Venafi Trust Protection Platform (TPP) can act as a SCEP server. This feature is referred to as Network Device Enrollment (NDE). This article describes the steps to set up and configure TPP and SSCEP, a command-line SCEP client, to work together.
Configure NDE on the TPP side in WebAdmin:
1. Create a Password object to use for SCEP requests
2. Go to the Platform Tree to configure NDE settings
3. Select the Engine or the root of the Platform tree and go to "Network Device Enrollment" > Settings
4. Configure settings:
Enable "SCEP Reply Delay"
Default Challenge Password = Password for requests to use
Default Certificate Container = Where to create cert objects
Default Certificate Authority = What CA Template to use
RA Certificate = Certificate used for the Registration Authority (a certificate issued by the CA we are going to use)
5. Save settings and restart IIS
Use SSCEP to test NDE:
1. Unzip SSCEP (found here: http://secadmins.com/index.php/ndes-scep-windows-test-tool/)
2. Generate a certificate request providing a Common Name and the Challenge Password when prompted by openssl:
openssl.exe req -config scep.cnf -new -key priv.key -out test.csr
3. Retrieve the CA and RA certificates from your SCEP/NDES server:
sscep.exe getca -u http://venafiserver.local/vedscep/ -c ca.crt
4. Enroll a new certificate, making sure to specify the correct RA certificate (-c flag):
sscep.exe enroll -u http://venafiserver.local/vedscep/ -k priv.key -r test.csr -l test.crt -c ca.crt-0
5. If things work, the certificate is stored in test.crt
What to look at when things aren't working?
1. Check the Engine object logs in the Platform tree for "Network Device Enrollment" errors
2. Check whether the Certificate object was created
- Did creating and retrieving the cert take too long?
- Was there an issue during certificate enrollment?
3. Check that the RA certificate is correct
4. Check that the CA Template has the root/intermediate certificates configured
5. Check the SCEP server URL and that it uses http (not https)
6. Double-check that the challenge password in the CSR is correct:
openssl req -in test.csr -noout -text
7. Check that the vedscep URL (http://venafiserver.local/vedscep/) works in a browser. It should return "Bad Request"
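The following script is an added example, not part of this article and not code shipped by Venafi or the SSCEP project. It wires the SSCEP test run (steps 1-5 above) together with two of the troubleshooting checks: that the SCEP URL is plain http and points at /vedscep/, and that the CSR actually carries a challengePassword attribute before it is sent. It assumes a POSIX shell with openssl and sscep in PATH (the article uses the Windows .exe builds; the flags are the same), reuses the article's placeholder host venafiserver.local and file names, and the scep.cnf it writes is an assumed minimal layout rather than the config bundled with SSCEP.

```shell
#!/bin/sh
# Added example (not from the article, Venafi or SSCEP): wrapper around the
# SSCEP test run plus the URL and CSR checks from the troubleshooting list.
# venafiserver.local and the file names are the article's placeholders; the
# scep.cnf layout below is an assumption, not SSCEP's shipped config.
set -u

SCEP_URL="${SCEP_URL:-http://venafiserver.local/vedscep/}"

# Troubleshooting item 5: the URL must be plain http and end in /vedscep/.
# Returns 0 when the URL has the expected shape, 1 otherwise.
check_scep_url() {
    case "$1" in
        http://*/vedscep/) return 0 ;;
        https://*) echo "SCEP URL must use http, not https: $1" >&2; return 1 ;;
        *) echo "expected http://<host>/vedscep/, got: $1" >&2; return 1 ;;
    esac
}

# Write an openssl req config that prompts for the Common Name and for the
# challengePassword attribute, so the CSR carries the TPP challenge password.
write_scep_cnf() {
    cat > "$1" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = yes
distinguished_name = req_dn
attributes         = req_attrs

[ req_dn ]
commonName         = Common Name (device FQDN)
commonName_max     = 64

[ req_attrs ]
challengePassword     = Challenge Password (TPP Default Challenge Password)
challengePassword_max = 64
EOF
}

# Troubleshooting item 6: confirm the CSR contains a challengePassword
# attribute at all. Returns 0 if present, 1 if missing.
csr_has_challenge_password() {
    openssl req -in "$1" -noout -text 2>/dev/null | grep -q 'challengePassword'
}

# The SSCEP test sequence (steps 1-5), with the checks applied before each
# network step so a bad URL or an empty CSR fails fast with a clear message.
run_enrollment() {
    check_scep_url "$SCEP_URL" || return 1
    write_scep_cnf scep.cnf
    openssl genrsa -out priv.key 2048
    openssl req -config scep.cnf -new -key priv.key -out test.csr
    csr_has_challenge_password test.csr || { echo "CSR has no challengePassword attribute" >&2; return 1; }
    sscep getca -u "$SCEP_URL" -c ca.crt || return 1
    # getca writes ca.crt-0, ca.crt-1, ... when the server returns a chain;
    # step 4 of the article passes the RA certificate file to -c.
    sscep enroll -u "$SCEP_URL" -k priv.key -r test.csr -l test.crt -c ca.crt-0 || return 1
    # Show what came back: subject, issuer and validity of the issued cert.
    openssl x509 -in test.crt -noout -subject -issuer -dates
}

# Only perform the enrollment when invoked as: sh scep-test.sh run
if [ "${1:-}" = "run" ]; then
    run_enrollment
fi
```

Override the target with `SCEP_URL=http://yourserver/vedscep/ sh scep-test.sh run`; the URL check rejects https up front because SCEP itself carries its own signing and encryption and TPP's NDE endpoint is served over plain http, as the troubleshooting list notes.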
Other SCEP-related resources:
SSCEP source code - https://github.com/certnanny/sscep
NDES/SCEP Windows Test Tool - http://secadmins.com/index.php/ndes-scep-windows-test-tool/