Distributing certificates

In brief, the procedure for distributing certificates via SCEP is as follows:
  1. Generate the key pair in the VPN router. The public part of this key pair is later sent to the SCEP server together with the request; the private key never leaves the SCEP client (the VPN router). This is a major security gain over manual certificate distribution, for example with PKCS#12 containers, where the private key has to be exported and transported together with the certificate.
  2. Retrieve the CA and RA certificates. For communication with the RA/CA, the appropriate RA and CA certificates must be available in the VPN router. SCEP itself has no mechanism by which the client can authenticate the CA certificate it receives, so the check that a CA certificate retrieved via SCEP genuinely originates from the CA relies on a fingerprint that is configured in the VPN router in advance and compared against the fingerprint of the retrieved certificate. If the administrator of the VPN router does not have direct access to the CA, the fingerprint can be obtained and checked manually, for example by a telephone call to the CA administrator.
  3. Generate and encrypt the request for a device certificate. To request a system or device certificate, the SCEP client collects all of the configured information, such as the identity of the requesting device and, if applicable, the "challenge phrase" (the password for automatic request processing by the SCEP server). The request is signed with the device's private key and encrypted for the RA/CA using the certificates retrieved in step 2, so that only the SCEP server can read it, in particular the challenge phrase.
  4. Send the request to the SCEP server. The SCEP client then sends the request along with its public key to the SCEP server.
  5. Check the certificate request on the SCEP server and issue the device certificate. The SCEP server decrypts the request and, once the request has been approved, issues a system or device certificate to the requester. SCEP offers the following methods for request processing:
    • Automatic processing requires the authenticity of the requester to be established by means of the challenge phrase. The challenge phrase can, for example, be generated automatically by a Windows CA server using mscep.dll; the phrase is valid for one hour. If the challenge phrase submitted with the certificate request matches the currently valid value, the device certificate is issued automatically.
    • For manual processing, the SCEP server puts the certificate request "on hold" until the CA administrator has accepted or rejected it. While waiting, the SCEP client regularly polls the SCEP server to see whether the certificate has been issued yet.
    • With RA-AutoApprove, the client is authenticated by means of a valid certificate previously issued by the same CA.
  6. Retrieve the device certificate from the SCEP server. Once the certificate has been issued, the client learns this through its regular polling and retrieves the certificate.
  7. Check the device certificate and present it for VPN operation.
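The exchange described in steps 1 to 7, as an added example that is not part of the LANCOM documentation and not the router's or any SCEP server's code. It is a Python simulation in which the SCEP server is a local object rather than an HTTP endpoint; GetCACert, PKIOperation and GetCertInitial are the SCEP operation names, but the RSA key pair, the request signature and the PKCS#7 envelope are replaced by placeholder bytes (the standard library has no RSA), so what the block actually exercises is the decision logic the steps describe: the pre-configured CA fingerprint check, the one-hour challenge phrase window, manual approval with client polling, and RA-AutoApprove against a certificate the CA issued earlier. The names ScepServer, enrol, CA_CERT_DER, the constructed CA bytes and the outcome strings are assumptions of the example.

```python
# Added example, not LANCOM code: simulated SCEP enrolment, steps 1-7 above.
# Key pair, signature and PKCS#7 envelope are placeholders (no RSA in the
# standard library); the server-side decision logic is what is demonstrated.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed stand-in for the DER-encoded CA certificate. The fingerprint is
# what the administrator configures in the router beforehand (step 2).
CA_CERT_DER = b"CONSTRUCTED-CA-CERTIFICATE-DER-BYTES"
CA_FINGERPRINT = hashlib.sha256(CA_CERT_DER).hexdigest()
CHALLENGE_TTL = 3600  # the challenge phrase is valid for one hour (step 5)


@dataclass
class ScepServer:
    """RA/CA side. mode is "auto", "manual" or "ra-autoapprove"."""
    mode: str
    challenges: dict = field(default_factory=dict)  # phrase -> time issued
    issued: dict = field(default_factory=dict)      # txn id -> certificate
    pending: dict = field(default_factory=dict)     # txn id -> request on hold
    rejected: set = field(default_factory=set)      # txn ids refused by the admin
    known_certs: set = field(default_factory=set)   # everything this CA issued

    def new_challenge(self, now=None):
        """One-time phrase, as mscep.dll hands out on a Windows CA."""
        phrase = secrets.token_hex(8)
        self.challenges[phrase] = time.time() if now is None else now
        return phrase

    def get_ca_cert(self):  # SCEP GetCACert: unauthenticated, hence the fingerprint
        return CA_CERT_DER

    def pki_operation(self, req):  # SCEP PKIOperation: decide according to mode
        if self.mode == "auto":
            issued_at = self.challenges.pop(req["challenge"], None)  # single use
            if issued_at is None or time.time() - issued_at > CHALLENGE_TTL:
                return {"status": "FAILURE", "reason": "bad or expired challenge"}
            return self._issue(req)
        if self.mode == "manual":
            self.pending[req["txn"]] = req  # "on hold" until the CA admin decides
            return {"status": "PENDING"}
        if self.mode == "ra-autoapprove":
            if req["existing_cert"] not in self.known_certs:
                return {"status": "FAILURE", "reason": "no valid CA-issued certificate"}
            return self._issue(req)
        raise ValueError(f"unknown mode {self.mode}")

    def get_cert_initial(self, txn):  # SCEP GetCertInitial: polled by the client
        if txn in self.issued:
            return {"status": "SUCCESS", "cert": self.issued[txn]}
        if txn in self.rejected:
            return {"status": "FAILURE", "reason": "rejected by CA administrator"}
        return {"status": "PENDING"}

    def admin_decision(self, txn, approve):
        """The CA administrator accepts or rejects a request that is on hold."""
        req = self.pending.pop(txn)
        if approve:
            self._issue(req)
        else:
            self.rejected.add(txn)

    def _issue(self, req):
        cert = b"CERT:" + req["subject"].encode() + b":" + req["pubkey"].hex().encode()
        self.issued[req["txn"]] = cert
        self.known_certs.add(cert)
        return {"status": "SUCCESS", "cert": cert}


def enrol(server, subject, pinned_fingerprint, challenge="", existing_cert=None,
          admin=None, max_polls=3):
    """Client side (the VPN router). Returns (outcome, certificate or None)."""
    # Step 1: key pair generated on the device; the private half is never sent.
    private_key = secrets.token_bytes(32)              # placeholder, not RSA
    public_key = hashlib.sha256(private_key).digest()  # placeholder, not RSA
    # Step 2: fetch the CA certificate and compare with the pre-configured fingerprint.
    fingerprint = hashlib.sha256(server.get_ca_cert()).hexdigest()
    if not hmac.compare_digest(fingerprint, pinned_fingerprint):
        return "ca-fingerprint-mismatch", None          # abort before sending anything
    # Steps 3 and 4: build the request (identity, public key, challenge) and send it.
    # A real client signs it with private_key and envelopes it for the RA certificate.
    txn = secrets.token_hex(8)
    req = {"txn": txn, "subject": subject, "pubkey": public_key,
           "challenge": challenge, "existing_cert": existing_cert}
    resp = server.pki_operation(req)
    # Steps 5 and 6: poll while on hold; `admin` simulates the CA admin acting
    # between two polls (None means nobody decides within max_polls).
    for _ in range(max_polls):
        if resp["status"] != "PENDING":
            break
        if admin is not None:
            admin(server, txn)
        resp = server.get_cert_initial(txn)
    if resp["status"] != "SUCCESS":
        return resp.get("reason", resp["status"]), None
    # Step 7: check the certificate is for this device and this key before VPN use.
    cert = resp["cert"]
    if cert != b"CERT:" + subject.encode() + b":" + public_key.hex().encode():
        return "issued-cert-mismatch", None
    return "enrolled", cert
```

The point to take from step 2 in the simulation is that `pinned_fingerprint` comes from the administrator, not from the device: a fingerprint that the router displays after retrieving the CA certificate proves nothing, because an attacker who can answer GetCACert controls that value. On a real deployment the value to compare is the one the CA administrator reads out over the telephone or publishes through a channel independent of the SCEP server.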

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de
