Venafi Trust Protection Platform 18.2 and prior versions
Venafi Trust Protection Platform (TPP) can act as a SCEP server. This feature is referred to as Network Device Enrollment (NDE). This article describes the steps to set up and configure TPP and SSCEP, a command-line SCEP client, to work together.
First, Configure TPP for SCEP:
Configure NDE on TPP side in WebAdmin:
1. Create Password object to use for SCEP requests
2. Go to Platform Tree to configure NDE settings
3. Select the Engine or the root of the Platform tree and go to "Network Device Enrollment" > Settings
4. Configure settings:
Enable "SCEP Reply Delay"
Default Challenge Password = Password for requests to use
Default Certificate Container = Where to create cert objects
Default Certificate Authority = What CA Template to use
RA Certificate = Certificate used for the Registration Authority (a certificate issued by the CA we are going to use)
5. Save settings and restart IIS
Then, Validate it's working:
There are two tools for validating SCEP. The recommended tool is VisualScep, found here along with a PDF showing you how to use it.
A third-party command-line tool is SSCEP, found here.
After unpacking this tool on a system that has access to the TPP SCEP server, you can run the following requests to test it, substituting your TPP server in the commands where appropriate:
- Generate a request providing a Common Name and the Challenge Password when prompted by openssl:
openssl.exe req -config scep.cnf -new -key priv.key -out test.csr
- Retrieve the CA and RA certificates from your SCEP (NDE) server:
sscep.exe getca -u http://venafiserver.local/vedscep/ -c ca.crt
- Enroll a new certificate, making sure to specify the correct RA certificate with the -c flag (getca may return more than one certificate, so validate which one is appropriate):
sscep.exe enroll -u http://venafiserver.local/vedscep/ -k priv.key -r test.csr -l test.crt -c ca.crt-0
If things work, the issued certificate is stored in test.crt.
What to look at when things aren't working?
- Check the Engine object logs in Platform tree for "Network Device Enrollment" errors or Default SQL Channel logs
- Check to see if the Certificate object got created
- Did creating and retrieving the cert take too long?
- Was there an issue during certificate enrollment?
- Are you able to create a cert in the console in that folder with that CA without SCEP?
- Check that the RA Cert is correct
- Check that CA Template has root/intermediate certs configured
- Check SCEP server url and that it is http (not https)
- Double check that challenge password in CSR is correct:
openssl req -in test.csr -noout -text
- Check that the vedscep URL (http://venafiserver.local/vedscep/) works with a browser. It should return "Bad Request...."
- If you keep getting Forbidden and/or 403 errors, check that your service account has been added to the IIS_IUSERS group.
- Check that the Code Sign Protect client is not installed on the TPP server; it should not be, so remove it if it is.
- If you see this error in the Default SQL Channel log: "Network Device Enrollment - HTTP Authentication Failure PKIOperation request failed HTTP authentication. Request received from x.x.x.x", it means that you have restricted authorized users and your SCEP client is not passing (or is incorrectly passing) authentication for that user/group. Test by removing the users and restarting IIS.
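The openssl -text check in the list above prints the challenge password among everything else in the CSR. As an added example (not part of this article, TPP or SSCEP), the following stand-alone Python 3 script walks the DER of a PKCS#10 request with only the standard library and returns the challengePassword attribute (OID 1.2.840.113549.1.9.7), so a CSR such as test.csr can be compared against the Default Challenge Password configured on TPP before you enroll. The sample CSR the script builds for itself is constructed: its attribute layout is real, but the key and signature are dummy bytes, and the password values are made up.

```python
"""Extract the challengePassword attribute from a PKCS#10 CSR (stdlib only).
Added example; the DER walker below is minimal and trusts well-formed input."""
import base64
import hmac
import re
import sys

CHALLENGE_PASSWORD_OID = "1.2.840.113549.1.9.7"   # pkcs-9 challengePassword


def _read_tlv(data, pos):
    """Decode one DER TLV at pos; return (tag, value bytes, next position)."""
    tag, pos = data[pos], pos + 1
    length, pos = data[pos], pos + 1
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each TLV inside a constructed value (SEQUENCE/SET)."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def _decode_oid(raw):
    """Decode OID content octets into dotted form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def pem_to_der(pem):
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))


def der_to_pem(der):
    return ("-----BEGIN CERTIFICATE REQUEST-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE REQUEST-----\n")


def csr_challenge_password(der):
    """Return the challengePassword string from a DER CSR, or None if absent.
    CertificationRequest ::= SEQUENCE { certificationRequestInfo, sigAlg, signature }
    certificationRequestInfo ::= SEQUENCE { version, subject, spki, [0] attributes }"""
    tag, cert_req, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    info = next(_children(cert_req))[1]                  # certificationRequestInfo
    for tag, attrs in _children(info):
        if tag != 0xA0:                                   # [0] IMPLICIT SET OF Attribute
            continue
        for _, attribute in _children(attrs):             # Attribute ::= SEQUENCE { type, values }
            parts = list(_children(attribute))
            if _decode_oid(parts[0][1]) == CHALLENGE_PASSWORD_OID:
                _, value = next(_children(parts[1][1]))   # first value in the SET
                return value.decode("utf-8")              # PrintableString or UTF8String
    return None


def challenge_password_matches(pem_text, expected):
    """Constant-time comparison of the CSR's challenge password with the expected one."""
    found = csr_challenge_password(pem_to_der(pem_text))
    return found is not None and hmac.compare_digest(found.encode(), expected.encode())


# --- constructed sample CSR (dummy key and signature, real PKCS#10 layout) ---
def _tlv(tag, payload):
    n = len(payload)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n])   # payloads here stay < 256 bytes
    return bytes([tag]) + length + payload


def build_sample_csr(password=None):
    cn = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x13, b"scep-test"))   # CN=scep-test
    subject = _tlv(0x30, _tlv(0x31, cn))
    rsa_alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + _tlv(0x05, b""))
    spki = _tlv(0x30, rsa_alg + _tlv(0x03, b"\x00" * 17))                     # dummy key bits
    attrs = b""
    if password is not None:
        attr = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x07")
                    + _tlv(0x31, _tlv(0x13, password.encode())))
        attrs = _tlv(0xA0, attr)
    info = _tlv(0x30, _tlv(0x02, b"\x00") + subject + spki + attrs)
    sig_alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _tlv(0x05, b""))
    return _tlv(0x30, info + sig_alg + _tlv(0x03, b"\x00" * 17))               # dummy signature


if __name__ == "__main__":
    if len(sys.argv) > 1:                                 # usage: python csr_pw.py test.csr
        with open(sys.argv[1]) as f:
            print(csr_challenge_password(pem_to_der(f.read())))
    else:
        print(csr_challenge_password(build_sample_csr("SecretChallenge")))
```

Run it with the path to your test.csr to print the password SSCEP will send; compare the result with the Default Challenge Password set in NDE settings. A None result means openssl never added the attribute, which usually points at the scep.cnf used with -config.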
Another possible resource can be found here:
The above image may be small, so it is also attached.