Obtaining Digital Certificates through SCEP
You can use SCEP to help manage how you obtain digital certificates, or you can manually add certificates.
For information about manually obtaining certificates, see Manually Obtaining Digital Certificates.
To add a signed certificate that you obtain through SCEP:
- Request a CA certificate through SCEP.

    user@host> request security get-ca-certificate url url ca-identifier ca_identifier

  url is the URL of the certificate authority (which is the SCEP server).
  ca_identifier is the identifier that designates the authority.

  For example, to request a certificate from the CA authority SdxCA at a specified URL on the server security_server:

    user@host> request security get-ca-certificate url http://security_server:8080/ejbca/publicweb/apply/scep/pkiclient.exe ca-identifier SdxCA
    Version: 3
    Serial Number: 5721058705923989279
    Signature Algorithm: SHA1withRSA
    Issuer: CN=SdxCA
    Valid From: Wed Sep 06 17:00:55 EDT 2006
    Valid Until: Sat Sep 03 17:10:55 EDT 2016
    Subject: CN=SdxCA
    Public key: RSA
    Thumbprint Algorithm: SHA1
    Thumbprint: 3c 57 a9 77 af 83 3 e9 c7 1e ee e2 4a e8 ff f3 89 f4 11 a9
    Do you want to add the above certificate as a trusted CA [yes,no] ? (no) y
- Request that the certificate authority automatically sign the certificate request.

    user@host> request security enroll subject subject password password

  subject is the distinguished name of the SRC host; for example, cn=myhost.
  password is the password received from the certificate authority for the specified subject.

  For example, to request a certificate from the CA authority SdxCA at a specified URL on the server security_server:

    user@host> request security enroll url http://security_server:8080/ejbca/publicweb/apply/scep/pkiclient.exe identifier web ca-identifier SdxCA subject cn=myhost password mypassword
    Received certificate:
    Version: 3
    Serial Number: 6822890691617224432
    Signature Algorithm: SHA1withRSA
    Issuer: CN=SdxCA
    Valid From: Tue Sep 19 16:33:11 EDT 2006
    Valid Until: Thu Sep 18 16:43:11 EDT 2008
    Subject: CN=myhost
    Public key: RSA
    Do you want to install the above certificate [yes,no] ? (no) y
- Verify that the certificate is part of the SRC configuration.

    user@host> show security certificate
    web subject:CN=myhost

  If there are no certificates on the system, the CLI displays the following message:

    No entity certificates in key store
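Before answering yes at the "add the above certificate as a trusted CA" prompt in the first step, the displayed SHA1 thumbprint should be compared with the fingerprint the CA operator published out of band; the CLI itself cannot tell a genuine CA from a substituted one. The following Python is an added example, not SRC code: it builds the SCEP GetCACert request URL for the page's server and CA identifier (the operation and message query parameters are those defined in RFC 8894) and compares a CLI-style thumbprint against a published fingerprint. It assumes the single-digit group in the page's output ("3") is a byte whose leading zero was dropped by the formatter.

```python
import hashlib
import urllib.parse

# Values taken from the page's example command.
SCEP_URL = "http://security_server:8080/ejbca/publicweb/apply/scep/pkiclient.exe"
CA_IDENTIFIER = "SdxCA"


def get_ca_cert_url(scep_url, ca_identifier):
    """URL a SCEP client fetches for the GetCACert operation (RFC 8894, section 4.2)."""
    query = urllib.parse.urlencode({"operation": "GetCACert", "message": ca_identifier})
    return f"{scep_url}?{query}"


def normalize_thumbprint(text):
    """Canonical SHA-1 thumbprint: 40 lowercase hex characters.

    Accepts 'aa:bb:...', 'AA BB ...', a bare hex string, and the SRC CLI's display,
    which (assumption) prints a byte below 0x10 as a single digit, e.g. '3' for '03'.
    """
    groups = text.replace(":", " ").split()
    if len(groups) == 1:  # bare hex string: split into byte-sized groups
        groups = [groups[0][i:i + 2] for i in range(0, len(groups[0]), 2)]
    if len(groups) != 20:
        raise ValueError(f"expected 20 bytes for SHA-1, got {len(groups)}")
    return "".join(g.zfill(2).lower() for g in groups)


def sha1_thumbprint(der_bytes):
    """SHA-1 over the DER encoding, i.e. the 'Thumbprint Algorithm: SHA1' value."""
    return hashlib.sha1(der_bytes).hexdigest()


def thumbprint_matches(displayed, published):
    """True only when the CLI's displayed thumbprint equals the published one."""
    return normalize_thumbprint(displayed) == normalize_thumbprint(published)


# Constructed inputs: the thumbprint shown in the page's output and a fake DER blob.
DISPLAYED = "3c 57 a9 77 af 83 3 e9 c7 1e ee e2 4a e8 ff f3 89 f4 11 a9"
CONSTRUCTED_DER = b"-- constructed bytes, not a real X.509 certificate --"

if __name__ == "__main__":
    print(get_ca_cert_url(SCEP_URL, CA_IDENTIFIER))
    published = "3C:57:A9:77:AF:83:03:E9:C7:1E:EE:E2:4A:E8:FF:F3:89:F4:11:A9"
    print("accept CA" if thumbprint_matches(DISPLAYED, published) else "reject CA")
```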