Overview of SCEP preregistration

To request certificates using SCEP, a SCEP requestor must be preregistered to PKI Services, your CA. You can preregister SCEP clients in batches using the pkiprereg utility (see Using the pkiprereg utility), or PKI administrators can preregister individual SCEP clients (one client at a time) using the end-user web pages.

When PKI administrators preregister a SCEP client, they do so by using the end-user web page for requesting a certificate and selecting the SCEP (preregistration) certificate template called 5-Year SCEP Certificate – Preregistration. (See Steps for preregistering an SCEP client.) The PKI administrator fills out the request form by specifying the device or client name of the SCEP client, a passphrase for client authentication, and additional (optional) subject name and alternate name information. You can customize the <CONSTANT> section of the SCEP (preregistration) certificate template to supply the additional optional information.

When a PKI administrator submits the form for a SCEP (preregistration) certificate request, PKI Services creates a preregistration record, not an actual certificate request, in the VSAM ObjectStore data set (request database). The client name is translated to lowercase characters, truncated to 32 characters if longer, and saved as the Requestor to support searching of the ObjectStore. (Each preregistration record must have a client name that is unique in the first 32 characters, regardless of case.)
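The lowercase-and-truncate rule above means two client names that look different can map to the same Requestor value. The following added example (not part of PKI Services or its documentation) audits a list of proposed client names before preregistration; the function names and the sample device names are constructed for illustration, and ASCII client names are assumed.

```python
from collections import defaultdict

REQUESTOR_MAX = 32  # from the page: client name is truncated to 32 characters


def requestor_key(client_name: str) -> str:
    """Lowercase, then truncate to 32 characters, as the page describes.

    Assumption: names are ASCII, so lowercasing never changes the length.
    """
    return client_name.lower()[:REQUESTOR_MAX]


def audit_client_names(names):
    """Return (truncated, collisions) for a list of proposed client names.

    truncated  : original name -> stored Requestor value, for names > 32 chars
    collisions : Requestor value -> every name mapping to it (2 or more),
                 including exact duplicates within the list
    """
    truncated = {}
    groups = defaultdict(list)
    for name in names:
        key = requestor_key(name)
        if len(name) > REQUESTOR_MAX:
            truncated[name] = key
        groups[key].append(name)
    collisions = {k: v for k, v in groups.items() if len(v) > 1}
    return truncated, collisions


# Constructed sample names (hypothetical devices, not from the page).
SAMPLE_NAMES = [
    "Router-Branch-01",
    "ROUTER-BRANCH-01",                          # differs only in case
    "edge-gateway-datacenter-frankfurt-rack-a",  # 40 chars
    "edge-gateway-datacenter-frankfurt-rack-b",  # same first 32 chars
    "vpn-concentrator-7",
]

if __name__ == "__main__":
    truncated, collisions = audit_client_names(SAMPLE_NAMES)
    for name, key in truncated.items():
        print(f"TRUNCATED  {name!r} -> {key!r}")
    for key, members in collisions.items():
        print(f"COLLISION  {key!r} <- {members}")
```

To cover clients that are already preregistered, include their names in the list passed to the function.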

The preregistration record contains the template nickname, passphrase, and additional (optional) subject name and alternate name values. Any other information (unrelated to the subject name or alternate name) specified on the request form is ignored.

When you customize the <CONSTANT> section of the SCEP template to supply additional (optional) values for the following variables, those values are not saved in the preregistration record. However, those values are processed when the preregistered client then requests a certificate.
  • AuthInfoAcc
  • CertPolicies
  • Critical
  • ExtKeyUsage (not typically used in a SCEP request)
  • KeyUsage (not typically used in a SCEP request)
  • NotAfter
  • NotBefore