Steps for enabling Simple Certificate Enrollment Protocol (SCEP)
Before you begin
The commands in the steps that follow include several variables that are described in Table 1. Determine the values for these variables and record the information in the blank boxes:
Information needed | Where to find this information | Record your value here
---|---|---
ca_label - The label of your CA certificate in RACF®. | See Table 1. |
ra_label - The label of your RA certificate in RACF. | See Table 1. |
ca_ring - The PKI Services SAF key ring. | See Table 1. |
ca_expires - The date the PKI Services CA certificate expires. | See Table 1. |
daemon - The user ID for the PKI daemon. | See Table 1. |
ra_backup_dsn - The name of the encrypted data set containing the backup copy of your new RA certificate and private key. | See Table 1. |
ra_dn - The RA's distinguished name. | See Table 1. |
Procedure
Perform the following steps to enable PKI Services to process Simple Certificate Enrollment Protocol (SCEP) requests:
- (Optional) Create your PKI Services RA certificate by following these steps, if you have not done so already. (IKYSETUP can optionally do this for you.) If you already created an RA certificate, skip to Step 2.
  - To create an RA certificate, execute the following RACF command from the TSO command line:
    RACDCERT ID(daemon) GENCERT SUBJECTSDN(ra_dn) KEYUSAGE(HANDSHAKE) SIGNWITH(CERTAUTH LABEL('ca_label')) NOTAFTER(DATE(ca_expires)) WITHLABEL('ra_label')
  - Back up the new PKI Services RA certificate and private key to a password-encrypted data set (ra_backup_dsn). Record and store the encryption password securely; you will need it to recover the certificate or private key.
    RACDCERT ID(daemon) EXPORT(LABEL('ra_label')) DSN(ra_backup_dsn) FORMAT(PKCS12DER) PASSWORD('encryption-pw')
  - Add the new RA certificate to the PKI Services key ring:
    RACDCERT ID(daemon) CONNECT(LABEL('ra_label') RING(ca_ring))
- Edit the PKI Services configuration file (/etc/pkiserv.conf) and set the RALabel directive in the SAF section to the label (ra_label) of your PKI Services RA certificate. (The default in IKYSETUP is Local PKI RA. For details, see (Optional) Steps for updating the configuration file.)
    [SAF]
    KeyRing=PKISRVD/CAring
    # The label of the PKI Services RA certificate
    RALabel=Local PKI RA
- Edit the PKI Services configuration file (/etc/pkiserv.conf) and change the EnableSCEP directive in the CertPolicy section from F (False) to T (True).
    [CertPolicy]
    # Enable the Simple Certificate Enrollment Protocol, (T)rue or (F)alse
    EnableSCEP=T
- Edit the PKI Services template file (/etc/pkiserv.tmpl or pkitmpl.xml) and customize the <PREREGISTER> section of the 5-Year SCEP Certificate - Preregistration template as you want, or create a new preregistration template. (Refer to the list in Variables used in the <PREREGISTER> section for valid variables and values.) The defaults are:
    AuthenticatedClient=AutoApprove
    SemiauthenticatedClient=AdminApprove
    UnauthenticatedClient=Reject
    SubsequentRequest=AutoApprove
    RenewalRequest=AutoApprove
- Edit the <CONTENT> section of your preregistration template to allow the PKI administrator to specify the subject distinguished name and alternate name fields that the SCEP client must provide to authenticate. Specify only subject distinguished name and alternate name fields here; all other fields are ignored. (For information about customizing the end-user web pages, see Customizing the end-user web application if you use REXX CGI execs.) The defaults are:
    %%SerialNumber (Optional)%%
    %%UnstructAddr (Optional)%%
- Edit the <CONSTANT> section of your preregistration template to supply any other value you want, such as MAIL or ORG, that must be included in every SCEP preregistration request. Any subject distinguished name and alternate name fields you specify here must match the information sent by the SCEP client in the subsequent certificate request, which is used to authenticate that request. For example:
    %%Org=The Firm%%
- Edit the HTTP Server environment variables file (vhost80.conf) and update the LIBPATH variable to include /usr/lpp/pkiserv/lib.
- Stop and restart PKI Services.
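A post-configuration check covering the configuration-file and template steps above (the SAF RALabel and CertPolicy EnableSCEP directives, the <PREREGISTER> approval policy, and the LIBPATH update), written here as an added example; it is not part of the IBM documentation or of PKI Services itself. It assumes the [Section]/Key=Value layout of pkiserv.conf shown above, a closing </PREREGISTER> tag in the template file, and a `LIBPATH=...` (or `SetEnv LIBPATH ...`) line in vhost80.conf; all file contents in the block are constructed samples, not copies of a real system.

```python
"""Check that the SCEP-related settings from the procedure above are in place.

Added example, not IBM's code. Assumed layouts: pkiserv.conf uses [Section]
headers with Key=Value lines and '#' comments; the template closes its policy
block with </PREREGISTER>; vhost80.conf carries a LIBPATH=... line.
"""
import re

PKISERV_LIB = "/usr/lpp/pkiserv/lib"


def parse_conf(text: str) -> dict:
    """Parse pkiserv.conf-style text into {section: {key: value}}."""
    sections: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def parse_prereg(tmpl_text: str) -> dict:
    """Return the Key=Value pairs inside the first <PREREGISTER>...</PREREGISTER> block."""
    block = re.search(r"<PREREGISTER>(.*?)</PREREGISTER>", tmpl_text, re.S)
    pairs: dict = {}
    for line in (block.group(1) if block else "").splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            pairs[key.strip()] = value.strip()
    return pairs


def check_scep(conf_text: str, tmpl_text: str, vhost_text: str) -> list:
    """Return a list of findings; an empty list means the procedure is reflected."""
    findings = []
    conf = parse_conf(conf_text)
    if not conf.get("SAF", {}).get("RALabel"):
        findings.append("SAF RALabel is not set: no RA certificate to sign SCEP responses")
    if conf.get("CertPolicy", {}).get("EnableSCEP", "F").upper() != "T":
        findings.append("CertPolicy EnableSCEP is not T: SCEP requests are refused")

    # The documented defaults reject unauthenticated clients and route
    # semi-authenticated ones to an administrator; flag any loosening.
    policy = parse_prereg(tmpl_text)
    if policy.get("UnauthenticatedClient", "Reject") != "Reject":
        findings.append("UnauthenticatedClient is not Reject: requests with no "
                        "preregistered identity could be approved")
    if policy.get("SemiauthenticatedClient", "AdminApprove") == "AutoApprove":
        findings.append("SemiauthenticatedClient=AutoApprove: partially matched "
                        "requests bypass administrator review")

    # Accept either 'LIBPATH=a:b' or 'SetEnv LIBPATH a:b' (assumed layouts).
    libpath = re.search(r"^\s*(?:SetEnv\s+LIBPATH\s+|LIBPATH\s*=\s*)(.+)$",
                        vhost_text, re.M)
    dirs = libpath.group(1).strip().strip('"').split(":") if libpath else []
    if PKISERV_LIB not in dirs:
        findings.append(f"vhost80.conf LIBPATH does not include {PKISERV_LIB}")
    return findings


# Constructed sample: the state the procedure should leave behind.
GOOD_CONF = """
[SAF]
KeyRing=PKISRVD/CAring
# The label of the PKI Services RA certificate
RALabel=Local PKI RA

[CertPolicy]
# Enable the Simple Certificate Enrollment Protocol, (T)rue or (F)alse
EnableSCEP=T
"""
GOOD_TMPL = """
<PREREGISTER>
AuthenticatedClient=AutoApprove
SemiauthenticatedClient=AdminApprove
UnauthenticatedClient=Reject
SubsequentRequest=AutoApprove
RenewalRequest=AutoApprove
</PREREGISTER>
"""
GOOD_VHOST = "LIBPATH=/usr/lib:" + PKISERV_LIB + "\n"

# Constructed sample: SCEP left off, policy loosened, LIBPATH not updated.
BAD_CONF = GOOD_CONF.replace("EnableSCEP=T", "EnableSCEP=F")
BAD_TMPL = GOOD_TMPL.replace("UnauthenticatedClient=Reject",
                             "UnauthenticatedClient=AutoApprove")
BAD_VHOST = "LIBPATH=/usr/lib\n"

if __name__ == "__main__":
    print("good:", check_scep(GOOD_CONF, GOOD_TMPL, GOOD_VHOST) or ["no findings"])
    print("bad: ", check_scep(BAD_CONF, BAD_TMPL, BAD_VHOST))
```

Run it against copies of the real files after the restart in the last step; the good sample produces no findings and the bad sample produces three. The UnauthenticatedClient check is the one worth keeping in a routine audit: the documented default of Reject is what ties SCEP issuance to the administrator's preregistration, and a template that approves unauthenticated requests removes that tie.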