Before you begin
The commands in the steps
that follow include several variables that are described in
Table 1. Determine the values for these variables
and record the information in the blank boxes:
Table 1. Information you need to enable Simple Certificate Enrollment Protocol (SCEP)

| Information needed | Where to find this information | Record your value here |
|---|---|---|
| ca_label - The label of your CA certificate in RACF®. | See Table 1. | |
| ra_label - The label of your RA certificate in RACF. | See Table 1. | |
| ca_ring - The PKI Services SAF key ring. | See Table 1. | |
| ca_expires - The date the PKI Services CA certificate expires. | See Table 1. | |
| daemon - The user ID for the PKI daemon. | See Table 1. | |
| ra_backup_dsn - The name of the encrypted data set containing the backup copy of your new RA certificate and private key. | See Table 1. | |
| ra_dn - The RA's distinguished name. | See Table 1. | |
Procedure
Perform the following steps to enable PKI Services to process Simple Certificate Enrollment Protocol (SCEP) requests:

1. (Optional) Create your PKI Services RA certificate by following these steps, if you haven't done so already. (This is optionally done by IKYSETUP.) If you already created an RA certificate, skip to Step 2.

   a. To create an RA certificate, execute the following RACF command from the TSO command line:

        RACDCERT ID(daemon) GENCERT SUBJECTSDN(ra_dn) KEYUSAGE(HANDSHAKE)
          SIGNWITH(CERTAUTH LABEL('ca_label')) NOTAFTER(DATE(ca_expires))
          WITHLABEL('ra_label')

   b. Back up the new PKI Services RA certificate and private key to a password-encrypted data set (ra_backup_dsn). Remember to record and store your encryption password in case you ever need to recover the certificate or private key.

        RACDCERT ID(daemon) EXPORT(LABEL('ra_label')) DSN(ra_backup_dsn)
          FORMAT(PKCS12DER) PASSWORD('encryption-pw')

   c. Add the new RA certificate to the PKI Services key ring.

        RACDCERT ID(daemon) CONNECT(LABEL('ra_label') RING(ca_ring))

2. Edit the PKI Services configuration file (/etc/pkiserv.conf) and set the RALabel directive in the SAF section to specify the label (ra_label) of your PKI Services RA certificate. (The default in IKYSETUP is Local PKI RA. For details, see (Optional) Steps for updating the configuration file.)

        [SAF]
        KeyRing=PKISRVD/CAring
        # The label of the PKI Services RA certificate
        RALabel=Local PKI RA

3. Edit the PKI Services configuration file (/etc/pkiserv.conf) to change the EnableSCEP directive in the CertPolicy section from F (False) to T (True).

        [CertPolicy]
        # Enable the Simple Certificate Enrollment Protocol, (T)rue or (F)alse
        EnableSCEP=T

4. Edit the PKI Services template file (/etc/pkiserv.tmpl or pkitmpl.xml) and customize the <PREREGISTER> section of the 5-Year SCEP Certificate – Preregistration template as desired, or create a new preregistration template. (Refer to the list in Variables used in the <PREREGISTER> section for valid variables and values.) The defaults are:

        AuthenticatedClient=AutoApprove
        SemiauthenticatedClient=AdminApprove
        UnauthenticatedClient=Reject
        SubsequentRequest=AutoApprove
        RenewalRequest=AutoApprove

5. Edit the <CONTENT> section of your preregistration template to allow the PKI administrator to specify the subject distinguished name and alternate name fields that the SCEP client must provide to authenticate. Specify only subject distinguished name and alternate name fields here; all other fields are ignored. (For information about customizing the end-user Web pages, see Customizing the end-user Web application if you use REXX CGI execs.) The defaults are:

        %%SerialNumber (Optional)%%
        %%UnstructAddr (Optional)%%

6. Edit the <CONSTANT> section of your preregistration template to supply any other desired value, such as MAIL or ORG, that must be included for every SCEP preregistration request. Any subject distinguished name and alternate name fields you specify here must match the information (in the subsequent certificate request) sent by the SCEP client to authenticate the certificate request.

7. Edit the HTTP Server environment variables file, httpd.envvars, and update the LIBPATH variable to include /usr/lpp/pkiserv/lib.

8. Stop and restart PKI Services.
When you are done, you have enabled your CA domain to accept
SCEP preregistration requests and process certificate requests from
preregistered SCEP clients.
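The following script is an added example, not IBM's code or part of the original topic. It re-checks the settings that Steps 2 through 4 change: that EnableSCEP is T in the CertPolicy section, that RALabel and KeyRing are set in the SAF section, and that the <PREREGISTER> policies match the documented defaults (in particular that UnauthenticatedClient is still Reject). The file layouts (INI-style [Section] and Key=Value lines with # comments in pkiserv.conf, and a <PREREGISTER>...</PREREGISTER> block in the template) are assumed from the fragments shown in the steps, and both inputs are constructed samples in which EnableSCEP was left at F and UnauthenticatedClient was loosened to AutoApprove.

```python
"""Sanity-check SCEP settings in PKI Services configuration fragments.

Added example (not IBM's code). File layouts are assumed from the fragments
shown in the procedure; a real system's files may differ.
"""
import re

# Constructed sample pkiserv.conf fragment: EnableSCEP still F.
SAMPLE_CONF = """\
[SAF]
KeyRing=PKISRVD/CAring
# The label of the PKI Services RA certificate
RALabel=Local PKI RA

[CertPolicy]
# Enable the Simple Certificate Enrollment Protocol, (T)rue or (F)alse
EnableSCEP=F
"""

# Constructed sample <PREREGISTER> section: UnauthenticatedClient loosened.
SAMPLE_PREREGISTER = """\
<PREREGISTER>
AuthenticatedClient=AutoApprove
SemiauthenticatedClient=AdminApprove
UnauthenticatedClient=AutoApprove
SubsequentRequest=AutoApprove
RenewalRequest=AutoApprove
</PREREGISTER>
"""

# Defaults listed in the procedure for the <PREREGISTER> section.
PREREGISTER_DEFAULTS = {
    "AuthenticatedClient": "AutoApprove",
    "SemiauthenticatedClient": "AdminApprove",
    "UnauthenticatedClient": "Reject",
    "SubsequentRequest": "AutoApprove",
    "RenewalRequest": "AutoApprove",
}


def parse_sections(text):
    """Return {section: {key: value}} from INI-style text; '#' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:
            current[key.strip()] = value.strip()
    return sections


def parse_preregister(template_text):
    """Return the Key=Value pairs between <PREREGISTER> and </PREREGISTER> (assumed layout)."""
    match = re.search(r"<PREREGISTER>(.*?)</PREREGISTER>", template_text, re.S)
    if not match:
        return {}
    return parse_sections("[PREREGISTER]\n" + match.group(1)).get("PREREGISTER", {})


def check_scep_config(conf_text, template_text):
    """Return a list of (setting, message) findings; an empty list means every check passed."""
    findings = []
    conf = parse_sections(conf_text)
    saf = conf.get("SAF", {})
    policy = conf.get("CertPolicy", {})

    # Step 3: SCEP requests are not processed unless EnableSCEP is T.
    if policy.get("EnableSCEP", "F").upper() != "T":
        findings.append(("EnableSCEP", "CertPolicy EnableSCEP is not T; SCEP requests will not be processed"))
    # Step 2: the RA certificate label and the key ring it is connected to.
    if not saf.get("RALabel"):
        findings.append(("RALabel", "SAF RALabel is not set; no RA certificate label for SCEP"))
    if not saf.get("KeyRing"):
        findings.append(("KeyRing", "SAF KeyRing is not set"))

    # Step 4: report any preregistration policy that differs from the documented
    # default; UnauthenticatedClient=Reject is the one a reviewer most wants intact.
    pre = parse_preregister(template_text)
    for key, default in PREREGISTER_DEFAULTS.items():
        value = pre.get(key)
        if value != default:
            findings.append((key, f"{key}={value!r} differs from documented default {default!r}"))
    return findings


if __name__ == "__main__":
    for setting, message in check_scep_config(SAMPLE_CONF, SAMPLE_PREREGISTER):
        print(f"{setting}: {message}")
```

Run against the constructed samples it reports two findings, EnableSCEP and UnauthenticatedClient; after the two values are corrected it reports none. Pointing it at the real /etc/pkiserv.conf and template file before the restart in Step 8 gives a quick confirmation that the edits landed in the right sections.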