Configuring SCEP support on Trust Protection Foundation
Trust Protection Foundation uses its own built-in VEDSCEP application server to manage Simple Certificate Enrollment Protocol (SCEP) certificates. When VEDSCEP receives an initial GET CA request from a network device, it returns the corresponding CA root certificate chain and its own registration authority (RA) certificate.
When Trust Protection Foundation receives the subsequent enrollment request, it first creates the certificate object in the Policy tree and then submits the certificate signing request (CSR) to the appropriate certificate authority (CA) for enrollment. After the CA signs the certificate, Trust Protection Foundation retrieves the certificate from the CA and then returns the certificate to the SCEP device.
So, as part of SCEP configuration, you must configure both NDE and CA templates.
NOTE Before you begin this task, make sure you have View and Write permissions to the Policy object where you want to define the NDE settings.
To configure NDE
- From the Platform menu bar, click Policy Tree.
- In the Policy tree, do the following:
  - Create a policy object that can be used to hold the SCEP certificates.
    TIP Give some thought to the storage location for certificates in the Policy tree. By default, the policy object you specify in the NDE settings is the location where Trust Protection Foundation stores certificate objects for each certificate enrolled using that CA. For more information, see Using a policy to configure NDE.
  - Create at least one CA template.
    If you want multiple CAs, you must define a separate CA template for each CA. For more information, see Creating CA template objects.
  - (Optional) Define a credential policy for each CA.
  - Define a credential policy for the RA.
    NOTE The RA certificate is a Trust Protection Foundation signing certificate for the enrollment CA. In practice, the RA certificate can be a standard Web certificate. The only requirement is that the certificate must be signed by the enrollment CA. If you are managing certificate enrollment with multiple CAs, you must have a separate RA certificate for each CA. The RA certificate is used as a credential to validate the identity of the RA server. Both the SCEP-enabled device and the enrollment CA require the RA certificate before they can trust the Trust Protection Foundation server as the intermediary agent in the certificate enrollment process.
- (Optional) On the root Platforms tree, click the Network Device Enrollment tab, and then configure the Default CA and One-Time Challenge sections.
  Add the appropriate policy settings. For more information, see Network device enrollment settings—Platforms and Server object.
- On the Server object's Network Device Enrollment tab, add the appropriate settings.
  For more information, see Network device enrollment settings—Platforms and Server object.
- To manage the storage location for certificates, click the Rules tab and configure rules.
  For more information, see About Network Device Enrollment rules.
- To test certificate generation, install a SCEP client tool such as sscep. For more information, see our support article, How to Setup to work with Network Device Enrollment.
  - If there is only one CA, use the base VEDSCEP URL. For example, http://VED_server_address/vedscep/.
  - For multiple CAs, use the base VEDSCEP URL and the CA Ident value from the Policy object.
  - If you designated a credential and rules to store certificates in a special folder, append the folder and the credential to the VEDSCEP URL.
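As an added example of the test step above (this script is not Venafi's tooling and is not from the original page), a POSIX shell script that exercises VEDSCEP end to end with sscep and openssl: it builds a device CSR carrying the one-time challenge, fetches the CA chain and RA certificate, enrolls, and then verifies that the issued certificate chains to the fetched CA. VED_server_address, the folder, credential and CA Ident values are placeholders; the layout that appends folder and credential as URL path segments is an assumption, and the CA Ident is passed through sscep's -i option.

```shell
#!/bin/sh
# Added example: drive the VEDSCEP test step with sscep and openssl.
# Placeholders: VED_server_address, folder, credential and CA Ident values.

# Build the VEDSCEP URL. $1 = server, $2 = policy folder (optional), $3 = credential (optional).
# Appending folder and credential as path segments is an ASSUMED layout; check your NDE rules.
vedscep_url() {
    url="http://$1/vedscep/"
    [ -n "$2" ] && url="${url}$2/"
    [ -n "$3" ] && url="${url}$3/"
    printf '%s' "$url"
}

# Create the device key and CSR, embedding the one-time challenge as the
# challengePassword attribute that the SCEP server checks during enrollment.
# $1 = device name (used as CN), $2 = one-time challenge password.
make_csr() {
    cat > "$1.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
attributes = attrs
[ dn ]
CN = $1
[ attrs ]
challengePassword = $2
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$1.cnf" \
        -keyout "$1.key" -out "$1.csr"
}

# GetCACert: VEDSCEP answers with the CA chain and its RA certificate.
# $1 = URL, $2 = CA Ident (empty when only one CA is configured), $3 = output file.
fetch_ca() {
    if [ -n "$2" ]; then sscep getca -u "$1" -i "$2" -c "$3"
    else sscep getca -u "$1" -c "$3"; fi
}

# Full test: CSR -> GetCACert -> enroll -> check the issued certificate chains to the CA.
# $1 = URL, $2 = CA Ident, $3 = device name, $4 = one-time challenge.
# When a chain comes back, sscep writes ca.crt-0, ca.crt-1, ...; point -c at the
# signing CA file and -e at the RA (encryption) certificate file in that case.
scep_test_enrollment() {
    make_csr "$3" "$4" || return 1
    fetch_ca "$1" "$2" ca.crt || return 1
    sscep enroll -u "$1" -c ca.crt -e ca.crt -k "$3.key" -r "$3.csr" -l "$3.crt" || return 1
    openssl verify -CAfile ca.crt "$3.crt"
}
```

Run it as, for example, `scep_test_enrollment "$(vedscep_url VED_server_address)" "" router01 <challenge>` for a single CA, or pass the CA Ident as the second argument when several CA templates are defined.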