Enrolling Certificates using SCEP
The device supports certificate enrollment over Simple Certificate Enrollment Protocol (SCEP) with Microsoft’s Network Device Enrollment Service (NDES) server, without requiring AudioCodes' OVOC. This allows provisioning of device certificates and CA certificates to be scaled to multiple devices.
After devices are provisioned with a SCEP-related configuration, they receive a CA certificate from the NDES (via the parameter ‘security/ca_certificate/0/uri’). They then issue a Certificate Signing Request (CSR) to the NDES and receive a device certificate signed by the received CA certificate.
Network administrators must configure the following three parameters:
- security/SCEPEnroll/ca_fingerprint
- security/SCEPEnroll/password_challenge
- security/SCEPServerURL
The following table shows the SCEP parameter descriptions.
| Parameter | Description |
|---|---|
| security/SCEPEnroll/ca_fingerprint | Define the thumbprint (hash value) for the CA certificate. Default value: NULL. Network admins must set its value as in the following example: 3EBE50003ABF1DF5E6B5A3230B02B856 |
| security/SCEPEnroll/password_challenge | Define the enrollment challenge password. Default value: NULL. Network admins must set its value as in the following example: 7A7F9FC4BB7625F0935E67EA6D6322ED |
| security/SCEPServerURL | Define the NDES server’s URL. Default: NULL. Network admins must set its value as in the following example: https://ndes_derver |
| security/SCEPEnroll/renewal/advancethreshold | Define the renewal advance threshold of the device certificate. Configure between 50 and 100 (in units of percentage). Default: 80. The default value indicates that a renewal of the certificate (device.crt) will be initiated when 80 percent of its validity is reached. |
| security/SCEPEnroll/rollover/advancethreshold | Specify the threshold of the CA Root certificate’s validity at which to initiate a renewal. Configure between 50 and 100 (in units of percentage). Default: 90. The default value indicates a renewal of the certificate (CAROOT.crt) will be initiated when 90 percent of its validity is reached. |
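The following is an added example, not AudioCodes code: an administrator-side check that computes a CA certificate's thumbprint from a PEM file obtained out of band and compares it with the value intended for security/SCEPEnroll/ca_fingerprint. The page does not name the hash algorithm, so the script assumes it from the value's length (32 hex digits, as in the table's example, is the size of an MD5 digest); all function names are hypothetical.

```python
import hashlib
import hmac
import ssl

# Assumption: the digest is picked from the length of the configured value.
# 32 hex digits (as in the table's example) is the size of an MD5 digest.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def normalize(fingerprint: str) -> str:
    """Strip separators that certificate viewers add and upper-case the hex digits."""
    cleaned = "".join(ch for ch in fingerprint if ch not in ": \t").upper()
    if len(cleaned) not in ALGO_BY_HEX_LEN or any(c not in "0123456789ABCDEF" for c in cleaned):
        raise ValueError("not a 32-, 40- or 64-digit hex fingerprint")
    return cleaned


def cert_fingerprint(pem: str, algo: str = "md5") -> str:
    """Hash the DER encoding of a PEM certificate; returns upper-case hex."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.new(algo, der).hexdigest().upper()


def matches_configured(pem: str, configured: str) -> bool:
    """True if the certificate hashes to the configured ca_fingerprint value."""
    want = normalize(configured)
    got = cert_fingerprint(pem, ALGO_BY_HEX_LEN[len(want)])
    return hmac.compare_digest(got, want)


# Constructed stand-in bytes wrapped in PEM armor; not a real CA certificate.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed placeholder, not a real certificate")

if __name__ == "__main__":
    value = cert_fingerprint(SAMPLE_PEM)
    print("security/SCEPEnroll/ca_fingerprint =", value)
    print("matches:", matches_configured(SAMPLE_PEM, value))
```

Replace SAMPLE_PEM with the contents of the CA certificate exported from the issuing CA, and confirm the resulting value against the thumbprint shown by the CA itself before provisioning devices with it.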