The communication with your scep clients requires the deployment of a cgi wrapper script with your webserver. The script will parse the HTTP related parts and pass the data to the openxpki daemon and vice versa.
Decommission and Upgrade Notice¶
With v3.26 the old SCEP wrappers based on a dedicated service layer are
no longer supported. You need to remove the service related items from
system.crypto.tokenapi and point the
/scep alias rules in the apache wrapper to the
You also need to update the wrapper configurations in the
/etc/openxpki/scep folder and the workflow configurations in the
The default wrapper looks for its config file at
The config uses plain ini format, a default is deployed by the package:
[global] socket=/var/openxpki/openxpki.socket realm=democa servername=generic [logger] # A loglevel of DEBUG MIGHT disclose sensitive user input data # A loglevel of TRACE WILL dump any communication unfiltered log_level = INFO [auth] stack=_System # OpenXPKI supports mapping additional URL Parameters to the workflow # Those must be whitelisted here for security reasons [PKIOperation] param = signature
The scep standard is not exact about the use of HTTP/1.1 features. We saw a lot of clients which where sending plain HTTP/1.0 requests which is not compatible with name based virtual hosting!
Please do NOT use SCEP over HTTPS, SCEP transport is protected on the application layer by default.