Scep
These scenarios show how to configure the SCEP protocol to retrieve certificates from a PKI server.
Test SCEP Protocol With Linux PKI
Description
In this scenario, the SCEP protocol is used to retrieve digital certificates (X509) from a Linux PKI server.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set protocols static route 192.168.212.0/22 next-hop 10.215.168.1 set system certificate scep csr CSR cgi-path /scep set system certificate scep csr CSR cipher aes set system certificate scep csr CSR digest sha256 set system certificate scep csr CSR distinguished-names CN=MyUserCert set system certificate scep csr CSR encrypted-password U2FsdGVkX1+Ijmy+Au4dDxch3/J49EjExHbwut6S6qw= set system certificate scep csr CSR port 8080 set system certificate scep csr CSR url 'http://10.215.168.1' set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.176 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.176/0.176/0.176/0.000 ms
Step 3: Run command pki scep show CSR at DUT0 and check if output matches the following regular expressions:
ca\s+Valid usercert\s+ValidShow output
------------------------------------------------------------------------------------------------- Certificate Status Usage NotBefore NotAfter ------------------------------------------------------------------------------------------------- ca Valid Encipherment & Signature Apr 16 09:19:39 2025 GMT Apr 11 09:19:39 2045 GMT usercert Valid - Sep 5 14:07:22 2025 GMT Sep 5 14:07:22 2026 GMT
Step 4: Run command pki show certificate running://auth/certificates/scep/CSR/ca/ca.der at DUT0 and check if output contains the following tokens:
Subject: CN = Teldat-PKI, O = Teldat, L = Madrid, C = ESShow output
Certificate: Data: Version: 3 (0x2) Serial Number: 7c:28:60:8a:6f:42:5d:c8:44:f0:10:0d:61:e5:ca:40:11:bc:ea:f2 Signature Algorithm: sha256WithRSAEncryption Issuer: CN = Teldat-PKI, O = Teldat, L = Madrid, C = ES Validity Not Before: Apr 16 09:19:39 2025 GMT Not After : Apr 11 09:19:39 2045 GMT Subject: CN = Teldat-PKI, O = Teldat, L = Madrid, C = ES Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:de:b7:3b:d9:9b:e3:d3:57:9b:b0:33:67:c0:40: 4f:45:84:ea:c2:35:a6:08:3b:3a:fd:6d:fa:d7:2b: 3d:7f:1c:a1:92:15:08:8b:5c:02:ec:6a:66:46:c5: 6f:7f:9b:9d:c3:86:e1:97:47:9b:5e:ea:96:5b:bf: 68:35:96:4f:6e:64:c6:7d:f6:da:6b:f9:bf:98:b1: 32:63:ae:f4:5b:2f:cd:6d:d7:ef:db:01:12:b0:a4: 54:95:6e:e8:84:4a:0a:f1:13:83:13:a1:7a:1d:f4: 06:3f:e3:53:5d:9f:68:a1:a0:5c:51:05:ba:8c:da: 00:11:64:4b:e8:37:c3:70:43:9c:16:dd:46:fb:34: e4:3c:ae:a4:9a:a1:da:cf:a1:f5:93:13:a6:0e:68: 51:31:f7:26:63:a3:8b:47:c3:94:e4:34:d2:b0:36: cf:22:e5:81:dd:a4:01:e8:79:08:37:ad:7a:b9:da: 24:37:cc:53:f4:51:f8:b5:67:09:15:63:52:60:7f: b0:e2:f0:38:cd:3c:13:42:81:5f:e2:dd:e2:c5:37: f3:ef:05:8c:85:2f:2a:0a:f4:94:2f:70:56:7f:7d: a9:f6:ca:69:0b:a7:40:e1:fa:bc:f0:f4:01:7a:76: 55:f4:2a:57:43:8b:f1:87:58:f2:f4:db:23:26:33: f8:4f Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: D3:97:2E:56:37:6A:89:77:01:D4:E3:42:0D:EC:E7:10:79:9C:E8:7C X509v3 Authority Key Identifier: keyid:D3:97:2E:56:37:6A:89:77:01:D4:E3:42:0D:EC:E7:10:79:9C:E8:7C DirName:/CN=Teldat-PKI/O=Teldat/L=Madrid/C=ES serial:7C:28:60:8A:6F:42:5D:C8:44:F0:10:0D:61:E5:CA:40:11:BC:EA:F2 X509v3 Basic Constraints: critical CA:TRUE, pathlen:0 X509v3 Key Usage: critical Digital Signature, Key Encipherment, Certificate Sign, CRL Sign Signature Algorithm: sha256WithRSAEncryption Signature Value: 5e:0d:47:96:a2:24:38:fa:62:5b:0c:c2:4e:59:23:79:40:1b: 88:d1:63:11:0b:ce:bc:63:46:cd:70:33:52:75:4b:85:c1:39: be:3c:ce:7c:66:53:63:b4:39:07:ec:ef:52:fe:fa:dc:c1:fb: e4:51:61:28:58:4f:90:71:83:50:7d:62:a9:16:fa:45:89:08: 5f:39:43:6a:b1:bb:ad:4e:6f:50:bc:07:4f:1c:5b:07:df:63: ec:44:20:48:b6:97:00:e2:9d:8e:42:9e:96:5f:71:7a:43:96: de:fd:66:6b:45:85:5d:e4:dc:bf:e9:34:64:4f:3a:7b:33:a0: 54:80:3b:9a:5b:1f:3f:3f:1c:09:a3:8e:d8:b6:2a:ba:b2:07: 87:fa:0f:a5:69:41:06:b1:14:6f:09:4f:bb:88:60:87:70:83: 31:73:ed:2a:03:ca:3c:19:0a:b2:24:61:c6:ce:09:97:ac:6e: da:cb:47:88:c5:f5:a7:74:d2:96:e0:cc:c3:b6:b7:f6:64:9f: ad:1c:7f:36:fd:39:7c:57:54:a5:e9:8a:82:90:4d:cd:74:99: 27:4d:f6:62:a6:96:c5:6e:d3:02:ec:c1:4d:5f:46:b6:82:75: 12:61:d7:a3:d6:70:f6:35:9d:9c:30:06:84:af:b2:cb:a5:a0: 5e:d3:1d:6c
Step 5: Run command pki show certificate running://auth/certificates/scep/CSR/user/cert at DUT0 and check if output contains the following tokens:
Subject: CN = MyUserCertShow output
Certificate: Data: Version: 3 (0x2) Serial Number: 8 (0x8) Signature Algorithm: sha256WithRSAEncryption Issuer: CN = Teldat-PKI, O = Teldat, L = Madrid, C = ES Validity Not Before: Sep 5 14:07:22 2025 GMT Not After : Sep 5 14:07:22 2026 GMT Subject: CN = MyUserCert Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:a5:64:31:50:6b:c2:e8:1e:d9:d7:ca:ca:71:96: 39:73:04:fe:52:5d:23:35:6d:4c:22:11:52:9f:b7: c8:58:22:a9:7d:40:7c:52:a1:d8:e0:b5:e6:42:19: 1d:36:b8:ac:bc:a8:8f:2c:ab:27:16:51:43:2d:66: 99:72:4f:ab:83:f9:af:ff:17:68:86:d1:80:38:ce: b7:54:2f:5f:8a:24:59:13:57:71:8d:4c:f2:da:ba: 0c:eb:95:b7:d5:93:6a:87:c3:a6:1c:65:50:75:41: da:ed:e6:9a:ea:a2:d1:f5:97:8c:21:67:0d:01:03: 01:01:66:9a:47:cf:57:db:5a:7e:9f:fa:6f:c3:15: c6:4e:5b:d1:ec:d2:e2:03:d7:ba:fa:34:60:96:6a: 95:9c:e5:27:cc:fd:92:2f:2e:98:68:5b:a9:3e:2d: ea:5a:d2:9c:de:64:52:b2:9b:c2:cf:24:55:4b:36: e2:d1:72:7a:b0:dd:14:e1:0f:ab:05:63:7f:91:1b: 90:46:eb:ec:5f:b1:5f:e6:96:de:13:ec:0c:30:ec: 33:8b:ba:20:21:9a:6f:ee:37:73:8b:6a:8b:98:97: 2d:38:82:5a:db:05:ac:ba:17:12:53:4d:e2:15:a8: 16:7e:b6:c3:83:d9:3b:9d:4f:e1:ce:49:a6:64:f6: 4c:f1 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Client Authentication X509v3 Subject Key Identifier: EB:18:7A:04:AD:F1:F8:A1:A4:3B:97:74:72:BA:0A:88:BF:22:5B:69 X509v3 Authority Key Identifier: D3:97:2E:56:37:6A:89:77:01:D4:E3:42:0D:EC:E7:10:79:9C:E8:7C Signature Algorithm: sha256WithRSAEncryption Signature Value: c8:7c:0e:71:9f:8a:40:43:73:4d:bf:5f:c1:de:65:58:f3:c2: 57:ed:ed:e7:fc:61:0e:05:fa:6e:5b:1e:e9:84:0b:05:e7:0a: 88:35:c1:1f:90:be:b2:df:48:52:8b:7e:0f:59:eb:c8:91:57: 73:96:2a:1e:8f:1c:c1:73:e1:3c:fa:b6:5f:2d:20:76:08:3c: ad:6d:7f:6d:b1:57:0f:19:ed:e7:8d:be:34:64:8b:9f:05:ef: 19:c7:04:4a:b2:87:ad:ad:d7:fc:8c:5d:e3:ef:8c:3e:42:f7: 0a:ef:33:ad:ee:1b:47:ef:a5:83:28:4e:74:dc:b3:cb:90:c1: e0:d1:6a:d1:f4:24:b1:67:6d:d4:10:22:aa:e9:5b:08:0d:fd: c2:c7:4e:f1:e4:db:58:01:6f:0a:d4:5a:60:3c:51:74:33:8c: d5:45:d2:eb:55:2d:11:5e:e2:e3:d8:90:44:b1:e3:49:d5:79: 44:ae:32:c6:23:02:12:4b:d2:55:ba:c4:d1:b2:40:57:65:84: 12:a5:8a:6c:74:38:48:40:b4:14:d5:45:7c:d0:d3:ea:b9:e8: 1b:3e:e3:b8:c8:42:8a:b8:18:00:20:04:e7:58:7e:25:21:82: 5e:5c:97:73:0e:cb:59:b3:5a:19:83:02:7f:8d:bf:64:62:63: 79:c2:62:75
Test SCEP Protocol With Windows Server PKI
Description
In this scenario, the SCEP protocol is used to retrieve digital certificates (X509) from a Windows PKI server.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24 set protocols static route 192.168.212.0/22 next-hop 10.215.168.1 set system certificate scep csr CSR cgi-path CertSrv/mscep/mscep.dll/pkiclient.exe set system certificate scep csr CSR distinguished-names CN=MyUserCert set system certificate scep csr CSR encrypted-password U2FsdGVkX19QV4CaPSf4VJqAAjX72w9Ug9dOXzGnpN67vCiAwSF4lQUektMh88EpbY+n2weeHBHvF7VBkufa0A== set system certificate scep csr CSR url 'http://192.168.213.25/' set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 2: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1Show output
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data. 64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.230 ms --- 10.215.168.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.230/0.230/0.230/0.000 ms
Step 3: Ping IP address 192.168.213.25 from DUT0:
admin@DUT0$ ping 192.168.213.25 count 1 size 56 timeout 1Show output
PING 192.168.213.25 (192.168.213.25) 56(84) bytes of data. 64 bytes from 192.168.213.25: icmp_seq=1 ttl=126 time=0.559 ms --- 192.168.213.25 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.559/0.559/0.559/0.000 ms
Step 4: Run command pki scep show CSR at DUT0 and check if output matches the following regular expressions:
ca\s+Valid usercert\s+ValidShow output
------------------------------------------------------------------------------------- Certificate Status Usage NotBefore NotAfter ------------------------------------------------------------------------------------- ca Valid Signature Dec 14 10:00:35 2023 GMT Dec 14 10:10:34 2053 GMT ra Valid Encipherment Dec 21 09:33:45 2023 GMT Dec 20 09:33:45 2025 GMT ra-2 Valid Signature Dec 21 09:33:43 2023 GMT Dec 20 09:33:43 2025 GMT usercert Valid - Sep 5 13:42:38 2025 GMT Sep 5 17:42:38 2025 GMT
Step 5: Run command pki show certificate running://auth/certificates/scep/CSR/ca/ca.der at DUT0 and check if output contains the following tokens:
Subject: DC = com, DC = scep, CN = scep-TELDATPKI-CAShow output
Certificate: Data: Version: 3 (0x2) Serial Number: 1a:ea:6d:57:94:fe:a5:9c:42:14:81:ca:79:1b:75:d7 Signature Algorithm: sha256WithRSAEncryption Issuer: DC = com, DC = scep, CN = scep-TELDATPKI-CA Validity Not Before: Dec 14 10:00:35 2023 GMT Not After : Dec 14 10:10:34 2053 GMT Subject: DC = com, DC = scep, CN = scep-TELDATPKI-CA Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:bf:c5:be:9a:32:e2:a5:42:6c:b8:42:b5:7b:21: e5:71:b0:79:46:b1:41:bd:25:c3:40:e1:33:8e:1a: 3b:12:ca:26:1e:f3:c9:44:d6:b5:9a:03:cb:14:f5: 82:6f:a8:7e:47:bc:e7:e0:b3:1f:c6:ff:84:54:2b: fd:b6:0d:e1:4f:c3:b7:6a:0f:98:99:c2:8a:b6:b8: 9d:f3:5d:36:f3:af:48:0f:7d:cd:5a:6c:a8:10:0c: 02:b2:0c:af:b3:d8:c3:b4:de:0e:b8:15:6d:4a:f0: 4e:67:7d:c2:3a:dd:03:f7:3d:80:69:63:2c:f9:97: fa:d3:4d:80:13:dd:24:ac:54:ad:f7:cc:25:94:41: fd:2d:e8:2a:8e:a8:91:96:89:d2:9f:0c:17:03:99: 11:f5:ce:2c:db:78:b7:09:75:d1:96:af:58:82:58: 62:86:63:01:16:68:fc:06:db:92:d0:c5:6d:9d:6d: fd:5d:13:b0:2b:37:2f:9c:ae:3b:e3:34:d6:42:7b: 12:01:93:da:ea:b4:c8:ba:9f:57:35:4f:6a:a1:95: c2:5f:40:9d:6b:c1:72:ec:91:9b:72:cc:6a:b8:9e: dc:08:f0:53:09:4f:d4:09:75:28:99:56:f5:66:be: 7d:ca:59:0e:9b:50:4d:be:98:04:20:4d:98:e6:5f: 58:c5 Exponent: 65537 (0x10001) X509v3 extensions: 1.3.6.1.4.1.311.20.2: ...C.A X509v3 Key Usage: critical Digital Signature, Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE X509v3 Subject Key Identifier: AF:CF:34:AD:5B:BC:15:CF:9E:0B:FB:4A:ED:09:79:E0:01:68:5D:B8 1.3.6.1.4.1.311.21.1: ... Signature Algorithm: sha256WithRSAEncryption Signature Value: 6c:44:b8:33:b1:75:08:00:07:7f:2b:a4:80:f2:6a:ff:94:4c: ee:85:cc:61:db:49:59:19:cc:01:2f:c5:45:4b:d2:8d:dc:77: 54:7d:3c:34:75:28:c9:16:28:94:15:51:3d:e6:f7:dc:9b:d8: cd:63:bb:d3:ec:fc:ae:32:7e:cd:be:50:c2:9f:f7:91:de:9e: bb:44:d3:24:09:4d:dd:5f:67:ad:58:ad:7e:cc:9e:9f:8f:c8: 48:f5:d9:03:9a:a3:df:cd:e5:8a:e0:03:9e:36:f9:ba:fd:ff: 0b:a0:15:8c:66:9f:49:bc:e8:94:3e:61:7d:78:ff:48:66:d1: 13:54:1d:41:61:63:28:ba:d9:f8:6a:c4:df:48:16:d2:69:39: c0:38:ea:54:84:e0:40:17:d9:2c:43:58:be:e4:a1:5d:e2:6c: e9:23:55:b7:6e:61:8f:4e:72:4f:c2:d5:c4:7a:74:f5:8e:b3: 0e:2c:bc:5d:7d:ba:f8:ae:3b:f0:d6:b0:2e:1f:3f:fd:2d:77: 7d:52:bf:f7:07:ba:9d:64:60:57:1d:68:34:bb:cb:44:ac:dd: 55:c2:40:a1:98:84:b7:74:50:a4:50:95:0e:12:59:96:b9:af: bc:b3:09:e6:67:39:26:7e:b0:41:07:90:57:72:40:2a:11:7a: 2e:ac:be:b8
Step 6: Run command pki show certificate running://auth/certificates/scep/CSR/user/cert at DUT0 and check if output contains the following tokens:
Subject: CN = MyUserCertShow output
Certificate: Data: Version: 3 (0x2) Serial Number: 1c:00:01:03:52:10:38:3f:0e:52:9f:2f:ea:00:00:00:01:03:52 Signature Algorithm: sha256WithRSAEncryption Issuer: DC = com, DC = scep, CN = scep-TELDATPKI-CA Validity Not Before: Sep 5 13:42:38 2025 GMT Not After : Sep 5 17:42:38 2025 GMT Subject: CN = MyUserCert Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:86:42:5e:65:60:d6:d0:ab:78:09:da:53:0c:42: 3a:6d:6b:08:5d:67:b7:6d:a8:97:0f:ba:a1:2e:f2: aa:39:be:2f:4b:c9:5b:64:0a:54:f1:24:98:ae:52: 0d:4c:a8:6a:d3:b2:e8:a4:ef:16:92:40:09:d1:16: 69:93:3c:4a:a1:43:2c:67:97:a5:bb:fd:85:37:bd: 4d:af:db:8a:fe:94:f0:59:39:e7:44:81:1e:5f:f9: 34:91:3b:22:ed:74:e0:2f:b9:ab:21:9f:07:7c:0b: 6e:97:ea:39:33:47:33:af:05:fe:8b:50:a8:fe:ae: 6e:40:d7:f5:a4:48:2e:07:7b:85:32:19:d2:2b:7a: 71:cf:93:4a:74:22:3a:f6:15:e5:1f:b9:e7:7f:99: 02:18:b1:21:3f:09:07:a0:a6:d6:c0:4b:66:6c:53: 2d:2e:8a:03:0c:5d:da:29:33:b8:5a:ec:30:37:ed: 92:be:92:82:4c:9c:b2:09:d1:78:e9:cd:f2:e5:d0: 02:df:96:59:9b:d0:0c:ce:3c:7f:41:04:b2:ec:96: 56:ec:f8:1f:cb:20:9a:f3:c9:d9:eb:8d:39:e6:59: 48:0d:34:23:a1:8b:bf:96:53:88:ae:e2:e6:ff:f1: f1:e4:58:09:e7:54:74:4e:45:6e:89:49:e6:51:2b: 61:01 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: F9:C2:3D:A7:B9:2A:A7:23:6B:BC:5B:0E:18:4D:66:A2:3D:72:DF:EE X509v3 Authority Key Identifier: AF:CF:34:AD:5B:BC:15:CF:9E:0B:FB:4A:ED:09:79:E0:01:68:5D:B8 X509v3 CRL Distribution Points: Full Name: URI:http://192.168.213.25/CertEnroll/scep-TELDATPKI-CA.crl Authority Information Access: CA Issuers - URI:ldap:///CN=scep-TELDATPKI-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=scep,DC=com?cACertificate?base?objectClass=certificationAuthority X509v3 Key Usage: critical Digital Signature, Key Encipherment, Data Encipherment 1.3.6.1.4.1.311.21.7: 0..&+.....7.....3......./...(...f<...[...]..d.. X509v3 Extended Key Usage: 1.3.6.1.4.1.311.20.1, Microsoft Encrypted File System, Code Signing, Any Extended Key Usage, TLS Web Server Authentication, Signing KDC Response, TLS Web Client Authentication, 1.3.6.1.4.1.311.21.5, 1.3.6.1.4.1.311.20.2.1, 1.3.6.1.5.5.8.2.2 1.3.6.1.4.1.311.21.10: 0y0...+.....7..0.. +.....7 ..0 ..+.......0...U.%.0 ..+.......0...+......0 ..+.......0...+.....7..0.. +.....7...0 ..+....... S/MIME Capabilities: 050...*.H.. ......0...*.H.. ......0...+....0 ..*.H.. .. Signature Algorithm: sha256WithRSAEncryption Signature Value: 81:10:0d:96:5b:27:64:11:46:d9:17:c8:ae:ee:e0:b3:48:64: f2:9f:4c:16:a8:f1:1c:ee:f7:b3:2a:da:1a:1e:50:5d:20:b7: f6:fe:6c:a2:cc:a5:a1:da:6c:9b:68:10:7f:7b:05:d2:9d:ab: 16:81:f4:d7:7d:12:a5:8c:91:b8:f2:9b:f1:41:47:4f:45:0a: 48:d1:29:6b:ba:0c:49:e4:e7:70:77:8a:0c:05:6e:a3:03:22: 1c:ed:81:06:3d:be:9a:5c:c6:7f:01:92:01:91:8e:e4:f3:32: 6e:a7:53:e3:ef:29:88:90:ff:d1:64:4d:5d:5f:3f:93:a6:48: 5c:93:57:df:c9:7a:03:9e:8e:82:7c:b1:24:77:bf:7e:3d:d0: a4:81:ec:14:68:3f:ad:da:63:bb:55:4a:0c:a2:39:ea:28:a9: 91:f4:4b:fc:54:39:4b:0a:d2:76:69:d1:50:ed:bd:94:03:c6: d4:08:75:92:20:1f:13:1b:50:38:62:22:9a:2b:9b:12:8e:9c: 57:75:19:63:0c:1b:1a:3c:a9:04:42:52:c0:2b:8b:6d:71:f3: 8e:a2:c5:7b:53:52:d9:fc:b5:59:24:09:91:18:81:3e:bb:f7: 5d:82:10:ac:ab:2d:10:ce:7e:87:65:f6:51:99:1f:0e:46:31: a0:32:30:e0