Configuring SCEP
To perform client certificate enrollments using the SCEP protocol, the admin or a privileged user must first set up the SCEP server agent in the AppViewX portal. After the SCEP server agent is set up successfully through the portal, a URL is generated. Clients can then use this URL to send enrollment requests to AppViewX via SCEP.
The detailed steps for setting up the SCEP server agent are listed below:
- Log in to the AppViewX application with admin or privileged user credentials.
- Click the menu button located in the upper left corner of the screen.
The left navigation pane appears.
- Navigate to CERT+ > ADMINISTRATION > Auto Enrollment > SCEP.
- Select Add or Configure Now.
- Configure the End Point Details as follows:
Prerequisites for entering the IP/FQDN field:
- The "Cloud Connector Name" (in the Add Cloud connector page) must be the same as the FQDN name entered.
- The CC should have the reachability to the Endpoint.
- If entering the IP, ensure that a single cloud connector is used.
The following table provides the field description for the Agent Details section:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| Name | Text | Yes | A unique name to identify the agent setting. | No special characters other than ‘.’, ‘-’, ‘_’ are allowed. The name should not start with special characters. |
| IP/FQDN | Text | Yes | Enter the FQDN/IP address of the AppViewX cloud connector. | Invalid FQDN/IP address (example: xxx.xxx.xxx.xxx) |
| Port | Text | Yes | HTTP gateway port of the AppViewX node. | Port will accept only numerical values between 0 to 65535. |
| Challenge Password | Text | No | A challenge token to be used while enrolling certificates. | NA |

- Configure the CA Accounts details as follows:
The following table provides the field description for the CA Accounts section. The following fields are displayed as per the selected CA:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| Certificate Group | Select | Yes | Select a specific group under which the certificate needs to be enrolled. | NA |
| Certificate Category | Select | Yes | Select a specific certificate type (Server / Client) to be enrolled. | NA |
| Select CA | Select | Yes | Select the required CA from the available options. The certificate will be enrolled under the selected CA. The CAs associated with the Default certificate group are: AppViewX, Google, Ejbca, AppViewX PKIaaS, Microsoft Enterprise, Entrust MPKI, Entrust, Amazon Private CA, DigiCert, DigiCert MPKI, Nexus, Globalsign MSSL. Note: The Vendor Specific Details section is displayed after the CA Accounts section only if Ejbca, Microsoft Enterprise, Entrust MPKI, or DigiCert is selected as the CA. | NA |
| CA Account | Select | Yes | Select a specific CA Account from the selected CA which is to be used for certificate creation operations. | NA |
| Registration Authority Certificate | Select | Yes | Add the chosen CA’s issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search for the required certificate in the AppViewX server inventory by typing the exact common name or serial number. | NA |
| CA Connector Name | Text | Yes | Name of the CA connector after the certificate is enrolled. | NA |
| Certificate Validity | Text | Yes | Validity of the certificate to be enrolled. | Certificate validity accepts only numerical values. |

- When AppViewX is selected as CA:
The following table provides the field description for AppViewX CA:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| CA Account | Dropdown | Yes | Select the specific CA Account associated with the selected CA to be used for certificate creation operations. | NA |
| Certificate Profile | Dropdown | Yes | Select the certificate profile. | NA |
| Registration Authority Certificate | Browse | Yes | Add the chosen CA-issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search for the required certificate in the AppViewX server inventory by typing the exact common name or serial number. | NA |
| CA Connector Name | Text | Yes | Name of the CA connector after the certificate is enrolled. Based on this value, the CA connector name on the holistic view will be shown for all certificates issued through this SCEP agent. | NA |
| Certificate Validity | Text | Yes | Validity of the certificate (in days) to be enrolled. This value applies to all certificates issued through the SCEP agent. | Certificate validity accepts only numerical values. |

- When Google is selected as CA:
The following table provides the field description for Google CA:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| CA Account | Dropdown | Yes | Select the specific CA Account associated with the selected CA to be used for certificate creation operations. | NA |
| Issuer Location | Dropdown | Yes | Select the issuer location associated with the CA account. | NA |
| Pool Name | Dropdown | Yes | Select a pool name to issue the certificate. | NA |
| Issuer Name | Dropdown | Yes | Select an issuer name to issue the certificate. | NA |
| Registration Authority Certificate | Browse | Yes | Add the chosen CA-issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search for the required certificate in the AppViewX server inventory by typing the exact common name or serial number. | NA |
| CA Connector Name | Text | Yes | Name of the CA connector after the certificate is enrolled. Based on this value, the CA connector name on the holistic view will be shown for all certificates issued through this SCEP agent. | NA |
| Certificate Validity | Text | Yes | Validity of the certificate (in days) to be enrolled. This value applies to all certificates issued through the SCEP agent. | Certificate validity accepts only numerical values. |

- When Ejbca is selected as CA:
The following table provides the field description for Ejbca CA:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| CA Account | Dropdown | Yes | Select the specific CA Account associated with the selected CA to be used for certificate creation operations. | NA |
| Registration Authority Certificate | Browse | Yes | Add the chosen CA-issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search for the required certificate in the AppViewX server inventory by typing the exact common name or serial number. | NA |
| CA Connector Name | Text | Yes | Name of the CA connector after the certificate is enrolled. Based on this value, the CA connector name on the holistic view will be shown for all certificates issued through this SCEP agent. | NA |
| Certificate Validity | Text | Yes | Validity of the certificate (in days) to be enrolled. This value applies to all certificates issued through the SCEP agent. | Certificate validity accepts only numerical values. |

If the selected CA is Ejbca, a separate section Vendor specific details is displayed after the CA Accounts section.
The following table provides the field description for Vendor specific details:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| End Entity Profile Name | Dropdown | Yes | Select a profile of an end entity. | NA |
| End entity user name | Text | No | Enter the user name for the end entity. | Alphanumeric characters, spaces, and the special characters -_.* are allowed. |
| Issuer Common Name | Dropdown | Yes | Select a common name of an issuer. | NA |
| Certificate Profile Name | Dropdown | Yes | Select a profile name of certificate. | NA |

- When AppViewX PKIaaS is selected as CA:
The following table provides the field description for AppViewX PKIaaS CA:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| CA Account | Dropdown | Yes | Select the specific CA Account associated with the selected CA to be used for certificate creation operations. | NA |
| Issuer Location | Dropdown | Yes | Select the issuer location associated with the CA account. | NA |
| Pool Name | Dropdown | Yes | Select a pool name to issue the certificate. | NA |
| Issuer Name | Dropdown | Yes | Select an issuer name to issue the certificate. | NA |
| Registration Authority Certificate | Browse | Yes | Add the chosen CA-issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search for the required certificate in the AppViewX server inventory by typing the exact common name or serial number. | NA |
| CA Connector Name | Text | Yes | Name of the CA connector after the certificate is enrolled. | No special characters are allowed. Only alphanumeric and space are allowed. |
| Certificate Validity | Text | Yes | Validity of the certificate to be enrolled. | Certificate validity accepts only numerical values. |

- When Microsoft Enterprise is selected as CA:
The following table provides the field description for Microsoft Enterprise CA:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| CA Account | Dropdown | Yes | Select the specific CA Account associated with the selected CA to be used for certificate creation operations. | NA |
| Registration Authority Certificate | Browse | Yes | Add the chosen CA-issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search for the required certificate in the AppViewX server inventory by typing the exact common name or serial number. | NA |
| CA Connector Name | Text | Yes | Name of the CA connector after the certificate is enrolled. Based on this value, the CA connector name on the holistic view will be shown for all certificates issued through this SCEP agent. | NA |
| Certificate Validity | Text | Yes | Validity of the certificate (in days) to be enrolled. This value applies to all certificates issued through the SCEP agent. | Certificate validity accepts only numerical values. |

If the selected CA is Microsoft Enterprise, a separate section Vendor specific details is displayed after the CA Accounts section.
Select a template from the dropdown list.
- When Entrust MPKI is selected as CA:
The following table provides the field description for Entrust MPKI CA:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| CA Account | Dropdown | Yes | Select the specific CA Account associated with the selected CA to be used for certificate creation operations. | NA |
| Registration Authority Certificate | Browse | Yes | Add the chosen CA-issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search for the required certificate in the AppViewX server inventory by typing the exact common name or serial number. | NA |
| CA Connector Name | Text | Yes | Name of the CA connector after the certificate is enrolled. Based on this value, the CA connector name on the holistic view will be shown for all certificates issued through this SCEP agent. | NA |
| Certificate Validity | Text | Yes | Validity of the certificate (in days) to be enrolled. This value applies to all certificates issued through the SCEP agent. | Certificate validity accepts only numerical values. |

If the selected CA is Entrust MPKI, a separate section Vendor specific details is displayed after the CA Accounts section.

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| CA Name | Dropdown | Yes | Select a CA name from the dropdown list. | NA |
| Cert Profiles | Dropdown | Yes | Select a cert profile from the dropdown list. | NA |

- When Amazon Private CA is selected as CA:

The following table provides the field description for Amazon Private CA:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| CA Account | Dropdown | Yes | Select a specific CA Account from the selected CA which is to be used for certificate creation operations. | NA |
| Region | Dropdown | Yes | Select a valid region associated with the CA account. The dropdown is populated with the first available value. Select an appropriate value as required. | NA |
| Issuer | Dropdown | Yes | Select a valid issuer associated with the CA account. The dropdown is populated with the first available value. Select an appropriate value as required. | NA |
| Signature Algorithm | Dropdown | Yes | Select a valid issuer associated with the CA account. The dropdown is populated with the first available value from the group's associated policy. Select an appropriate value as required. | NA |
| Registration Authority Certificate | Browse | Yes | Add the chosen CA-issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search for the required certificate in the AppViewX server inventory by typing the exact common name or serial number. | NA |
| CA Connector Name | Text | Yes | Name of the CA connector after the certificate is enrolled. | NA |
| Certificate Validity | Dropdown | Yes | Validity of the certificate to be enrolled (in years). | Certificate validity accepts only numerical values. |

- When DigiCert CA is selected as CA:
The following table provides the field description for DigiCert CA:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| CA Account | Dropdown | Yes | Select a specific CA Account from the selected CA which is to be used for certificate creation operations. | NA |
| Division | Dropdown | Yes | Select a division associated with the CA account. The dropdown is populated with the first available value. Select an appropriate value as required. | NA |
| Certificate Type | Dropdown | Yes | Select a valid cert type associated with the CA account. The dropdown is populated with the first available value. Select an appropriate value as required. | NA |
| Registration Authority Certificate | Browse | Yes | Add the chosen CA-issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search for the required certificate in the AppViewX server inventory by typing the exact common name or serial number. | NA |
| CA Connector Name | Text | Yes | Name of the CA connector after the certificate is enrolled. | NA |
| Certificate Validity | Dropdown | Yes | Validity of the certificate to be enrolled (in days/months/years). | Certificate validity accepts only numerical values. |

- If Select CA = DigiCert and Certificate Type = Server, a separate section Vendor Specific Details is displayed after the CA Accounts section with two fields.
- If Select CA = DigiCert and Certificate Type = Client, a separate section Vendor Specific Details is displayed after the CA Accounts section with one field.

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| Server Type | Dropdown | Yes | Select a server type. The dropdown is populated with the first available value. Select an appropriate value as required. | NA |
| Payment Method | Dropdown | Yes | Select a payment method. The possible options are: 1. Bill To Account Balance - Pay with the account balance. Returns an error if this option is disabled for the account or if the account has insufficient funds. 2. Bill To Default Credit Card - Pay with the account's default credit card. Returns an error if no default credit card is configured for the account. | Alphanumeric characters, spaces, and the special characters -_.* are allowed. |

- When Entrust is selected as CA:

The following table provides the field description for Entrust CA:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| CA Account | Dropdown | Yes | Select a specific CA Account from the selected CA which is to be used for certificate creation operations. | NA |
| Certificate Type | Dropdown | Yes | Select a valid cert type associated with the CA account. If the Certificate Category radio button is set to Server, the dropdown is populated with the first available value; select an appropriate value as required. If the Certificate Category radio button is set to Client, the dropdown is populated with ‘None’ as the default value. | NA |
| Registration Authority Certificate | Browse | Yes | Add the chosen CA-issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search for the required certificate in the AppViewX server inventory by typing the exact common name or serial number. | NA |
| CA Connector Name | Text | Yes | Name of the CA connector after the certificate is enrolled. | NA |
| Certificate Validity | Dropdown | Yes | Validity of the certificate to be enrolled (in days/months/years). | Certificate validity accepts only numerical values. |

If the selected CA is Entrust, a separate section displaying Vendor specific details and Custom Attributes is displayed after the CA Accounts section.
Note: Based on the Entrust ECS account configuration, the Custom Attributes section may also be displayed as shown above.

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| Additional Emails | Text | No | Enter the valid email address in the field. | NA |
| Demo | Text | No | Enter the demo details. | NA |
| Certificate type | Text | No | Enter a valid certificate type. | NA |
| Tracking id | Text | No | Enter the tracking id. | NA |

- When DigiCert MPKI is selected as CA:
The following table provides the field description for DigiCert MPKI:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| CA Account | Dropdown | Yes | Select a specific CA Account from the selected CA which is to be used for certificate creation operations. | NA |
| Profiles | Dropdown | Yes | Select a profile from the dropdown option. | NA |
| Registration Authority Certificate | Browse | Yes | Add the chosen CA-issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search for the required certificate in the AppViewX server inventory by typing the exact common name or serial number. | NA |
| CA Connector Name | Text | Yes | Name of the CA connector after the certificate is enrolled. | NA |

The Custom Attributes section is displayed on selecting the specific values from the Profile dropdown:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| common_name | Text | Yes | This field will be auto-populated from the CSR. | NA |
| dnsName | Text | Yes | Enter a valid DNS name. | NA |

Note: Based on the DigiCert MPKI account configuration, the Custom Attributes section may also be displayed on the endpoint configuration page.
- When Nexus is selected as CA:
The following table provides the field description for Nexus CA:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| CA Account | Select | Yes | Select a specific CA Account from the selected CA which is to be used for certificate creation operations. | NA |
| Registration Authority Certificate | Select | Yes | Add the chosen CA’s issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search for the required certificate in the AppViewX server inventory by typing the exact common name or serial number. | NA |
| CA Connector Name | Select | Yes | Name of the CA connector after the certificate is enrolled. | NA |
| Certificate Validity | Select | Yes | Validity of the certificate to be enrolled (in days/months/years). | Certificate validity accepts only numerical values. |

The following field is displayed in the Vendor Specific Details section as per the selected CA:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| Procedure | Dropdown | Yes | Select the Procedure based on the configurations made in the Certificate Authority Setting. | NA |

- When GlobalSignMSSL is selected as CA:
The following table provides the field description for GlobalSignMSSL CA:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| CA Account | Dropdown | Yes | Select a specific CA Account from the selected CA which is to be used for certificate creation operations. | NA |
| Product Type | Dropdown | Yes | Select the specific Product Type. The values are fetched from the CA Settings configuration. | NA |
| Registration Authority Certificate | Select | Yes | Add the chosen CA’s issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search for the required certificate in the AppViewX server inventory by typing the exact common name or serial number. | NA |
| CA Connector Name | Select | Yes | Name of the CA connector after the certificate is enrolled. | NA |
| Certificate Validity | Dropdown | Yes | Validity of the certificate to be enrolled (in days/months/years). | Certificate validity accepts only numerical values. |

The following field is displayed in the Vendor Specific Details section as per the selected CA:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| Profile | Dropdown | Yes | Select the Profile based on the configurations made in the Certificate Authority Setting. | NA |

The following fields are displayed in the Point of Contact section as per the selected CA. The CA mandates the point of contact information for traceability. All auto-enrollment requests via this endpoint will be registered with the point of contact information entered here.

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| First Name | Text | Yes | Enter the first name. | NA |
| Email Address | Text | Yes | Enter the valid email address. | NA |
| Phone Number | Text | Yes | Enter the valid phone number. | NA |

- Configure the Advanced Settings details as follows:
The following table provides the field description for the Advanced Settings section:

| Field Name | Field Type | Mandatory | Description | Validation |
|---|---|---|---|---|
| *Include Truststore Certificates | Radio button | Yes | Select whether the issuer certificate needs to be sent to client machines after enrollment. | |
| *Fetch Certificate Parameters | Radio button | Yes | Select Yes or No. Setting the radio button to Yes enables the system to automatically fetch certificate parameters from a Suggestive Policy and append them to the client CSRs. | |
| *Retry Count | Text | Yes | Values accepted between 5 - 99. Based on this value, the EST agent triggers that number of calls to collect the certificate from AppViewX until it is received. | |
| *Retry Frequency | Text | Yes | Values accepted between 10 - 99. The value specified in this field determines the interval between the trigger calls made by the EST agent. | |
| *Certificate Poll Type | Radio button | Yes | Select Issuer and Subject or Transaction ID. The client agent will use this field to poll the issued certificate from the agent to the subsystem certificate plugin. | |

- Click Save.
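
A pre-flight check for the End Point Details and Advanced Settings values, written as an added example (it is not AppViewX code): it applies the validation rules and the IP/FQDN prerequisites stated on this page before the values are typed into the portal. The dictionary keys, function names and sample host names are assumptions made for the example, and the warning for an empty challenge password is an added recommendation, not a portal rule.

```python
import ipaddress
import re

# Name: letters, digits, '.', '-', '_'; must not start with a special character.
# Assumption: spaces are treated as special characters.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")
# One DNS label: 1-63 chars, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_fqdn(value):
    labels = value.rstrip(".").split(".")
    return (len(value) <= 253 and len(labels) >= 2
            and all(LABEL_RE.match(label) for label in labels)
            and not labels[-1].isdigit())  # rejects malformed dotted quads


def in_range(value, low, high):
    text = str(value)
    return re.fullmatch(r"[0-9]+", text) is not None and low <= int(text) <= high


def check_scep_agent(cfg, cloud_connector_names):
    """Return (errors, warnings) as {field: message} dictionaries."""
    errors, warnings = {}, {}

    if not NAME_RE.match(cfg.get("name", "")):
        errors["name"] = "only '.', '-', '_' allowed, and not as first character"

    host = cfg.get("host", "")
    if is_ip(host):
        # Prerequisite: an IP may be entered only with a single cloud connector.
        if len(cloud_connector_names) != 1:
            errors["host"] = "IP entered, but not exactly one cloud connector"
    elif is_fqdn(host):
        # Prerequisite: the Cloud Connector Name must equal the FQDN entered.
        if host not in cloud_connector_names:
            errors["host"] = "FQDN does not match any Cloud Connector Name"
    else:
        errors["host"] = "invalid FQDN/IP address"

    if not in_range(cfg.get("port"), 0, 65535):
        errors["port"] = "numerical value between 0 and 65535 required"
    if not in_range(cfg.get("retry_count"), 5, 99):
        errors["retry_count"] = "value between 5 and 99 required"
    if not in_range(cfg.get("retry_frequency"), 10, 99):
        errors["retry_frequency"] = "value between 10 and 99 required"

    # The field is optional on the page; flagging it is an added recommendation.
    if not cfg.get("challenge_password"):
        warnings["challenge_password"] = "no challenge token set for enrollments"
    return errors, warnings
```
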