Scep enrollment using EJBCA in mac endpoints

[mostwanted5]

Hi Team,

I have been using the EJBCA Community Edition and have been experimenting with its settings and certificate generation. I am currently working on implementing the EAP-TLS authentication method in our Wi-Fi environment. To achieve this, I have set up a RADIUS server using FreeRADIUS. I am now exploring options to automatically generate certificates for my macOS machines using SCEP. My question is, is it possible to implement this using the EJBCA PKI? Could you guys please help me with this?

[primetomas]

Yes you can use SCEP for MacOS machines.
You can find a lot of documentation on SCEP here: https://doc.primekey.com/ejbca/ejbca-operations/ejbca-ca-concept-guide/protocols/scep

[mostwanted5]

Hi @primetomas,
I studied the documentation and created a SCEP profile on macOS. However, when I try to install it, there is an error stating that it couldn't connect to the URL. Can you help me identify and resolve the issue?

[primetomas]

Only if there are obvious error messages you can post here.
I don't own a Mac myself.

[mostwanted5]

HI @primetomas,
Thank you for responding,

This is what I've done:

1. First, I configured the SCEP alias in the GUI.
2. Created a SCEP payload using the server link http://host:PORT/ejbca/publicweb/apply/scep/pkiclient.exe.
3. When I tried to install the profile, it showed "Unable to contact the SCEP server."

Are these steps correct? Is there anything else that needs to be done to configure SCEP?

[primetomas]

The URL there looks broken. Port 443 is for HTTPS, and it is used for plain http. Since SCEP don't need https, I think the url should be just http://192.168.12.209/ejbca/

[mostwanted5]

@primetomas

The same error still persists. When I attempted this on the web, I received the error message: "Got request missing parameters; Parameters 'operation' and 'message' must be supplied.

this is the log I'm getting when installing the scep profile;

{"log":"2023-11-15 15:42:06,783+0000 INFO [org.ejbca.ui.web.protocol.ScepServlet] (default task-6) Received a SCEP message from 192.168.17.2.\r\n","stream":"stdout","time":"2023-11-15T15:42:06.784335256Z"}
{"log":"2023-11-15 15:42:06,799+0000 INFO [org.ejbca.ui.web.protocol.ScepServlet] (default task-6) SCEP cert request for unknown CA ''.: The SCEP alias new is in CA mode, the message parameter in the GET request is empty, and no default CA has been defined for SCEP. Either switch to RA mode, provide the name of the CA in the message, or specify the default CA using the scep.defaultca property.\r\n","stream":"stdout","time":"2023-11-15T15:42:06.799978919Z"}
{"log":"2023-11-15 15:42:06,951+0000 INFO [org.ejbca.ui.web.protocol.ScepServlet] (default task-6) Received a SCEP message from 192.168.12.2.\r\n","stream":"stdout","time":"2023-11-15T15:42:06.951950428Z"}
{"log":"2023-11-15 15:42:06,954+0000 INFO [org.ejbca.ui.web.protocol.ScepServlet] (default task-6) SCEP cert request for unknown CA ''.: The SCEP alias new is in CA mode, the message parameter in the GET request is empty, and no default CA has been defined for SCEP. Either switch to RA mode, provide the name of the CA in the message, or specify the default CA using the scep.defaultca property.\r\n","stream":"stdout","time":"2023-11-15T15:42:06.954578585Z"}
{"log":"2023-11-15 15:42:07,073+0000 INFO [org.ejbca.ui.web.protocol.ScepServlet] (default task-6) Received a SCEP message from 192.168.17.2.\r\n","stream":"stdout","time":"2023-11-15T15:42:07.074787289Z"}
{"log":"2023-11-15 15:42:07,081+0000 INFO [org.cesecore.certificates.ca.CaSessionBean] (default task-6) CA with name RetryCAIdent does not exist.\r\n","stream":"stdout","time":"2023-11-15T15:42:07.082913829Z"}
{"log":"2023-11-15 15:42:07,083+0000 INFO [org.ejbca.ui.web.protocol.ScepServlet] (default task-6) SCEP GetCACert request for unknown CA 'RetryCAIdent'.\r\n","stream":"stdout","time":"2023-11-15T15:42:07.083722299Z"}

[primetomas]

If you read the message;
SCEP cert request for unknown CA ''.: The SCEP alias new is in CA mode, the message parameter in the GET request is empty, and no default CA has been defined for SCEP. Either switch to RA mode, provide the name of the CA in the message, or specify the default CA using the scep.defaultca

While I'm not familiar with Mac setting. There should be a way to specifiy the CA Identifier it should use for enrollment. Then it should pass that parameter.

A fallback solution is to set "scep.defaultca" to a CA name in conf/ejbca.properties. This is one value which is not configurable in the UI, must be because it has not been needed. And MaxOS's have been enrolled before, so it should be a setting in the SCEP profile.

[primetomas]

In an old iOS configuration guide I have there is a "Name" fields, CA-IDENT, where you should put the name of the CA to enroll against.

[mostwanted5]

@primetomas
Yes, I changed the configuration of ejbca by adding the default.ca and included the name of the CA in the SCEP payload on my Mac. However, I am encountering another issue stating that "no password in request and the "user does not exist". Upon inspection in the interface, I observed that there is no option to create a user in CA mode. This feature is only available for enterprise mode.

{"log":"2023-11-17 07:32:42,255+0000 INFO [org.ejbca.ui.web.protocol.ScepServlet] (default task-1) Received a SCEP message from 192.168.20.23.\r\n","stream":"stdout","time":"2023-11-17T07:32:42.255900226Z"}
{"log":"2023-11-17 07:32:42,329+0000 INFO [org.ejbca.ui.web.protocol.ScepServlet] (default task-1) Received a SCEP message from 192.168.20.23.\r\n","stream":"stdout","time":"2023-11-17T07:32:42.330139005Z"}
{"log":"2023-11-17 07:32:42,332+0000 INFO [org.ejbca.ui.web.protocol.ScepServlet] (default task-1) Sent a SCEP GetCACert response to 192.168.20.23.\r\n","stream":"stdout","time":"2023-11-17T07:32:42.33272335Z"}
{"log":"2023-11-17 07:32:43,953+0000 INFO [org.ejbca.ui.web.protocol.ScepServlet] (default task-1) Received a SCEP message from 192.168.20.23.\r\n","stream":"stdout","time":"2023-11-17T07:32:43.954195621Z"}
{"log":"2023-11-17 07:32:44,019+0000 INFO [org.ejbca.ui.web.protocol.ScepServlet] (default task-1) Error processing SCEP request.: org.cesecore.certificates.ca.SignRequestException: No password in request.\r\n","stream":"stdout","time":"2023-11-17T07:32:44.021689044Z"}

[primetomas]

The work-flow of CA mode is that you add an end entity in EJBCA, where the request then is matched to this end entity from the CN (or how you configure your SCEP alias). This is for security reasons, as these devices that enroll are untruster, you can not allow then to create certiifcates with their own requested content. Therefor you (as an admin) specify the content in the end entity that you pre-register.
There should be a "challenge" field in the SCEP profile were you define the enrollment code (password) of the end entity you create. This authenticates the request, and works (by default) as a one-time enrollment code so that no other device can enroll for the same end entity.