SteelHead™ Deployment Guide - Protocols : Configuring SCEP and Managing CRLs : Using SCEP to Configure On-Demand and Automatic Reenrollment
Using SCEP to Configure On-Demand and Automatic Reenrollment
SCEP (Simple Certificate Enrollment Protocol) is a protocol for securely issuing and revoking digital certificates in a simple, scalable manner on network devices. The SteelHead uses SCEP to perform on-demand enrollment and automatic reenrollment of SSL peering certificates.
Currently, the SteelHead can only enroll peering certificates.
This section describes how to configure on-demand and automatic reenrollment of SSL peering certificates.
The following table summarizes the SCEP commands.
secure-peering scep auto-reenroll
    enable
        Enables automatic reenrollment of a certificate to be signed by a CA.
    exp-threshold <num of days>
        Specify the amount of time (in days) to schedule reenrollment before the certificate expires.
    last-result clear-alarm
        Clears the automatic reenrollment last-result alarm. The last result is the last completed enrollment attempt.
secure-peering scep max-num-polls
    <max number polls>
        Specify the maximum number of polls before the SteelHead cancels the enrollment. The peering certificate is not modified. The default value is 5.
        A poll is a request by the SteelHead to the server for an enrolled certificate. The SteelHead polls only if the server responds with pending. If the server responds with fail, the SteelHead does not poll.
secure-peering scep on-demand cancel
    None
        Cancels any active on-demand enrollment.
secure-peering scep on-demand gen-key-and-csr
    rsa
        Generates a new private key and CSR for on-demand enrollment using the Rivest-Shamir-Adleman algorithm.
    state <string>
        Specify the state. No abbreviations allowed.
    org-unit <string>
        Specify the organizational unit (for example, the department).
    org <string>
        Specify the organization name (for example, the company).
    locality <string>
        Specify the city.
    email <email addr>
        Specify an email address of the contact person.
    country <string>
        Specify the country (two-letter code only).
    common-name <string>
        Specify the hostname of the peer.
    key-size <512 | 1024 | 2048>
        Specify the key size in bits (for example, 512, 1024, 2048).
secure-peering scep on-demand start
    (no parameter)
        Starts an on-demand enrollment (in the background by default).
    foreground
        Starts an on-demand enrollment in the foreground.
secure-peering scep passphrase
    <pass phrase>
        Specify the challenge password phrase.
secure-peering scep poll-frequency
    <minutes>
        Specify the poll frequency in minutes. The default value is 5.
secure-peering scep trust
    peering-ca <peer ca>
        Specify the name of the existing peering CA.
secure-peering scep url
    <url>
        Specify the URL of the SCEP responder. Use the following format: http://host[:port/path/to/service].
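As an added illustration (not SteelHead code or output), the following Python models the poll-frequency, max-num-polls and exp-threshold rules documented in the table above, so the worst-case wait before an enrollment is cancelled and the point at which automatic reenrollment is scheduled can be worked out from the configured values; the responder answers it consumes are constructed.

```python
from datetime import date, timedelta

# Hypothetical model (not SteelHead code) of the polling and expiry-threshold
# rules the command table documents, for reasoning about the settings.


def run_enrollment(responses, max_num_polls=5, poll_frequency=5):
    """Simulate one enrollment against a scripted SCEP responder.

    `responses` lists the server's answers ("pending", "success" or "fail")
    to the initial request and to each later poll (constructed input).
    Defaults match the page: max-num-polls 5, poll-frequency 5 minutes.
    Returns (outcome, certificate_modified, minutes_elapsed).
    """
    polls = 0
    elapsed = 0
    for answer in responses:
        if answer == "success":
            return "success", True, elapsed
        if answer == "fail":
            # A fail response ends the attempt; the SteelHead does not poll.
            return "fail", False, elapsed
        # "pending": poll again only while the poll budget lasts.
        if polls >= max_num_polls:
            break
        polls += 1
        elapsed += poll_frequency
    # Budget exhausted (or responder went silent): enrollment is cancelled and
    # the existing peering certificate is left unmodified.
    return "cancelled", False, elapsed


def reenroll_due(not_after, today, exp_threshold):
    """True once the certificate (notAfter as an ISO date string) is within
    exp-threshold days of expiry, i.e. when automatic reenrollment is scheduled."""
    expiry = date.fromisoformat(not_after)
    return date.fromisoformat(today) >= expiry - timedelta(days=exp_threshold)


if __name__ == "__main__":
    # Settings from the on-demand example: poll-frequency 10, max-num-polls 6.
    # A responder that never leaves "pending" is given up on after 60 minutes.
    print(run_enrollment(["pending"] * 7, max_num_polls=6, poll_frequency=10))
    # exp-threshold 30 from the automatic reenrollment example.
    print(reenroll_due("2025-12-31", "2025-12-01", exp_threshold=30))
```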
Configuring On-Demand Enrollment
The following example configures the most common on-demand enrollment SCEP settings.
You can only perform one enrollment of a certificate at a time. You must stop enrollment before you begin the enrollment process for another certificate.
To configure on-demand enrollment of certificates
To configure SCEP settings, connect to the SteelHead CLI and enter the following commands:
enable
configure terminal
secure-peering scep url http://host[:port/path/to/service]
secure-peering scep trust peering-ca <name-of-a-peering-CA>
secure-peering scep poll-frequency 10
secure-peering scep max-num-polls 6
secure-peering scep passphrase "device unique passphrase"
To perform an on-demand enrollment, you must first generate a new private key and Certificate Signing Request (CSR). At the system prompt, enter the command:
secure-peering scep on-demand gen-key-and-csr rsa key-size 1024 country us org mycompany org-unit engineering
To display the CSR (including the fingerprint), at the system prompt enter the command:
show secure-peering scep on-demand csr
To start an on-demand enrollment, at the system prompt enter the command:
secure-peering scep on-demand start
To view current status and the result of the last attempt (since boot), at the system prompt enter the following commands:
show secure-peering scep enrollment status
show secure-peering scep on-demand last-result
To stop enrollment, at the system prompt enter the following commands:
secure-peering scep on-demand cancel
show secure-peering scep on-demand last-result
You must stop enrollment before you can begin the enrollment process for another certificate.
Configuring Automatic Reenrollment
The following example configures the most common automatic reenrollment SCEP settings.
To configure automatic reenrollment of certificates
To configure SCEP settings, connect to the SteelHead CLI and enter the following commands:
enable
configure terminal
secure-peering scep url http://entrust-connector/cgi-bin/pkiclient.exe
secure-peering scep trust peering-ca <name-of-a-peering-CA>
secure-peering scep poll-frequency 10
secure-peering scep max-num-polls 6
secure-peering scep passphrase "device unique passphrase"
To configure automatic reenrollment, at the system prompt enter the following commands:
secure-peering scep auto-reenroll exp-threshold 30
secure-peering scep auto-reenroll enable
To view current automatic reenrollment settings, at the system prompt enter the following commands:
show secure-peering scep auto-reenroll csr
show secure-peering scep auto-reenroll last-result
Viewing SCEP Settings and Alarms
This section describes how to view SCEP settings and alarms.
The following table summarizes the commands for SCEP settings.
show secure-peering scep
    None
        Displays SCEP information.
show secure-peering scep auto-reenroll
    csr
        Displays the automatic reenrollment CSR.
    last-result
        Displays the result of the last completed automatic reenrollment.
show secure-peering scep ca
    <ca name> certificate
        Displays a specified SCEP peering CA certificate.
show secure-peering scep enrollment status
    None
        Displays enrollment status information.
show secure-peering scep on-demand
    csr
        Displays on-demand enrollment information.
    last-result
        Displays the result of the last completed on-demand enrollment.
A SCEP alarm is triggered when the SteelHead requests that a SCEP server dynamically reenroll an SSL peering certificate and the request fails. The SteelHead uses SCEP to dynamically reenroll a peering certificate so that it is signed by a certificate authority. The alarm clears automatically when the next automatic reenrollment succeeds.
To view SCEP alarm status
Connect to the SteelHead CLI and enter enable mode.
Enter the following command:
show stats alarm ssl_peer_scep_auto_reenroll
Alarm ssl_peer_scep_auto_reenroll:
Enabled: yes
Alarm state: ok
Rising error threshold: no
Rising clear threshold: no
Falling error threshold: no
Falling clear threshold: no
Rate limit bucket counts: { 5, 20, 50 }
Rate limit bucket windows: { 3600, 86400, 604800 }
Last checked at: 2009/07/30 17:43:07
Last checked value: true
Last event at:
Last rising error at:
Last rising clear at:
Last falling error at:
Last falling clear at:
To clear the SCEP alarm
Connect to the SteelHead CLI and enter configuration mode.
Enter the following command:
secure-peering scep auto-reenroll last-result clear-alarm