Certificate Enrollment using SCEP
[Available from version 1.19] The device supports certificate enrollment using the Simple Certificate Enrollment Protocol (SCEP) against Microsoft's Network Device Enrollment Service (NDES) server, so that provisioning of device certificates and the CA certificate can be scaled to many devices.
After a device is provisioned with the SCEP-related configuration, it retrieves the CA certificate from the NDES, verifies it against the configured fingerprint, submits a Certificate Signing Request (CSR) to the NDES, and receives a device certificate signed by that CA certificate (the one it received from the NDES).
Configure the following three parameters:
■ security/SCEPEnroll/ca_fingerprint
■ security/SCEPEnroll/password_challenge
■ security/SCEPServerURL
The following table describes the SCEP parameters.
| Parameter | Description |
|---|---|
| security/SCEPEnroll/ca_fingerprint | Defines the thumbprint (hash value) of the CA certificate. Default: NULL. Network admins must set its value, for example: 3EBE50003ABF1DF5E6B5A3230B02B856 |
| security/SCEPEnroll/password_challenge | Defines the enrollment challenge password. Default: NULL. Network admins must set its value, for example: 7A7F9FC4BB7625F0935E67EA6D6322ED |
| security/SCEPServerURL | Defines the SCEP server URL. Default: NULL. If you use a Microsoft NDES server, use: |
| security/SCEPEnroll/renewal/advancethreshold | Defines the renewal advance threshold of the device certificate. Configure between 50 and 100 (in units of percentage). Default: 80. This means that renewal of the device certificate (device.crt) is initiated when 80 percent of its validity period has elapsed. |
| security/SCEPEnroll/rollover/advancethreshold | Specifies the point in the CA Root certificate's validity period at which to initiate a renewal. Configure between 50 and 100 (in units of percentage). Default: 90. This means that renewal of the CA Root certificate (CAROOT.crt) is initiated when 90 percent of its validity period has elapsed. |
| security/CSR/CommonName | Defines a value using the following 'wildcard' placeholders: {mac} - the device's MAC address; {IP} - the device's IP address; {model} - the device model |
| security/CSR/Country | Defines the country used to generate the Certificate Signing Request (CSR). Note: Use the ISO (International Organization for Standardization) code of the country / region in which the organization is located. |
| security/CSR/Email | Optionally, defines the email address used to generate the CSR. |
| security/CSR/Organization | Optionally, defines the legal name of the organization used to generate the CSR. |
| security/CSR/State | Optionally, defines the name of the state / province used to generate the CSR. |