
    Obtaining Digital Certificates through SCEP (SRC CLI)

    You can use SCEP to help manage how you obtain digital certificates, or you can manually add certificates.

    For information about manually obtaining certificates, see Manually Obtaining Digital Certificates (SRC CLI).

    To add a signed certificate that you obtain through SCEP:

    1. Request a CA certificate through SCEP.
      user@host> request security get-ca-certificate url url ca-identifier ca-identifier

      where:

      • url is the URL of the certificate authority (which is the SCEP server).
      • ca-identifier is the identifier that designates the authority.

      For example, to request the CA certificate from the certificate authority SdxCA at a specified URL on the server security_server:

      user@host> request security get-ca-certificate url http://security_server:8080/ejbca/publicweb/apply/scep/pkiclient.exe ca-identifier SdxCA
      
      Version: 3
      Serial Number: 5721058705923989279
      Signature Algorithm: SHA1withRSA
      Issuer: CN=SdxCA
      Valid From: Wed Sep 06 17:00:55 EDT 2006
      Valid Until: Sat Sep 03 17:10:55 EDT 2016
      Subject: CN=SdxCA
      Public key: RSA
      Thumbprint Algorithm: SHA1
      Thumbprint: 3c 57 a9 77 af 83 3 e9 c7 1e ee e2 4a e8 ff f3 89 f4 11 a9
      Do you want to add the above certificate as a trusted CA [yes,no] ? (no) y
    2. Request that the certificate authority automatically sign the certificate request.
      user@host> request security enroll subject subject password password

      where:

      • subject is the distinguished name of the SRC host; for example cn=myhost.
      • password is the password received from the certificate authority for the specified subject.

      For example, to request a signed certificate for the subject cn=myhost from the certificate authority SdxCA at a specified URL on the server security_server:

      user@host> request security enroll url http://security_server:8080/ejbca/publicweb/apply/scep/pkiclient.exe identifier web ca-identifier SdxCA subject cn=myhost password mypassword 
      Received certificate:
      Version: 3
      Serial Number: 6822890691617224432
      Signature Algorithm: SHA1withRSA
      Issuer: CN=SdxCA
      Valid From: Tue Sep 19 16:33:11 EDT 2006
      Valid Until: Thu Sep 18 16:43:11 EDT 2008
      Subject: CN=myhost
      Public key: RSA
      Do you want to install the above certificate [yes,no] ? (no) y
    3. Verify that the certificate is part of the SRC configuration.
      user@host> show security certificate
      web subject:CN=myhost

      If there are no certificates on the system, the CLI displays the following message:

      No entity certificates in key store
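
The thumbprint prompt in step 1 is where the operator decides whether to trust the CA, so the displayed value should be compared with a fingerprint obtained from the CA administrator over a separate channel. The following Python code is an added example, not part of the SRC software or the original guide: it parses the thumbprint format the CLI prints (a byte below 0x10 can appear without its leading zero, as in the bare "3" above) and compares it with a reference fingerprint. The reference values and function names are constructed for illustration.

```python
import re

# Thumbprint exactly as printed in step 1 of this page (note the bare "3").
CLI_THUMBPRINT = "3c 57 a9 77 af 83 3 e9 c7 1e ee e2 4a e8 ff f3 89 f4 11 a9"
# Constructed reference values standing in for what a CA administrator would
# supply out of band (colon-separated, as openssl prints fingerprints).
REFERENCE_OK = "3C:57:A9:77:AF:83:03:E9:C7:1E:EE:E2:4A:E8:FF:F3:89:F4:11:A9"
REFERENCE_BAD = "3C:57:A9:77:AF:83:03:E9:C7:1E:EE:E2:4A:E8:FF:F3:89:F4:11:AA"

SHA1_LEN = 20  # bytes; the CLI reports "Thumbprint Algorithm: SHA1"


def parse_cli_thumbprint(text, digest_len=SHA1_LEN):
    """Parse space-separated hex bytes where a leading zero may be dropped."""
    tokens = text.split()
    if len(tokens) != digest_len:
        raise ValueError(f"expected {digest_len} bytes, got {len(tokens)}")
    for tok in tokens:
        if not re.fullmatch(r"[0-9A-Fa-f]{1,2}", tok):
            raise ValueError(f"not a hex byte: {tok!r}")
    return bytes(int(tok, 16) for tok in tokens)


def parse_reference_fingerprint(text, digest_len=SHA1_LEN):
    """Parse a fingerprint written as two-digit hex, with or without colons."""
    raw = bytes.fromhex(re.sub(r"[:\s]", "", text))
    if len(raw) != digest_len:
        raise ValueError(f"expected {digest_len} bytes, got {len(raw)}")
    return raw


def thumbprints_match(cli_text, reference_text):
    """Compare on decoded bytes so case, separators and padding do not matter."""
    return parse_cli_thumbprint(cli_text) == parse_reference_fingerprint(reference_text)


if __name__ == "__main__":
    for ref in (REFERENCE_OK, REFERENCE_BAD):
        verdict = "match" if thumbprints_match(CLI_THUMBPRINT, ref) else "MISMATCH"
        print(f"{ref}: {verdict}")
```

A plain string comparison of the two formats would report a mismatch even for the correct CA, because of the missing zero, the separators and the letter case.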

    Modified: 2016-12-29