Obtaining Certificates Automatically Using SCEP
Setting | Default | AWI | OSD | Management Console |
---|---|---|---|---|
SCEP Server URL | ||||
Certificate usage | ||||
Challenge Password | ||||
Issuing CA Certificate | ||||
Client Certificate | ||||
CA Identifier | ||||
Request Certificates (button) | ||||
Status | ||||
You can simplify the retrieval and installation of digital certificates by enabling devices to obtain certificates automatically from a Simple Certificate Enrollment Protocol (SCEP) server. You can obtain certificates for:
- Administrative Web Interface: Allows you to use SCEP to request a custom certificate for the Administrative Web Interface (AWI).
- 802.1X: Allows you to use SCEP to request a custom certificate to use in your 802.1X configuration.

Enabling 802.1X
To use 802.1X, you must also enable it on the Configuration > Networking page of the OSD or AWI.
SCEP Behaviors
The following behaviors are observed when using SCEP to obtain your 802.1X or AWI certificates.
- A successful SCEP request for a certificate will install the SCEP certificate in the endpoint's certificate store.
- A successful SCEP request for a certificate will no longer store the Root CA certificate in the endpoint's certificate store.
- The OSD and AWI SCEP tab will display the Subject and Issuer names of the SCEP client certificate.
- Deleting an AWI SCEP certificate will cause it to revert to using the default AWI certificate. A reboot is required.
- Removing an 802.1X SCEP certificate happens immediately. The endpoint will fail 802.1X authentication on the next connection attempt or on the next automatic polling with the 802.1X switch.
- Additional successful SCEP requests will overwrite any previously installed SCEP certificates for the same usage.
- The Tera2 endpoint generates its own 3072-bit SCEP RSA private key when a certificate is requested. This key is used to construct a PKCS#10-formatted certificate request, which is then delivered to the SCEP server.
- Endpoint SCEP certificate requests include the following parameters:
    - Subject Name: PCoIP Device Name
    - Subject Alt Name: MAC Address, User Principal Name (UPN), and the Fully Qualified Domain Name (FQDN)
- The following cryptography algorithms are used to generate a Zero Client SCEP request:
    - Content Key Encryption Algorithm: RSAES-OAEP
    - Hash Algorithm: SHA384
    - Content Encryption Algorithm: AES-256-CBC
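
On the CA or RA side, the PKCS#10 request recovered from the SCEP envelope can be checked against the profile listed above (RSA key of 3072 bits, SHA384, device name as Subject Name, FQDN in Subject Alt Name) before a certificate is issued. The following is an added example and not part of the original documentation; it uses the Python `cryptography` package, the function names and sample values are hypothetical, and it assumes the FQDN is carried as a DNS-type Subject Alt Name entry, which this page does not state.

```python
# Added example: policy check for an endpoint-style PKCS#10 request (not vendor code).
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def check_csr(csr_pem: bytes, device_name: str, fqdn: str) -> list:
    """Return a list of policy violations; an empty list means the CSR conforms."""
    csr = x509.load_pem_x509_csr(csr_pem)
    problems = []
    if not csr.is_signature_valid:
        problems.append("self-signature does not verify")
    key = csr.public_key()
    if not isinstance(key, rsa.RSAPublicKey) or key.key_size < 3072:
        problems.append("public key is not RSA with at least 3072 bits")
    if not isinstance(csr.signature_hash_algorithm, hashes.SHA384):
        problems.append("request is not signed with SHA-384")
    cns = [a.value for a in csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    if cns != [device_name]:
        problems.append(f"subject CN {cns} does not match the device name")
    try:
        san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        dns = san.get_values_for_type(x509.DNSName)  # assumption: FQDN is a dNSName entry
    except x509.ExtensionNotFound:
        dns = []
    if fqdn not in dns:
        problems.append("FQDN missing from Subject Alt Name")
    return problems


def make_csr(bits: int, digest: hashes.HashAlgorithm, cn: str, fqdn: str) -> bytes:
    """Build a constructed sample request standing in for an endpoint's CSR."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    builder = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(fqdn)]), critical=False)
    )
    return builder.sign(key, digest).public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    name, fqdn = "zc-lab-01", "zc-lab-01.example.test"  # constructed sample values
    good = make_csr(3072, hashes.SHA384(), name, fqdn)
    weak = make_csr(2048, hashes.SHA256(), name, fqdn)
    print(check_csr(good, name, fqdn))  # conforming request
    print(check_csr(weak, name, fqdn))  # undersized key and wrong hash
```
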
OSD SCEP page
AWI SCEP page
The following settings display on the OSD and AWI SCEP pages:
SCEP Parameters
Parameter | Description |
---|---|
SCEP Server URL | Enter the URL for the SCEP server that is configured to issue certificates for the device. |
Certificate Usage | There are two options: |
Challenge Password | Enter the password required by the SCEP server. |
Issuer CA Certificate | Displays the Issuer CA certificate that signed the client certificate. (The endpoint no longer stores the Root CA certificate) |
Client Certificate | Displays the name of the client certificate that has been installed in the device. |
CA Identifier | A string provided by your CA issuer that uniquely identifies the Certificate Authority when providing certificates for SCEP requests. |
Request Certificates (button) | After entering the SCEP server address, password, certificate usage, and CA Identifier, click this button to retrieve certificates. |
Status | Displays the status of the request (for example, requesting, successful, failed). |
To obtain certificates using SCEP:
- Open the SCEP page:
    - From the OSD, select Options > Configuration > SCEP.
    - From the AWI, select Configuration > SCEP.
- Select the Certificate Usage type.
- Enter the URL and challenge password for the SCEP server.
- Enter the CA Identifier if required. Provide a valid CA Identifier or use "CAIdentifier" (default).
- Click Request Certificates to retrieve the certificate. The issuing CA and client certificates display after a successful SCEP request.

The Status section displays the status of the request, such as Requesting, Request completed, or Request failed.
To delete your SCEP certificate:
- Browse to the AWI Upload > Certificates page.
- Click the Remove button beside the certificate you wish to remove.
- Click Apply and then Continue.