Sscep

SSCEP is a command line client for the SCEP protocol

README

SSCEP - Simple SCEP client for Unix

Copyright (c) Jarkko Turkulainen 2003. All rights reserved.

See the file COPYING for licensing information.

WHAT IS SSCEP?

SSCEP is a client-only implementation of SCEP (Cisco Systems' Simple Certificate Enrollment Protocol). SSCEP is designed for OpenBSD's isakmpd, but it will probably work on any Unix system with a recent compiler and the OpenSSL toolkit libraries installed.

WHAT IS SCEP?

(From the Cisco Systems White Paper):

SCEP is a PKI communication protocol which leverages existing technology by using PKCS#7 and PKCS#10. SCEP is the evolution of the enrollment protocol developed by Verisign, Inc. for Cisco Systems, Inc. It now enjoys wide support in both client and CA implementations.

The goal of SCEP is to support the secure issuance of certificates to network devices in a scalable manner, using existing technology whenever possible. The protocol supports the following operations:

  • CA and RA public key distribution
  • Certificate enrollment
  • Certificate and CRL query

Certificate and CRL access can be achieved by using the LDAP protocol, or by using the query messages defined in SCEP.

SSCEP FEATURES

Currently, SSCEP implements:

  • All of the SCEP operations using SCEP query messages
  • HTTP/1.1 queries via IPv4 or IPv6
  • Integration with OpenSSL cryptographic engines

There is no LDAP support, and there probably never will be (that's why it is simple).

SSCEP has been tested successfully against the following CA products:

  • OpenXPKI (getcaps, getca, enroll and automatic approval work)
  • OpenSCEP server (getca, enroll and getcrl work)*
  • Windows 2000 Server CA + Microsoft SCEP module (works)
  • SSH Certifier (getca and enroll work)
  • iPlanet CMS (getca and enroll work)*
  • VeriSign Onsite (getca and enroll work)**
  • Entrust VPN Connect (getca and enroll work)***
  • OpenCA (getca, enroll, getcrl and automatic approval work)

(*) by default, subjectAltName extensions are dropped from the certificate

(**) only DNS subjectAltName allowed (demo mode)

(***) the demo requires using /C=US/O=Entrust

HOW TO COMPILE

The program should compile on the following systems:

  • Linux
  • OpenBSD
  • AIX
  • Darwin (PowerPC, no universal binaries yet)
  • Tandem NonStop (Guardian), OSS environment, MIPS processor
  • z/OS (USS environment)
  • Solaris
  • Windows

In general, two build systems are supported:

  • GNU Autotools (autoconf, automake, libtool)
  • CMake

Prerequisites:

  • pkg-config
  • OpenSSL libcrypto library
    • sscep 0.3.0 - 0.6.1 works with openssl 0.9.7 - 1.0.2
    • sscep 0.7.0 - 0.9.1 works with openssl 0.9.7 - 1.1.1
    • sscep 0.10.0 works with openssl 1.1.0 - 3.0.0

On Ubuntu you may use:

sudo apt-get install autoconf automake libtool pkg-config libssl-dev

Unix:

To compile, run:

$ make

To generate the configure script when checking out from github source:

$ ./bootstrap.sh

To compile from a tarball created with 'make dist':

$ ./configure
$ make
$ make install

To build an RPM package from the tarball do

cp sscep-*.tar.gz ~/rpmbuild/SOURCES
rpmbuild -ba scripts/sscep.spec

Windows:

  1. Download and install:

    • Microsoft Visual Studio (e.g. the Community Edition) from https://visualstudio.microsoft.com/downloads
    • CMake from https://cmake.org/download
    • Win32/Win64 OpenSSL from http://slproweb.com/products/Win32OpenSSL.html
  2. Start the CMake GUI, select "Where is the source code" and "Where to put the binaries" (they can be the same), then Configure and Generate the project files.

  3. Start Visual Studio, open the generated solution (sscep.sln) and build the project. Then copy the sscep binary (Debug or Release) and the configuration file sscep.conf somewhere.

macOS:

Install a few packages from Homebrew:

$ brew install autoconf automake libtool pkg-config openssl

To generate the configure script when checking out from github source:

$ glibtoolize
$ aclocal
$ automake -a -c -f
$ autoreconf

Set PKG_CONFIG_PATH and then the usual will work:

$ export PKG_CONFIG_PATH="/usr/local/opt/openssl@1.1/lib/pkgconfig"
$ ./configure
$ make
$ make install

HOW TO USE

Running the command "sscep" without any arguments should give you a list of arguments and command line options.

$ ./sscep

sscep version 0.10.x

Usage: ./sscep OPERATION [OPTIONS]

Available OPERATIONs are
  getca             Get CA/RA certificate(s)
  enroll            Enroll certificate
  getcert           Query certificate
  getcrl            Query CRL
  getcaps           Query SCEP capabilities

General OPTIONS
  -u <url>          SCEP server URL
  -p <host:port>    Use proxy server at host:port
  -g <engine>       Use the given cryptographic engine
  -f <file>         Use configuration file
  -c <file>         CA certificate file or '-n' suffixed files (write if OPERATION is getca)
  -E <name>         PKCS#7 encryption algorithm (des|3des|blowfish|aes[128]|aes192|aes256)
  -S <name>         PKCS#7 signature algorithm (md5|sha1|sha224|sha256|sha384|sha512)
  -W <secs>         Wait for connectivity, up to <secs> seconds
  -v                Verbose output (for debugging the configuration)
  -d                Debug output (more verbose, for debugging the implementation)

OPTIONS for OPERATION getca are
  -i <string>       CA identifier string
  -F <name>         Fingerprint algorithm (md5|sha1|sha224|sha256|sha384|sha512)

OPTIONS for OPERATION enroll are
  -k <file>         Private key file
  -r <file>         Certificate request file
  -K <file>         Signature private key file, use with -O
  -O <file>         Signature certificate (used instead of self-signed)
  -l <file>         Write enrolled certificate in file
  -e <file>         Use different CA cert for encryption
  -L <file>         Write selfsigned certificate in file
  -t <secs>         Polling interval in seconds
  -T <secs>         Max polling time in seconds
  -n <count>        Max number of GetCertInitial requests
  -R                Resume interrupted enrollment

OPTIONS for OPERATION getcert are
  -k <file>         Signature private key file
  -l <file>         Signature local certificate file
  -O <file>         Issuer Certificate of the certificate to query (requires -s)
  -s <number>       Certificate serial number (decimal)
  -w <file>         Write certificate in file

OPTIONS for OPERATION getcrl are
  -k <file>         Signature private key file
  -l <file>         Signature local certificate file
  -O <file>         Certificate to get the CRL for (reads issuer and serial)
  -s <number>       Certificate serial number (decimal)
  -w <file>         Write CRL in file

SSCEP also supports configuration via a configuration file (-f). This is the recommended way to configure SSCEP, and all the examples below assume that you have done so.

All configuration options are key-value pairs separated with the equal sign and grouped into sections:

[section]
Key = Value

Quotation marks are optional - they are needed only if the value contains space characters (space or tab). Quotation marks inside the value string must be escaped using a backslash:

Key = "Value \"containing quotation marks\""

Comment lines (lines starting with '#') and empty lines are discarded.

Here are the available configuration file keys and example values:

| Key | Explanation | Example | Command option |
|-----|-------------|---------|----------------|
| URL | URL of the SCEP server. | http://example.com/scep | -u |
| CACertFile | Single CA certificate file, or multiple CA certificates suffixed with -0, -1, ... to write (getca) or to choose from (all other operations). | ./ca.crt | -c |
| CAIdentifier | Some CAs require you to define this. | mydomain.com | -i |
| CertReqFile | Certificate request file created with mkrequest. | ./local.csr | -r |
| EncAlgorithm | PKCS#7 encryption algorithm. Available algorithms are des, 3des, blowfish, aes/aes128, aes192 and aes256. NOTE: SCEP provides no mechanism to "negotiate" the algorithm; even if you send 3des, the reply might be des (the same applies to SigAlgorithm). | | -E |
| EncCertFile | If your CA/RA uses a different certificate for encryption and signing, define this. CACertFile is used for verifying the signature. | ./enc.crt | -e |
| SignCertFile | Instead of creating a self-signed certificate from the new key pair, use an already existing certificate/key to sign the SCEP request. If the "old" certificate and key are used, the CA can verify that the holder of the private key for an existing certificate re-enrolls for a renewal certificate, allowing for automatic approval of the request. Requires specification of the corresponding SignKeyFile (-K). | ./sig.crt | -O |
| SignKeyFile | See SignCertFile. Specifies the corresponding private key. | ./sig.key | -K |
| FingerPrint | Display fingerprint algorithm. Available algorithms are md5, sha1, sha224, sha256, sha384 and sha512. Default is the best from getcacaps, or md5. | | -F |
| GetCertFile | Write certificate acquired via the getcert operation. | ./cert.crt | -w |
| GetCertSerial | Certificate serial number. Define this for getcert. The value is given as a decimal number. | 12 | -s |
| GetCrlFile | Write CRL to file. | ./crl.crl | -w |
| LocalCertFile | Write successfully enrolled certificate. | ./local.crt | -l |
| MaxPollCount | Max number of GetCertInitial requests. | 50 | -n |
| MaxPollTime | Max polling time in seconds. | 28800 | -T |
| PollInterval | Poll periodically for pending certificate. | 60 | -t |
| PrivateKeyFile | Private key created with mkrequest. | ./local.key | -k |
| Proxy | Use HTTP proxy at host:port. | localhost:8080 | -p |
| SelfSignedFile | Write optionally the selfsigned certificate in file (needed in SCEP transaction). | ./selfsign | -L |
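The following is an added example, not code from the sscep project: a small Python parser for the configuration format described above (sections, Key = Value pairs, optional quotes with backslash-escaped quotation marks, '#' comments) plus a lint pass that checks a parsed section against the constraints the key table states (allowed EncAlgorithm and FingerPrint values, SignCertFile needing SignKeyFile, decimal GetCertSerial and poll settings). The section name `[sscep]` in the embedded sample configuration is assumed, as is the rule that an unquoted value runs to the end of the line; both samples are constructed for the example.

```python
"""Parse and sanity-check an sscep-style configuration file (added example)."""
import re
from typing import Dict, List

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
KEY_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z0-9]*)\s*=\s*(?P<rest>.*)$")

# Algorithm names and configuration keys as listed in the README key table.
ENC_ALGORITHMS = {"des", "3des", "blowfish", "aes", "aes128", "aes192", "aes256"}
DIGEST_ALGORITHMS = {"md5", "sha1", "sha224", "sha256", "sha384", "sha512"}
KNOWN_KEYS = {
    "URL", "CACertFile", "CAIdentifier", "CertReqFile", "EncAlgorithm",
    "EncCertFile", "SignCertFile", "SignKeyFile", "FingerPrint", "GetCertFile",
    "GetCertSerial", "GetCrlFile", "LocalCertFile", "MaxPollCount",
    "MaxPollTime", "PollInterval", "PrivateKeyFile", "Proxy", "SelfSignedFile",
}
INTEGER_KEYS = ("GetCertSerial", "MaxPollCount", "MaxPollTime", "PollInterval")


def parse_value(rest: str, lineno: int) -> str:
    """Apply the README quoting rules to the text after the '='."""
    if not rest.startswith('"'):
        return rest.strip()  # assumption: an unquoted value runs to end of line
    out: List[str] = []
    i = 1
    while i < len(rest):
        ch = rest[i]
        if ch == "\\" and i + 1 < len(rest):
            out.append(rest[i + 1])  # backslash escapes the next char (\" -> ")
            i += 2
            continue
        if ch == '"':
            if rest[i + 1:].strip():
                raise ValueError(f"line {lineno}: text after closing quote")
            return "".join(out)
        out.append(ch)
        i += 1
    raise ValueError(f"line {lineno}: unterminated quoted value")


def parse_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}}; keys before any [section] go under ''."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comment lines and empty lines are discarded
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip()
            sections.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected 'Key = Value' or '[section]'")
        sections[current][m.group("key")] = parse_value(m.group("rest"), lineno)
    return sections


def lint_section(cfg: Dict[str, str]) -> List[str]:
    """Report settings that contradict the key table or weaken CA verification."""
    problems = [f"unknown key {k!r}" for k in cfg if k not in KNOWN_KEYS]
    url = cfg.get("URL")
    if url is not None and not url.startswith(("http://", "https://")):
        problems.append(f"URL {url!r} is not an http(s) SCEP server URL")
    enc = cfg.get("EncAlgorithm", "").lower()
    if enc and enc not in ENC_ALGORITHMS:
        problems.append(f"EncAlgorithm {enc!r} is not a supported algorithm")
    fp = cfg.get("FingerPrint", "").lower()
    if fp and fp not in DIGEST_ALGORITHMS:
        problems.append(f"FingerPrint {fp!r} is not a supported digest")
    elif fp == "md5":  # CA certificate fingerprints are what you verify out of band
        problems.append("FingerPrint md5 is collision-prone; prefer sha256")
    if "SignCertFile" in cfg and "SignKeyFile" not in cfg:
        problems.append("SignCertFile requires the matching SignKeyFile (-K)")
    for key in INTEGER_KEYS:
        if key in cfg and not cfg[key].isdigit():
            problems.append(f"{key} must be a decimal number, got {cfg[key]!r}")
    return problems


# Constructed sample configurations (not real deployments).
SAMPLE_CONF = r"""
# enrollment settings
[sscep]
URL = http://example.com/scep
CACertFile = ./ca.crt
CAIdentifier = "ca \"prod\" 01"
PrivateKeyFile = ./local.key
CertReqFile = ./local.csr
LocalCertFile = ./local.crt
SignCertFile = "./old cert.crt"
SignKeyFile = "./old key.key"
EncAlgorithm = aes256
FingerPrint = sha256
PollInterval = 60
MaxPollTime = 28800
MaxPollCount = 50
Proxy = localhost:8080
"""
BAD_CONF = r"""
[sscep]
URL = ftp://example.com/scep
EncAlgorithm = rc4
FingerPrint = md5
SignCertFile = ./sig.crt
GetCertSerial = 0x1a
Foo = bar
"""

if __name__ == "__main__":
    for text in (SAMPLE_CONF, BAD_CONF):
        section = parse_config(text)["sscep"]
        print(section, lint_section(section) or "ok")
```

Run it directly to see the first sample parse cleanly and the second produce one finding per violated rule; point `parse_config` at the contents of your own sscep.conf before an enrollment to catch a misspelled key or a missing SignKeyFile before sscep does.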
