In the next few sections, we install the CA services and enroll certificates for an OpenBSD gateway. Installation of Windows 2000 Server itself is out of scope for this document.
Fill in the Distinguished Name (DN) of your CA and finish the installation.
Next, download the SCEP package from Microsoft Updates. It can be tricky to find the first time: look for "Windows Update Catalog" and "Find Microsoft Windows updates", then search with the keyword "scep". If you really cannot find it, you can try this local package. I strongly recommend using Microsoft Updates if you want to keep up with the latest version of the software.
Run cepsetup.exe and skip the first dialog by pressing "Next". The next dialog is about automatic enrollment. For this example setup, we choose not to require a challenge password: uncheck "Require SCEP..." and press "Next".
Next, we make our RA certificate pair. Fill in the DN parameters.
You can adjust the private key sizes and other parameters from "Advanced Enrollment Options". Click "Next" and the following window should appear:
Remember the URL http://caserver/certsrv/mscep/mscep.dll; we will need it later.
Next, open the Certificate Authority console from Start -> Programs -> Administrative Tools -> Certificate Authority. Check that you have two issued certificates, one for encryption and one for signing. There is no difference in the certificate DN; you simply have two different RA certificates.
You should also take a look at the CA certificate. Right-click on the CA icon ("www.klake.org SCEP CA" in our example) and choose Properties -> View Certificate.
Write down the SHA1 thumbprint, or leave the window open on your server console.
Get CA certificate
Next, edit the file sscep.conf. To fetch the CA certificate, you need the following configuration file keys:
# URL of the SCEP server
URL http://caserver/certsrv/mscep/mscep.dll
# This one is needed with all operations
CACertFile ./ca.crt
# Display fingerprint algorithm (md5/sha1)
FingerPrint sha1
URL is the same URL presented in the "Setup Successful" dialog earlier. Also note the FingerPrint key: the Windows 2000 CA presents certificate fingerprints using SHA1. Get the CA certificate:
$ ./sscep getca -f sscep.conf
./sscep: requesting CA certificate
./sscep: valid response from server
./sscep: found certificate with
  subject: /C=FI/O=www.klake.org/CN=www.klake.org RA
  issuer: /C=FI/O=www.klake.org/CN=www.klake.org SCEP CA
  usage: Digital Signature, Non Repudiation
  SHA1 fingerprint: FC:3C:0E:16:9A:33:D5:5C:A7:E6:01:1F:96:94:4E:C4:79:44:BF:FD
./sscep: certificate written as ./ca.crt-0
./sscep: found certificate with
  subject: /C=FI/O=www.klake.org/CN=www.klake.org RA
  issuer: /C=FI/O=www.klake.org/CN=www.klake.org SCEP CA
  usage: Key Encipherment, Data Encipherment
  SHA1 fingerprint: 1E:8D:34:37:AF:49:08:31:9B:82:61:64:B3:19:59:FE:1E:11:30:51
./sscep: certificate written as ./ca.crt-1
./sscep: found certificate with
  subject: /C=FI/O=www.klake.org/CN=www.klake.org SCEP CA
  issuer: /C=FI/O=www.klake.org/CN=www.klake.org SCEP CA
  usage: Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
  SHA1 fingerprint: 5F:B2:7B:C5:0F:7A:78:4C:B2:09:E4:B0:54:DA:E0:AC:F5:B9:CD:E3
./sscep: certificate written as ./ca.crt-2
We got three certificates. The last one (ca.crt-2) is the actual CA certificate: it is self-signed (it does not have to be, but in our stand-alone root CA setup it is) and its usage includes "Certificate Sign, CRL Sign". The other two are the RA certificates needed for communication with the CA. The one with "usage: Digital Signature, Non Repudiation" is the signing RA certificate, and the one with "usage: Key Encipherment, Data Encipherment" is the encryption RA certificate. Check that the SHA1 fingerprint matches the thumbprint you wrote down from the CA console, and verify the other certificates against it:
$ openssl verify -CAfile ca.crt-2 ca.crt-0 ca.crt-1
ca.crt-0: OK
ca.crt-1: OK
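The fingerprint comparison above is the one step that protects you from trusting a substituted CA certificate, so it is worth scripting rather than eyeballing. The following POSIX shell script is an added example, not part of the original document or of the SSCEP package: it normalizes a thumbprint copied from the Windows certificate dialog (lowercase hex in groups of four) into the colon-separated form that sscep and openssl print, and, when given that thumbprint and the ca.crt-* files, picks the self-signed certificate whose SHA1 fingerprint matches and verifies the remaining (RA) certificates against it with openssl. The function names and the calling convention are this example's own; the openssl options used are standard ones.

```shell
#!/bin/sh
# Added example: verify the CA certificate fetched by "sscep getca" against
# the SHA1 thumbprint written down from the CA server console, then verify
# the RA certificates against it. Function names are this example's own.
set -eu

# Normalize a fingerprint to the "AA:BB:..." form sscep prints. The Windows
# certificate dialog shows "fc3c 0e16 9a33 ..." (lowercase, grouped by four);
# sscep and openssl print "FC:3C:0E:16:...".
normalize_fp() {
    printf '%s' "$1" | tr -d ' :' | tr '[:lower:]' '[:upper:]' \
        | sed 's/../&:/g; s/:$//'
}

# Return 0 when two fingerprints are equal after normalization.
fp_matches() {
    [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# SHA1 fingerprint of a PEM certificate file, as "AA:BB:...".
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Return 0 when the certificate is self-signed (subject equals issuer).
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')" = \
      "$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//')" ]
}

# Usage: check_ca_bundle EXPECTED_THUMBPRINT ca.crt-0 ca.crt-1 ca.crt-2 ...
# Prints the file holding the trusted CA certificate and verifies that the
# other files (the RA certificates) chain to it. Returns 1 if none matches.
check_ca_bundle() {
    expected=$1; shift
    ca=
    for f in "$@"; do
        if is_self_signed "$f" && fp_matches "$expected" "$(cert_fp "$f")"; then
            ca=$f
        fi
    done
    if [ -z "$ca" ]; then
        echo "no self-signed certificate matches thumbprint $expected" >&2
        return 1
    fi
    echo "trusted CA certificate: $ca"
    for f in "$@"; do
        [ "$f" = "$ca" ] || openssl verify -CAfile "$ca" "$f"
    done
}

# Only run when invoked with arguments, so the functions can also be sourced.
# Example: sh check-ca.sh '5fb2 7bc5 0f7a 784c b209 e4b0 54da e0ac f5b9 cde3' ca.crt-*
if [ $# -ge 2 ]; then
    check_ca_bundle "$@"
fi
```

Because the script requires the matching certificate to be self-signed as well as to carry the right fingerprint, a matching RA certificate (which is CA-issued, not self-signed) is never picked as the trust anchor.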
Make certificate request
The PKCS#10 certificate request and the RSA private key are generated with the script mkrequest (included in the SSCEP package). Edit the variables at the beginning of the script if your company policy requires a specific DN.
# Prefix - key will be named PREFIX.key and request PREFIX.csr
PREFIX=local
#
# Additional DN components. Add them if your company policy requires them.
# commonName is assigned automatically from the subjectAltName, or if your
# CA requires the use of unstructuredName as a DN, you must fill in
# the relevant attributes below.
#
# countryName (example: FI)
COUNTRY=
#
# stateOrProvinceName (example: Uusimaa)
STATE=
#
# localityName (example: Helsinki)
LOCALITY=
#
# organizationName (example: www.klake.org)
ORGANIZATION=
#
# organizationalUnitName (example: Sales)
ORGANIZATIONAL_UNIT=
#
# Some CAs may require you to use a Cisco-style subject.
# OpenBSD isakmpd doesn't care about the subject; all that matters is the
# subjectAltName extension. If the CA won't honor that, the certificate
# is useless for isakmpd.
#
UNSTRUCTURED_NAME=
UNSTRUCTURED_ADDRESS=
SERIAL_NUMBER=
# RSA key length, minimum of 1024 recommended.
KEYBITS=1024
mkrequest takes three parameters. The first defines your subjectAltName type: -ip, -dns or -email; for a gateway, use -ip or -dns. The second is the actual subjectAltName value. The last argument is an optional challenge passphrase. In our example, we generate a request with an IP address subjectAltName of 10.100.100.10 and no challenge passphrase:
$ ./mkrequest -ip 10.100.100.10
Generating RSA private key, 1024 bit long modulus
.............++++++
....................................................++++++
e is 65537 (0x10001)
Using configuration from .8824client.cnf
Enroll certificate
Before we can make the enrollment, we must add a few more configuration file keys.
# URL of the SCEP server
URL http://caserver/certsrv/mscep/mscep.dll
# This one is needed with all operations
CACertFile ./ca.crt-0
# Private key created with mkrequest
PrivateKeyFile ./local.key
# Where to write the successfully enrolled certificate
LocalCertFile ./local.crt
# If your CA/RA uses different certificates for encryption
# and signing, define this
EncCertFile ./ca.crt-1
Note that CACertFile is the signing RA certificate and EncCertFile is the encryption RA certificate; the CA certificate itself is not needed for enrollment. When everything is set up, enroll with the command:
$ ./sscep enroll -f sscep.conf
./sscep: sending certificate request
./sscep: valid response from server
./sscep: pkistatus: PENDING
./sscep: requesting certificate (#1)
./sscep: valid response from server
./sscep: pkistatus: PENDING
./sscep: requesting certificate (#2)
./sscep: valid response from server
./sscep: pkistatus: PENDING
...
OK, the request is in state PENDING. You should now see it under "Pending Requests" on the CA server. Issue the certificate:
The next request should be successful:
...
./sscep: requesting certificate (#NNN)
./sscep: valid response from server
./sscep: pkistatus: SUCCESS
./sscep: certificate written as ./local.crt
That's it! Install the files local.key, local.crt and ca.crt-2 where isakmpd can find them:
Filename  | Install as
local.crt | /etc/isakmpd/certs/local.crt
local.key | /etc/isakmpd/private/local.key
ca.crt-2  | /etc/isakmpd/ca/ca.crt
If you are not sure about the right CA certificate, you can verify your local certificate at any time with the command "openssl verify -CAfile ca.crt-2 local.crt".
THE AUTHOR IS NOT RESPONSIBLE OF ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THE INFORMATION IN THIS DOCUMENT.