
How To: Configure SCEP - Cisco IOS

Through the NDES configuration, Venafi Trust Protection Platform can receive SCEP requests from many different network-connected devices. Before you start, make sure you have completed the prerequisite steps from the SCEP/NDES configuration in the documentation found here:

https://docs.venafi.com/Docs/current/TopNav/Content/Devices/t-devices-NDE-server-support-configuring.php


Once the TPP platform is configured for SCEP requests, you can test it by requesting the SCEP URL on one of your web servers, https://serverurl/vedscep. If you can reach this URL in your environment and it shows ready, you are ready to test the request with either ssceptoolbox, a third-party tool that runs on Windows and sends SCEP requests (http://secadmins.com/index.php/ndes-scep-windows-test-tool/), or the Venafi VisualScep utility from the support ecosystem (https://support.venafi.com/hc/en-us/articles/115002868072-VisualScep-Utility).

SUMMARY STEPS for configuring the Cisco device to make the request

  1. enable
  2. configure terminal
  3. crypto pki trustpoint name
  4. enrollment selfsigned
  5. subject-name [x.500-name]
  6. rsakeypair key-label [key-size [encryption-key-size]]
  7. crypto pki enroll name
  8. end
  9. show crypto pki certificates [trustpoint-name [verbose]]
  10. show crypto pki trustpoints [status | label [status]]

Figure 1: State Transition Diagram

The certificate issue process starts at state CERT-NONEXISTENT. Sending a PKCSReq/RenewalReq message changes the state to CERT-REQ-PENDING.

If the CA returns a CertRep message with pkiStatus set to SUCCESS then the state changes to CERT-ISSUED.

If the CA returns a CertRep message with pkiStatus set to FAILURE or there is no response then the state reverts back to CERT-NONEXISTENT.

If the CA returns a CertRep message with pkiStatus set to PENDING then the client will keep polling by sending a CertPoll message until either a CertRep message with status set to SUCCESS or FAILURE is received or a timeout occurs or the maximum number of polls has been exceeded.

A successful transaction in automatic mode:

    CLIENT                              CA SERVER

PKCSReq: PKI cert. enrolment message
--------------------------------> CertRep: pkiStatus = SUCCESS
                                  Certificate attached
                                  <------------------------------
Receive issued certificate.


A successful transaction in manual mode:

    CLIENT                              CA SERVER

PKCSReq: PKI cert. enrolment message
--------------------------------> CertRep: pkiStatus = PENDING
                                  <------------------------------
CertPoll: Polling message
--------------------------------> CertRep: pkiStatus = PENDING
                                  <------------------------------
................ <Manual identity authentication> ...............

CertPoll: Polling message
--------------------------------> CertRep: pkiStatus = SUCCESS
                                  Certificate attached
                                  <------------------------------
Receive issued certificate.
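To make the state transitions above concrete, here is an added example (not Venafi, Cisco or SCEP reference code) that models the client side of the enrolment transaction. The CA is simulated by a constructed list of pkiStatus values; message signing, PKCS#7 enveloping and HTTP transport are out of scope, and `max_polls` is an assumed client-side limit.

```python
from enum import Enum


class State(Enum):
    """Client-side certificate states from the SCEP state transition diagram."""
    CERT_NONEXISTENT = "CERT-NONEXISTENT"
    CERT_REQ_PENDING = "CERT-REQ-PENDING"
    CERT_ISSUED = "CERT-ISSUED"


# pkiStatus values a CertRep message can carry.
SUCCESS, FAILURE, PENDING = "SUCCESS", "FAILURE", "PENDING"


def enroll(ca_responses, max_polls=3):
    """Run one enrolment transaction against a simulated CA.

    ca_responses: constructed list of pkiStatus values, in the order the CA
    returns them. The first answers the PKCSReq; each further entry answers
    the next CertPoll. Running out of entries models "no response" (timeout).
    Returns (final_state, transcript) where transcript lists messages sent.
    """
    responses = iter(ca_responses)
    transcript = ["PKCSReq"]                 # sending PKCSReq/RenewalReq ...
    state = State.CERT_REQ_PENDING           # ... moves us to CERT-REQ-PENDING
    status = next(responses, None)           # None == no CertRep received
    polls = 0
    while status == PENDING:
        if polls >= max_polls:               # maximum number of polls exceeded
            return State.CERT_NONEXISTENT, transcript
        transcript.append("CertPoll")        # keep polling while PENDING
        polls += 1
        status = next(responses, None)
    if status == SUCCESS:
        state = State.CERT_ISSUED            # certificate attached to CertRep
    else:
        state = State.CERT_NONEXISTENT       # FAILURE or timeout: revert
    return state, transcript


if __name__ == "__main__":
    # Automatic mode: one PKCSReq, immediate SUCCESS.
    print(enroll([SUCCESS]))
    # Manual mode: two CertPolls while the operator authenticates, then SUCCESS.
    print(enroll([PENDING, PENDING, SUCCESS]))
    # CA never answers beyond PENDING: poll limit reached, state reverts.
    print(enroll([PENDING] * 5))
```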


A certificate query message is defined for clients to retrieve a copy of their own certificate from the CA. It allows clients that do not store their certificates locally to obtain a copy when needed. This functionality is not intended to provide a general purpose certificate access service, which may be achieved via HTTP certificate-store access or LDAP.

To query a certificate from the CA, a client sends a request consisting of the certificate's issuer name and serial number. This assumes that the client has saved the issuer name and the serial number of the issued certificate from the previous enrolment transaction. The transaction to query a certificate consists of one GetCert (Section 3.3.4) message and one CertRep (Section 3.3.2) message, as shown below.

   CLIENT                               CA SERVER

GetCert: PKI certificate query message
-------------------------------> CertRep: pkiStatus = SUCCESS
                                 Certificate attached
                                 <-----------------------------
Receive the certificate.


Supporting articles for the SCEP tech sheet and Cisco PKI deployment:

https://tools.ietf.org/id/draft-gutmann-scep-09.html

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/15-mt/sec-pki-15-mt-book/sec-cert-enroll-pki.html
