z/OS Cryptographic Services PKI Services Guide and Reference


Steps for enabling Simple Certificate Enrollment Protocol (SCEP)

SA23-2286-00

Before you begin

The commands in the steps that follow include several variables that are described in Table 1. Determine the values for these variables before you start and record them in the last column:

Table 1. Information you need to enable Simple Certificate Enrollment Protocol (SCEP)

  Variable        Information needed                                                            Where to find this information   Record your value here
  ca_label        The label of your CA certificate in RACF®.                                    See Table 1.
  ra_label        The label of your RA certificate in RACF.                                     See Table 1.
  ca_ring         The PKI Services SAF key ring.                                                See Table 1.
  ca_expires      The date the PKI Services CA certificate expires.                             See Table 1.
  daemon          The user ID for the PKI daemon.                                               See Table 1.
  ra_backup_dsn   The name of the encrypted data set containing the backup copy of your new     See Table 1.
                  RA certificate and private key.
  ra_dn           The RA's distinguished name.                                                  See Table 1.

Procedure

Perform the following steps to enable PKI Services to process Simple Certificate Enrollment Protocol (SCEP) requests:
  1. (Optional) Create your PKI Services RA certificate by following these steps, if you haven't done so already. (This is optionally done by IKYSETUP.) If you already created an RA certificate, skip to Step 2.
    1. To create an RA certificate, execute the following RACF command from the TSO command line (it is a single command, shown here on three lines for readability). KEYUSAGE(HANDSHAKE) sets the digitalSignature and keyEncipherment key-usage bits, and SIGNWITH(CERTAUTH ...) signs the new certificate with your PKI Services CA certificate:
      RACDCERT ID(daemon) GENCERT SUBJECTSDN(ra_dn) KEYUSAGE(HANDSHAKE)
        SIGNWITH(CERTAUTH LABEL('ca_label')) NOTAFTER(DATE(ca_expires))
        WITHLABEL('ra_label')
    2. Back up the new PKI Services RA certificate and private key to a password-encrypted data set (ra_backup_dsn). Record and store the encryption password securely in case you ever need to recover the certificate or private key. The data set contains the RA private key, so protect it (and the password) as carefully as the key itself.
      RACDCERT ID(daemon) EXPORT(LABEL('ra_label')) DSN(ra_backup_dsn)
        FORMAT(PKCS12DER) PASSWORD('encryption-pw')
    3. Add the new RA certificate to the PKI Services key ring.
      RACDCERT ID(daemon) CONNECT(LABEL('ra_label') RING(ca_ring))
  2. Edit the PKI Services configuration file (/etc/pkiserv.conf) and set the RALabel directive in the [SAF] section to the label (ra_label) of your PKI Services RA certificate, exactly as you specified it in WITHLABEL. (The default in IKYSETUP is Local PKI RA. For details, see (Optional) Steps for updating the configuration file.)
    [SAF] 
    KeyRing=PKISRVD/CAring 
    # The label of the PKI Services RA certificate 
    RALabel=Local PKI RA 
  3. In the same configuration file (/etc/pkiserv.conf), change the EnableSCEP directive in the [CertPolicy] section from F (False) to T (True).
    [CertPolicy]
    # Enable the Simple Certificate Enrollment Protocol, (T)rue or (F)alse 
    EnableSCEP=T
  4. Edit the PKI Services template file (/etc/pkiserv.tmpl or pkitmpl.xml) and customize the <PREREGISTER> section of the 5-Year SCEP Certificate – Preregistration template as desired, or create a new preregistration template. (Refer to the list in Variables used in the <PREREGISTER> section for valid variables and values.) The defaults are:
    (defaults)
    AuthenticatedClient=AutoApprove
    SemiauthenticatedClient=AdminApprove
    UnauthenticatedClient=Reject
    SubsequentRequest=AutoApprove
    RenewalRequest=AutoApprove
  5. Edit the <CONTENT> section of your preregistration template so that the PKI administrator can specify the subject distinguished name and alternate name fields that the SCEP client must supply to authenticate. Specify only subject distinguished name and alternate name fields here; all other fields are ignored. (For information about customizing the end-user Web pages, see Customizing the end-user Web application if you use REXX CGI execs.)
    (defaults)
    %%SerialNumber (Optional)%% 
    %%UnstructAddr (Optional)%%
  6. Edit the <CONSTANT> section of your preregistration template to supply any other value, such as MAIL or ORG, that must be included in every SCEP preregistration request. Any subject distinguished name and alternate name fields you specify here must match the information that the SCEP client later sends in its certificate request, because those fields are used to authenticate that request.
    %%Org=The Firm%%
  7. Edit the HTTP Server environment variables file, httpd.envvars, and update the LIBPATH variable to include /usr/lpp/pkiserv/lib.
  8. Stop and restart PKI Services.
When you are done, you have enabled your CA domain to accept SCEP preregistration requests and process certificate requests from preregistered SCEP clients.
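The following script is an added post-configuration check and is not part of this IBM publication or of PKI Services itself. It reads the two files edited in Steps 2, 3 and 7 (/etc/pkiserv.conf and httpd.envvars, passed in as arguments) and reports whether EnableSCEP is T in [CertPolicy], whether RALabel and KeyRing are set in [SAF], and whether /usr/lpp/pkiserv/lib is on LIBPATH, so that a mistake is caught before the restart in Step 8. The sample configuration files it writes to a temporary directory are constructed for this example; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the IBM page): verify the SCEP-related settings in
# pkiserv.conf and httpd.envvars before restarting PKI Services.

# pki_conf_get FILE SECTION KEY
#   Print the value of KEY inside [SECTION] of an INI-style pkiserv.conf.
#   Comment (#) and blank lines are skipped; the first match in the section wins.
pki_conf_get() {
  awk -v sect="$2" -v key="$3" '
    { sub(/^[[:space:]]+/, ""); sub(/[[:space:]]+$/, "") }  # trim blanks
    /^#/ || /^$/ { next }                                    # skip comments
    /^\[/ { insect = ($0 == ("[" sect "]")); next }          # section header
    insect && index($0, key "=") == 1 {
      print substr($0, length(key) + 2); exit
    }
  ' "$1"
}

# envvars_has_libpath FILE DIR
#   Succeed if DIR is one of the colon-separated entries of LIBPATH in FILE.
envvars_has_libpath() {
  libpath=$(sed -n 's/^LIBPATH=//p' "$1")
  case ":$libpath:" in
    *":$2:"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# scep_check CONF ENVVARS
#   Report every failing check; return 1 if any check fails, 0 otherwise.
scep_check() {
  conf=$1; envvars=$2; rc=0
  enable=$(pki_conf_get "$conf" CertPolicy EnableSCEP)
  ralabel=$(pki_conf_get "$conf" SAF RALabel)
  keyring=$(pki_conf_get "$conf" SAF KeyRing)

  [ "$enable" = T ] || { echo "FAIL: [CertPolicy] EnableSCEP is '${enable:-unset}', expected T"; rc=1; }
  [ -n "$ralabel" ] || { echo "FAIL: [SAF] RALabel is not set"; rc=1; }
  [ -n "$keyring" ] || { echo "FAIL: [SAF] KeyRing is not set"; rc=1; }
  envvars_has_libpath "$envvars" /usr/lpp/pkiserv/lib \
    || { echo "FAIL: LIBPATH in $envvars does not include /usr/lpp/pkiserv/lib"; rc=1; }
  return $rc
}

# make_samples
#   Write a passing and a failing pair of sample files (constructed for this
#   example, not taken from a real system) and print the directory name.
make_samples() {
  d=$(mktemp -d)
  cat > "$d/good.conf" <<'EOF'
[SAF]
KeyRing=PKISRVD/CAring
# The label of the PKI Services RA certificate
RALabel=Local PKI RA

[CertPolicy]
# Enable the Simple Certificate Enrollment Protocol, (T)rue or (F)alse
EnableSCEP=T
EOF
  printf 'LIBPATH=/lib:/usr/lib:/usr/lpp/pkiserv/lib\n' > "$d/good.envvars"

  # Failing pair: SCEP still disabled, RALabel missing, library not on LIBPATH.
  cat > "$d/bad.conf" <<'EOF'
[SAF]
KeyRing=PKISRVD/CAring

[CertPolicy]
EnableSCEP=F
EOF
  printf 'LIBPATH=/lib:/usr/lib\n' > "$d/bad.envvars"
  echo "$d"
}

# Stand-alone demonstration on the constructed samples.
SAMPLES=$(make_samples)
echo "Checking passing sample:"
scep_check "$SAMPLES/good.conf" "$SAMPLES/good.envvars" && echo "OK: all SCEP checks passed"
echo "Checking failing sample:"
scep_check "$SAMPLES/bad.conf" "$SAMPLES/bad.envvars" || echo "Failures reported as expected"
rm -rf "$SAMPLES"
```

On a real system run `scep_check /etc/pkiserv.conf /path/to/httpd.envvars` (the httpd.envvars location depends on your HTTP Server installation). The script cannot confirm that the RALabel value actually names a certificate in RACF; for that, list the key ring with `RACDCERT ID(daemon) LISTRING(ca_ring)` and check that a certificate with label ra_label is connected to it.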

Copyright IBM Corporation 1990, 2014