Using rules to manage SCEP Certificate objects

You can use rules to control inbound Simple Certificate Enrollment Protocol (SCEP) requests. The rules manage the certificate storage location in Trust Protection Platform based on the request content, existing certificate information, or CA configuration settings.

To create rules for SCEP Certificate object storage

  1. From the Platform menu bar, click Policy Tree.
  2. Navigate to Platforms and click the server object.
  3. Click the Network Device Enrollment tab, and then click the Rules tab.
  4. Click Add.

  5. To store the SCEP Certificate objects in a Policy folder, set the Container, and then under Use Container if, select the certificate criteria (such as a Subject match) that an enrollment request must satisfy for this rule to apply.

  6. (Optional) In the Certificate Origin field, enter the friendly name to use when new SCEP Certificate objects are added to Trust Protection Platform. The object name automatically receives the SCEP prefix when it is created.
  7. (Optional) To require an additional Challenge Password for storage in this Policy folder, select a Password Credential. If the credential is the same as the Default Challenge Password that you specified on the Platforms Network Device Enrollment (NDE) tab, the rule is ignored, so give each folder-specific rule its own password.
  8. (Optional) To override the Default CA, type a CA Ident string, select a Certificate Authority (a CA template), and then set the RA Certificate Credential.
  9. (Optional) Enable Match X.509 Subject to existing certificate object to reuse the same certificate object for renewal requests. If a device enrolls a certificate via SCEP and, a year later, enrolls via SCEP again, the system attempts to match the existing certificate object using the Subject of the CSR. If the option is disabled, the system simply creates a new object for every request.

    When you enable this option, the sub-option Limit certificate objects by CA ident becomes available. It restricts the search for the existing certificate object to the corresponding Policy folder only, based on the CA ident included in the SCEP enrollment request.
  10. Click Save.

  11. In the Settings section, enable or disable rules. Use the following chart to determine the appropriate check boxes for managing SCEP rules.

    Rules do not appear in the Configured SCEP Rules section until you click Save.

    • To enable and show rules, select the appropriate check boxes, and then click Save.
    • To disable and hide rules, clear the appropriate check boxes, and then click Save.
    • To require the challenge password to manage the certificate storage location, select Match challenge password to container.
    • To require both a challenge password and the Distinguished Name (DN) of the container to manage the certificate storage location, select Accept container in challenge password.

    If you defined this rule...  | Enable or disable the rule with this check box     | Corresponding SCEP Rule Type
    -----------------------------|----------------------------------------------------|-----------------------------
    Container                    | Match X509 Subject to existing certificate object  | Provided Container
    Challenge Password           | Accept container in challenge password             | Select via Password
    Challenge Password           | Match challenge password to container              | Select via Password
    Use Container if             | Allow X.509 Subject container rules                | Subject Match
    Default CA (all settings)    | Support additional CAs configured on policies      | CA Ident URL
  12. In the Configured SCEP Rules section, correct any rules that appear in red text, and then click Save.
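The decision flow that the rules above configure, modelled as an added Python example. This is illustrative code written for this page, not Trust Protection Platform code: the page states the individual behaviours (a rule whose password equals the Default Challenge Password is ignored, a CA Ident selects a CA template, a Subject match reuses the existing object on renewal, Limit certificate objects by CA ident narrows that search to one folder) but not their precedence, so the evaluation order, the data shapes, and every folder path, CA name and password value below are assumptions.

```python
"""Model of the SCEP storage-rule decisions described on this page. Added
example, not Trust Protection Platform code: evaluation order, data shapes
and every folder, CA and password value below are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class ScepRule:                                    # one Configured SCEP Rules entry (steps 5-8)
    container: str                                 # Policy folder that receives the object
    challenge_password: Optional[str] = None       # Password Credential; None = not required
    ca_ident: Optional[str] = None                 # CA Ident string that overrides the Default CA
    certificate_authority: Optional[str] = None    # CA template used when ca_ident matches

@dataclass
class ScepSettings:                                # Platform NDE defaults + check boxes (steps 9, 11)
    default_container: str
    default_ca: str
    default_challenge_password: str
    match_challenge_password_to_container: bool = False
    match_subject_to_existing: bool = False
    limit_by_ca_ident: bool = False

@dataclass(frozen=True)
class ScepRequest:
    subject: str                                   # Subject DN of the PKCS#10 CSR
    challenge_password: str
    ca_ident: Optional[str] = None                 # CA ident carried with the request

@dataclass(frozen=True)
class CertObject:                                  # an existing certificate object
    folder: str
    subject: str

@dataclass(frozen=True)
class Decision:
    container: str
    certificate_authority: str
    reuse: Optional[CertObject]                    # object to renew, or None for a new object

def route(settings: ScepSettings, rules: List[ScepRule],
          request: ScepRequest, existing: List[CertObject]) -> Decision:
    # Step 7: a rule whose password equals the Default Challenge Password is ignored.
    pw_rules = [r for r in rules if r.challenge_password
                and r.challenge_password != settings.default_challenge_password]
    accepted = {settings.default_challenge_password} | {r.challenge_password for r in pw_rules}
    if request.challenge_password not in accepted:
        raise PermissionError("challenge password not accepted")

    container, ca, ca_scope = settings.default_container, settings.default_ca, None
    # Step 8: a matching CA Ident selects that rule's CA template and container.
    for r in rules:
        if r.ca_ident and r.ca_ident == request.ca_ident:
            container, ca, ca_scope = r.container, r.certificate_authority or ca, r.container
            break
    # "Match challenge password to container": the rule's password picks the folder
    # (assumed here to take precedence over the CA Ident rule's container).
    if settings.match_challenge_password_to_container:
        for r in pw_rules:
            if r.challenge_password == request.challenge_password:
                container = r.container
                break
    # Step 9: a renewal reuses the object whose Subject equals the CSR Subject;
    # "Limit certificate objects by CA ident" narrows the search to one folder.
    reuse = None
    if settings.match_subject_to_existing:
        candidates = [o for o in existing if o.subject == request.subject]
        if settings.limit_by_ca_ident and ca_scope is not None:
            candidates = [o for o in candidates if o.folder == ca_scope]
        reuse = candidates[0] if candidates else None
    return Decision(container, ca, reuse)

# Constructed sample configuration and inventory (all values made up for this example).
SETTINGS = ScepSettings(r"\VED\Policy\SCEP", r"\VED\Policy\CAs\Default CA", "default-secret",
                        match_challenge_password_to_container=True,
                        match_subject_to_existing=True, limit_by_ca_ident=True)
RULES = [
    ScepRule(r"\VED\Policy\SCEP\Routers", challenge_password="routers-2024"),
    ScepRule(r"\VED\Policy\SCEP\Printers", ca_ident="printers",
             certificate_authority=r"\VED\Policy\CAs\Printer CA"),
    ScepRule(r"\VED\Policy\SCEP\Ignored", challenge_password="default-secret"),  # ignored, step 7
]
EXISTING = [CertObject(r"\VED\Policy\SCEP\Routers", "CN=rtr01.example.internal"),
            CertObject(r"\VED\Policy\SCEP\Printers", "CN=prn01.example.internal")]

def demo():
    # First enrollment, renewal, CA Ident override, and a renewal blocked by the CA ident scope.
    first = route(SETTINGS, RULES, ScepRequest("CN=rtr02.example.internal", "routers-2024"), EXISTING)
    renewal = route(SETTINGS, RULES, ScepRequest("CN=rtr01.example.internal", "routers-2024"), EXISTING)
    printer = route(SETTINGS, RULES, ScepRequest("CN=prn01.example.internal", "default-secret", "printers"), EXISTING)
    scoped = route(SETTINGS, RULES, ScepRequest("CN=rtr01.example.internal", "default-secret", "printers"), EXISTING)
    return first, renewal, printer, scoped

def rejects_unknown_password() -> bool:
    try:
        route(SETTINGS, RULES, ScepRequest("CN=any", "wrong-password"), EXISTING)
    except PermissionError:
        return True
    return False
```

The fourth request in demo() is the case worth checking in a real deployment: the Subject already exists in the Routers folder, but because the request carries the printers CA ident and Limit certificate objects by CA ident is on, the search is confined to the Printers folder and a new object is created instead of renewing the router's certificate. The third rule shows the step 7 caveat: its password equals the Default Challenge Password, so it never selects its container.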