SCEP Server¶
Communication with your SCEP clients requires deploying a CGI wrapper script on your web server. The script parses the HTTP-related parts of each request, hands the SCEP payload to the OpenXPKI daemon, and returns the daemon's answer to the client.
Decommission and Upgrade Notice¶
With v3.26 the old SCEP wrappers based on a dedicated service layer are no longer supported. You need to remove the service related items from system.server.service and system.crypto.tokenapi, and point the /scep alias rules in the Apache wrapper to the scepv3.fcgi script. You also need to update the wrapper configurations in the /etc/openxpki/scep folder and the workflow configurations in the realms.
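As an added example (not the Apache configuration shipped by OpenXPKI), an alias rule rewritten as the notice requires can look like the following. The script location /usr/lib/cgi-bin/scepv3.fcgi is an assumption; use the path the package actually installed the script to.

```apache
# Added example, not the shipped OpenXPKI Apache config.
# Assumed: the package installed scepv3.fcgi into /usr/lib/cgi-bin.
# Everything below /scep (e.g. /scep/default) is handed to the v3 wrapper.
ScriptAlias /scep /usr/lib/cgi-bin/scepv3.fcgi
<Directory "/usr/lib/cgi-bin">
    Require all granted
</Directory>
```

After reloading Apache, request http://host/scep?operation=GetCACaps and confirm the answer comes from the v3 wrapper, not from a leftover alias to the old script.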
Wrapper Configuration¶
The default wrapper looks for its config file at /etc/openxpki/scep/default.conf.
The config uses plain ini format; a default is deployed by the package:
[global]
# Unix domain socket of the OpenXPKI server daemon
socket=/var/openxpki/openxpki.socket
# PKI realm the requests are handed to
realm=democa
# name of the SCEP server configuration inside that realm
servername=generic
[logger]
# A loglevel of DEBUG MIGHT disclose sensitive user input data
# A loglevel of TRACE WILL dump any communication unfiltered
log_level = INFO
[auth]
# authentication stack the wrapper uses when it connects to the daemon
stack=_System
# OpenXPKI supports mapping additional URL Parameters to the workflow
# Those must be whitelisted here for security reasons
[PKIOperation]
param = signature
Config Path Expansion¶
Config path expansion is supported by the SCEP wrapper; the service name is scep. See the common wrapper documentation (Wrapper Configuration) for details.
Caveats¶
The SCEP standard is not precise about the use of HTTP/1.1 features. We have seen many clients that send plain HTTP/1.0 requests without a Host header, which is incompatible with name-based virtual hosting: such a request is served by the web server's default virtual host, not by the host carrying the /scep alias. If you must support such clients, serve SCEP from the default virtual host or give it its own IP address or port.
Please do NOT use SCEP over HTTPS: SCEP messages are signed and encrypted at the application layer (PKCS#7), so the transport needs no additional protection, and many clients cannot validate a TLS server certificate before they have been enrolled.
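The following is an added example, not part of OpenXPKI, that makes the virtual-hosting caveat testable. scep_probe() sends a raw GetCACert request either as HTTP/1.0 without a Host header (what the clients mentioned above do) or as HTTP/1.1 with one, and reports the media type of the answer; check_vhost_compat() compares the two. The SCEP virtual host name pki.example.com and the /scep path are assumptions, and the bundled server is a constructed stand-in for a name-based virtual host setup so the check can run offline; against a real deployment you point scep_probe() at your web server instead.

```python
"""Check how an SCEP URL behaves for an HTTP/1.0 request without a Host
header versus a normal HTTP/1.1 request. Added example; not part of OpenXPKI."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SCEP_VHOST = "pki.example.com"               # assumed name of the SCEP virtual host
CA_CERT_TYPE = "application/x-x509-ca-cert"  # GetCACert answer for a single CA cert


def scep_probe(host, port, path, http_version="1.1", send_host=True,
               server_name=SCEP_VHOST):
    """Send a raw GetCACert request and return (status code, media type)."""
    lines = [f"GET {path}?operation=GetCACert HTTP/{http_version}"]
    if send_host:
        lines.append(f"Host: {server_name}")
    lines.append("Connection: close")
    request = ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(request)
        data = b""
        while chunk := sock.recv(4096):
            data += chunk
    head = data.partition(b"\r\n\r\n")[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    media_type = ""
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-type":
            media_type = value.strip().split(";")[0].strip()
    return status, media_type


def check_vhost_compat(host, port, path="/scep"):
    """Compare a Host-less HTTP/1.0 probe with an HTTP/1.1 probe.
    'ok' is True only when both reach the SCEP wrapper."""
    _, legacy = scep_probe(host, port, path, "1.0", send_host=False)
    _, modern = scep_probe(host, port, path, "1.1", send_host=True)
    return {"http10_no_host": legacy, "http11": modern,
            "ok": legacy == CA_CERT_TYPE and modern == CA_CERT_TYPE}


class _NameBasedVHosts(BaseHTTPRequestHandler):
    """Constructed stand-in for a web server with name-based virtual hosts:
    only requests naming SCEP_VHOST reach the (simulated) SCEP wrapper; any
    other request, including a Host-less HTTP/1.0 one, gets the default site."""
    protocol_version = "HTTP/1.1"

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        if host == SCEP_VHOST and "operation=GetCACert" in self.path:
            body, ctype = b"\x30\x82\x00\x00", CA_CERT_TYPE  # constructed DER stub
        else:
            body, ctype = b"<html>default site</html>", "text/html"
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo server quiet
        pass


def start_demo_server():
    """Start the constructed vhost server on a free loopback port; return the port."""
    server = HTTPServer(("127.0.0.1", 0), _NameBasedVHosts)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]


if __name__ == "__main__":
    demo_port = start_demo_server()
    print(check_vhost_compat("127.0.0.1", demo_port))
```

Probing the demo server shows the HTTP/1.1 request answered with application/x-x509-ca-cert while the Host-less HTTP/1.0 request gets the default site's HTML. Sending the same HTTP/1.0 request with a Host header reaches the wrapper, which is the point of the caveat: it is the missing Host header, not the protocol version, that name-based virtual hosting cannot cope with.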