Obtaining Certificates Automatically Using SCEP

Setting Default AWI OSD Management Console
SCEP Server URL
Certificate usage
Challenge Password
Issuing CA Certificate
Client Certificate
CA Identifier
Request Certificates (button)
Status

You can simplify the retrieval and installation of digital certificates by enabling devices to obtain certificates automatically from a Simple Certificate Enrollment Protocol (SCEP) server. You can obtain certificates for:

  • Administrative Web Interface: Allows you to use SCEP to request a custom certificate for the Administrative Web Interface (AWI).

  • 802.1X: Allows you to use SCEP to request a custom certificate to use in your 802.1X configuration.

    Enabling 802.1X

    Enabling 802.1X also requires enabling 802.1X in the Configuration > Networking page of the OSD or AWI.

SCEP Behaviors

The following behaviors are observed when using SCEP to obtain your 802.1X or AWI certificates.

  • A successful SCEP request for a certificate will install the SCEP certificate in the endpoint's certificate store.

  • A successful SCEP request for a certificate will no longer store the Root CA certificate in the endpoint's certificate store.

  • The OSD and AWI SCEP tab will display the Subject and Issuer names of the SCEP client certificate.

  • Deleting an AWI SCEP certificate will cause it to revert to using the default AWI certificate. A reboot is required.

  • Removing an 802.1X SCEP certificate happens immediately. The endpoint will fail 802.1X authentication on the next connection attempt or on the next automatic polling with the 802.1X switch.

  • Additional successful SCEP requests will overwrite any previously installed SCEP certificates for the same usage.

  • The Tera2 endpoint generates its own 3072-bit SCEP RSA private key when a certificate is requested. This key is used to construct a PKCS#10-formatted certificate request, which is then delivered to the SCEP server.

  • Endpoint SCEP certificate requests include the following parameters:

    • Subject Name: PCoIP Device Name

    • Subject Alt Name: MAC Address, User Principal Name (UPN), and the Fully Qualified Domain Name (FQDN)

The following cryptography algorithms are used to generate a Zero Client SCEP request:

  • Content Key Encryption Algorithm: RSAES-OAEP

  • Hash Algorithm: SHA384

  • Content Encryption Algorithm: AES-256-CBC
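
To confirm that a CA template accepts a request of this shape before pointing endpoints at the SCEP server, the added example below (not the vendor's code) uses the openssl CLI to build a test PKCS#10 request with a 3072-bit RSA key and then checks a CSR against the key size and hash listed above. The device name and FQDN are constructed, and two things are assumptions: that the SHA384 hash also applies to the CSR signature, and that the FQDN is carried as a DNS-type SAN entry. The MAC address and UPN entries are omitted because the page does not give their encoding, and the RSAES-OAEP and AES-256-CBC settings are not exercised here.

```shell
#!/bin/sh
# Added example. Device name and FQDN are constructed values; the DNS-type SAN
# entry and the SHA-384 CSR signature are assumptions, not stated by the page.

# make_test_csr DIR DEVICE_NAME FQDN
# Creates DIR/test.key (3072-bit RSA) and DIR/test.csr (PKCS#10, SHA-384).
make_test_csr() {
    openssl req -new -newkey rsa:3072 -nodes -sha384 \
        -keyout "$1/test.key" -out "$1/test.csr" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$3" 2>/dev/null
}

# check_csr FILE
# Returns 0 only if the request's self-signature verifies and it uses the key
# size and hash checked below; a distinct non-zero code names the failed check.
check_csr() {
    # The "verify OK" text is matched because older openssl releases exit 0
    # even when the self-signature check fails.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    text=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$text" | grep -q 'Public-Key: (3072 bit)' || return 2
    printf '%s\n' "$text" |
        grep -q 'Signature Algorithm: sha384WithRSAEncryption' || return 3
    printf '%s\n' "$text" | grep -q 'DNS:' || return 4
    return 0
}

# Demo: build a request for a constructed lab device and check it.
demo_dir=$(mktemp -d)
if make_test_csr "$demo_dir" "zc-lab-01" "zc-lab-01.example.test" &&
   check_csr "$demo_dir/test.csr"; then
    echo "test.csr matches the checked key size and hash"
else
    echo "test.csr did not pass (exit code $?)"
fi
rm -rf "$demo_dir"
```

check_csr can also be run on a request captured from a real enrollment; return codes 2 and 3 mean the key size or signature hash differs from the values checked here.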

OSD SCEP page

AWI SCEP page

The following settings display on the OSD and AWI SCEP pages:

SCEP Parameters

  • SCEP Server URL: Enter the URL for the SCEP server that is configured to issue certificates for the device.

  • Certificate Usage: There are two options:

    • Administrative Web Interface: Automatically request a custom certificate for connections to the AWI.

    • 802.1X: Automatically request a custom certificate for use in your 802.1X configuration.

  • Challenge Password: Enter the password required by the SCEP server.

  • Issuer CA Certificate: Displays the Issuer CA certificate that signed the client certificate. (The endpoint no longer stores the Root CA certificate.)

  • Client Certificate: Displays the name of the client certificate that has been installed in the device.

  • CA Identifier: A string provided by your CA issuer that uniquely identifies the Certificate Authority when providing certificates for SCEP requests.

  • Request Certificates (button): After entering the SCEP server address, password, certificate usage, and CA Identifier, click this button to retrieve certificates.

  • Status: Displays the status of the request (for example, requesting, successful, failed).

To obtain certificates using SCEP:

1. Open the SCEP page:

  • From the OSD, select Options > Configuration > SCEP.
  • From the AWI, select Configuration > SCEP.

2. Select the Certificate Usage type.

3. Enter the URL and challenge password for the SCEP server.

4. Enter the CA Identifier if required. Provide a valid CA Identifier or use "CAIdentifier" (default).

5. Click Request Certificates to retrieve the certificate. The issuing CA and client certificates display after a successful SCEP request.

The Status section displays the status of the request such as Requesting, Request completed, or Request failed.

To delete your SCEP certificate:

1. Browse to the AWI Upload > Certificates page.

2. Click the Remove button beside the certificate you wish to remove.

3. Click Apply and then Continue.