
signing request thumbprint (SHA1): 2B78ABFF 0A224BD0 6B574EBA E156FF64 75D18A56
CA: redwax-interop-secure
issuer: O=Redwax Project,CN=Redwax Interop Testing Root Certificate Authority 2040
subject: CN=linux.local
issued: 2025-09-13 12:09:59 BST
expires: 2025-09-15 12:09:59 BST
key usage: digitalSignature,nonRepudiation,keyEncipherment
eku: id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes