Using rules to manage SCEP Certificate objects
You can use rules to control inbound Simple Certificate Enrollment Protocol (SCEP) requests. The rules manage the certificate storage location in Trust Protection Platform based on the request content, existing certificate information, or CA configuration settings.
To create rules for SCEP Certificate object storage
- From the Platform menu bar, click Policy Tree.
- Navigate to Platforms and click the server object.
- Click the Network Device Enrollment tab, and then click the Rules tab.
- Click Add.
- To store the SCEP Certificate objects in a Policy folder, set the Container and select the Use Container if certificate criteria.
- (Optional) In the Certificate Origin field, enter the friendly name to be used when new SCEP Certificate objects are added to Trust Protection Platform. The object name will automatically receive the SCEP prefix when created.
- (Optional) To require an additional Challenge Password for storage on the Policy folder, select a Password Credential. If the credential is the same as the Default Challenge Password that you specified in the Platforms NDE tab, the rule is ignored.
- (Optional) To override the Default CA, type a CA Ident string, select a Certificate Authority, which is a CA template, and then set the RA Certificate Credential.
- (Optional) Enable Match X.509 Subject to existing certificate object to use the same certificate object for renewal requests. This means that if a customer enrolls a certificate via SCEP and then, a year later, requests SCEP again, the system will attempt to match the existing certificate object using the CSR’s Subject, provided this option is enabled. If the option is disabled, the system will simply create a new object.
  When you enable this option, you will have the sub-option (not shown) to Limit certificate objects by CA ident, which restricts the search for the existing certificate object to the corresponding policy folder only, based on the CA ident included in the SCEP enrollment request.
- Click Save.
- In the Settings section, enable or disable rules. Use the following chart to determine the appropriate check boxes for managing SCEP rules. Nothing appears until you click Save.
  - To enable and show rules, select the appropriate check boxes, and then click Save.
  - To disable and hide rules, clear the appropriate check boxes, and then click Save.
  - To require the challenge password to manage the certificate storage location, select Match Challenge Password to folder.
  - To require both a challenge password and the folder Distinguished Name (DN) to manage the certificate storage location, select Accept folder in Challenge Password.
| If you defined this rule... | Enable or disable the rule with this check box | Corresponding SCEP Rule Type |
|---|---|---|
| Container | Match X.509 Subject to existing certificate object | Provided Container |
| Challenge Password | Accept container in challenge password | Select via Password |
| Challenge Password | Match challenge password to container | Select via Password |
| Use Container if | Allow X.509 Subject container rules | Subject Match |
| Default CA (all settings) | Support additional CAs configured on policies | CA Ident URL |

- In the Configured SCEP Rules section, correct any rules that appear in red text, and then click Save.
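The following Python model is an added illustration and is not Trust Protection Platform code. It works through the rule behaviour described above on constructed requests: a rule whose Password Credential equals the Default Challenge Password is ignored, a CA Ident restricts a rule to requests carrying that ident, Match X.509 Subject reuses an existing object for a renewal, and Limit certificate objects by CA ident narrows that search to the rule's own folder. The rule and request field names, the "first matching rule wins" order, the folder DN format and the " (2)" suffix used to keep object names unique are all assumptions made for the example; the product's real evaluation order is not documented on this page.

```python
from dataclasses import dataclass, field
from typing import Optional

# The page states that new object names automatically receive the SCEP prefix.
SCEP_PREFIX = "SCEP "


@dataclass
class ScepRule:
    """One storage rule as configured on the Rules tab (field names assumed)."""
    container: str                              # Policy folder that receives the object
    password_credential: Optional[str] = None   # additional Challenge Password for this folder
    ca_ident: Optional[str] = None              # rule applies only to requests with this CA Ident
    match_subject: bool = False                 # Match X.509 Subject to existing certificate object
    limit_by_ca_ident: bool = False             # Limit certificate objects by CA ident (sub-option)
    certificate_origin: str = "Device"          # friendly name used for new objects


@dataclass
class ScepRequest:
    """Relevant content of an inbound SCEP enrollment request (constructed)."""
    subject: str                   # CSR Subject
    challenge_password: str
    ca_ident: Optional[str] = None


@dataclass
class CertStore:
    """Minimal stand-in for the Policy tree: object DN -> CSR Subject."""
    default_challenge_password: str
    objects: dict = field(default_factory=dict)


def effective_rules(rules, store):
    """A rule whose credential equals the Default Challenge Password is ignored."""
    return [r for r in rules if r.password_credential != store.default_challenge_password]


def select_rule(rules, req, store):
    """First rule whose CA Ident and Password Credential (if set) match the request."""
    for rule in effective_rules(rules, store):
        if rule.ca_ident is not None and rule.ca_ident != req.ca_ident:
            continue
        if rule.password_credential is not None and rule.password_credential != req.challenge_password:
            continue
        return rule
    return None


def find_existing(rule, req, store):
    """Return the DN of an existing object with the same Subject, or None.

    With limit_by_ca_ident set, only the rule's own folder is searched (assumed
    to be the folder tied to the CA Ident in the request)."""
    if not rule.match_subject:
        return None
    for dn, subject in store.objects.items():
        if subject != req.subject:
            continue
        if rule.limit_by_ca_ident and not dn.startswith(rule.container + "\\"):
            continue
        return dn
    return None


def place_request(rules, req, store):
    """Decide where the request lands: ("reject", None), ("renew", dn) or ("create", dn)."""
    rule = select_rule(rules, req, store)
    if rule is None:
        return ("reject", None)
    existing = find_existing(rule, req, store)
    if existing is not None:
        return ("renew", existing)
    base = f"{rule.container}\\{SCEP_PREFIX}{rule.certificate_origin}"
    dn, n = base, 1
    while dn in store.objects:          # assumed uniqueness suffix, not product behaviour
        n += 1
        dn = f"{base} ({n})"
    store.objects[dn] = req.subject
    return ("create", dn)


def demo():
    """Constructed rules and requests exercising each behaviour on the page."""
    rules = [
        ScepRule(container="\\VED\\Policy\\Devices\\Routers", password_credential="routers-secret",
                 ca_ident="RouterCA", match_subject=True, limit_by_ca_ident=True,
                 certificate_origin="Router"),
        ScepRule(container="\\VED\\Policy\\Devices\\Default", match_subject=True),
        # Same credential as the Default Challenge Password: this rule is ignored.
        ScepRule(container="\\VED\\Policy\\Ignored", password_credential="default-pw"),
    ]
    store = CertStore(default_challenge_password="default-pw")
    first = place_request(rules, ScepRequest("CN=router1.example.test", "routers-secret", "RouterCA"), store)
    renewal = place_request(rules, ScepRequest("CN=router1.example.test", "routers-secret", "RouterCA"), store)
    printer = place_request(rules, ScepRequest("CN=printer1.example.test", "default-pw"), store)
    # Same Subject as the printer object, but the Routers rule limits the search to its own folder.
    limited = place_request(rules, ScepRequest("CN=printer1.example.test", "routers-secret", "RouterCA"), store)
    return first, renewal, printer, limited


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The fourth request in `demo()` is the case the Limit certificate objects by CA ident sub-option exists for: the Subject already exists in the Default folder, but because the Routers rule searches only its own folder, a new object is created there instead of the unrelated object being renewed.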