Simple Certificate Enrollment Protocol Module

Generate and issue certificates using the SCEP protocol.

What does it do?

This module implements a Simple Certificate Enrollment Protocol endpoint that is capable of signing and issuing certificates on behalf of a suitable client.

Based on configuration, parameters can be passed from the incoming certificate sign request embedded within the SCEP request, or explicit expressions, and a new certificate sign request with acceptable parameters is passed to suitably configured backend modules for request authorisation, certificate signing and issuing, and certificate storage.

The following SCEP operations are supported:

GetCACaps SCEP CA capabilities.
GetCACert Return the CA certificate and RA certificate for this CA.
GetNextCACert Return the next CA certificate that will be used for future signing.
PKIOperation PKCSReq Request a certificate via a certificate sign request.
PKIOperation CertPoll (GetCertInitial) Poll for a certificate that was previously requested.
PKIOperation GetCert Request a copy of a previously issued certificate.

This module can be configured to respond to SCEP client requests as implemented by iOS and MacOS.

Module Integration

The mod_scep module is a frontend module and will not do anything useful until mod_scep has been combined with one or more backend modules listed below. The mod_scep module uses the following hooks to authorise, sign/issue and store a certificate, and suitable backend modules must be configured to implement each hook as needed.

All frontend modules run within a standard Apache httpd request, and standard httpd functionality applies in all cases.

Request Authorization Hook

This optional hook allows you to verify the parameters included with the certificate sign request, such as the challenge password. If left unconfigured, all certificate requests will be accepted.

mod_ca_ldap Allows the certificate sign request to be verified against an LDAP directory.

Sign Request Hook

This hooks signs the certificate sign request and returns the issued certificate. The hook is mandatory, and the request will be rejected if left unconfigured.

mod_ca_disk Allows certificate sign requests to be saved to disk for later out of band processing. The response will redirect the caller to where the certificate can be collected.
mod_ca_engine Allows certificate sign requests to be signed by an HSM such as a smartcard.
mod_ca_simple Allows certificate sign requests to be signed by a certificate and key specified on disk.

Certificate Storage Hook

This optional hook allows the newly generated certificate to be stored locally or in a database or directory. If left unconfigured, no local copy of the certificate will be stored.

mod_ca_ldap Saves the newly issued PKCS7 certificate and chain to an LDAP directory.

Get Certificate Hook

This hook returns certificates that were requested previously and generated at a possibly later date or time.

mod_ca_disk Returns a certificate from a location on disk.

Get CA Certificate Hook

This hook returns CA certificates for the given CA.

mod_ca_engine Returns CA certificates that would sign certificate sign requests by an HSM such as a smartcard.
mod_ca_simple Returns CA certificates that would sign certificate sign requests by a certificate and key specified on disk.

Get Next CA Certificate Hook

This hook returns certificates that were requested previously and generated at a possibly later date or time.

mod_ca_engine Returns the upcoming next CA certificates that would sign certificate sign requests by an HSM such as a smartcard.
mod_ca_simple Returns the upcoming next CA certificates that would sign certificate sign requests by a certificate and key specified on disk.

Examples

Basic Example

The simplest case: issue a certificate to anybody who wants one.

                  
# backend configuration:
<IfModule mod_ca_simple.c>
  # sign with this certificate...
  CASimpleCertificate /etc/pki/tls/ca-cert.pem
  # ...and private key
  CASimpleKey /etc/pki/tls/ca-key.pem
  # use system clock as the time source
  CASimpleTime on
  # assign a random serial number
  CASimpleSerialRandom on
</IfModule>

# frontend configuration:
<IfModule mod_scep.c>
  <Location /scep>
    SetHandler scep
    # use subject from the certificate sign request unmodified
    ScepSubjectRequest *
  </Location>
</IfModule>

                

Logged In Example

A more typical scenario: issue a certificate to a logged in user.

In this example it is assumed that Apache configuration exists that authenticates a user against a database, directory, a token, or a previous certificate.

                  
# backend configuration:
<IfModule mod_ca_simple.c>
  # sign with this certificate...
  CASimpleCertificate /etc/pki/tls/ca-cert.pem
  # ...and private key
  CASimpleKey /etc/pki/tls/ca-key.pem
  # use system clock as the time source
  CASimpleTime on
  # assign a random serial number
  CASimpleSerialRandom on
</IfModule>

# frontend configuration:
<IfModule mod_scep.c>
  <Location /scep>
    SetHandler scep
    # standard Apache authorisation
    Require valid-user
    # set the common name to the logged in username
    ScepSubjectSet CN %{REMOTE_USER}
    # set a fixed OU field in the subject
    ScepSubjectSet OU "Terms and Conditions Apply"
  </Location>
</IfModule>

                

Handler Reference

The following parameters to the SetHandler directive are supported.

scep Handler

After calling the request authorization hook, the sign request hook, and the certificate storage hook, issue and return the certificate using the SCEP protocol.

SetHandler scep

Directive Reference

ScepCRLURL Directive

Description GetCRL will be redirected to this URL.
Syntax ScepCRLURL url
Default None
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_scep
Compatibility Introduced in mod_scep 0.2.0 and works with Apache HTTP Server 2.4.0 and later

If set, attempts at GetCRL will be redirected to this URL. GetCRL will be rejected with 400 Bad Request otherwise.

ScepFreshness Directive

Description The max-age of the certificates will be divided by this factor.
Syntax ScepFreshness factor [max-seconds]
Default ScepFreshness 2 86400
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_scep
Compatibility Introduced in mod_scep 0.2.0 and works with Apache HTTP Server 2.4.0 and later

The age of the certificates will be divided by this factor when added as a max-age, set to zero to disable. Defaults to "2". An optional maximum value can be specified, defaults to one day.

ScepLocation Directive

Description Set the URL location of the WADL returned by the OPTIONS method.
Syntax ScepLocation url
Default ScepLocation [current-URL]
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_scep
Compatibility Introduced in mod_scep 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Set the URL location of the WADL returned by the OPTIONS method.

ScepRACertificate Directive

Description Set to the name of the signing certificate.
Syntax ScepRACertificate filename
Default none
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_scep
Compatibility Introduced in mod_scep 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Set to the name of the signing certificate.

ScepRAKey Directive

Description Set to the name of the signing key.
Syntax ScepRAKey filename
Default none
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_scep
Compatibility Introduced in mod_scep 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Set to the name of the signing key.

ScepRANextCertificate Directive

Description Set to the name of the next RA signing certificate.
Syntax ScepRANextCertificate filename
Default none
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_scep
Compatibility Introduced in mod_scep 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Set to the name of the next RA signing certificate.

ScepSize Directive

Description Set to the maximum size of the SCEP request from the client.
Syntax ScepSize bytes
Default ScepSize 131072
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_scep
Compatibility Introduced in mod_scep 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Set to the maximum size of the SCEP request from the client. This value cannot be smaller than 4096 bytes.

ScepSubjectAltNameRequest Directive

Description Specify fields in the certificate request subject alternative name that will be copied over to the certificate.
Syntax ScepSubjectAltNameRequest field [number]
Default None
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_scep
Compatibility Introduced in mod_scep 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Specify fields in the certificate request subject alternative name that will be copied over to the certificate, with optional limit to the number of fields that may appear.

If a wildcard is used, all fields in the certificate request subject alternative name will be copied across unmodified.

Field names are limited to otherName, rfc822Name, dNSName, x400Address, directoryName, ediPartyName, uniformResourceIdentifier, iPAddress, or registeredID and are described in the Subjects and Subject Alternative Names section.

ScepSubjectAltNameSet Directive

Description Specify an expression that will be included in the certificate subject alternative name.
Syntax ScepSubjectAltNameSet field value
Default None
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_scep
Compatibility Introduced in mod_scep 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Specify an expression that will be included in the certificate subject alternative name.

Field names are limited to otherName, rfc822Name, dNSName, x400Address, directoryName, ediPartyName, uniformResourceIdentifier, iPAddress, or registeredID and are described in the Subjects and Subject Alternative Names section.

ScepSubjectRequest Directive

Description Specify fields in the certificate request subject that will be copied over to the certificate.
Syntax ScepSubjectRequest field [number]
Default ScepSubjectRequest field 1
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_scep
Compatibility Introduced in mod_scep 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Specify fields in the certificate request subject that will be copied over to the certificate, with optional limit to the number of fields that may appear.

If a wildcard is used, all fields in the certificate request subject alternative name will be copied across unmodified.

Subject handling is covered in detail in the Subjects and Subject Alternative Names section.

ScepSubjectSet Directive

Description Specify an expression that will be included in the certificate subject.
Syntax ScepSubjectSet field value
Default None
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_scep
Compatibility Introduced in mod_scep 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Specify an expression that will be included in the certificate subject. Subject attribute name is configured first, then the expression.

Subject handling is covered in detail in the Subjects and Subject Alternative Names section.