Internet DRAFT - draft-nourse-scep
draft-nourse-scep
Internet Engineering Task Force M. Pritikin, Ed.
Internet-Draft A. Nourse
Intended status: Historic J. Vilhuber
Expires: March 10, 2012 Cisco Systems, Inc
September 7, 2011
Simple Certificate Enrollment Protocol
draft-nourse-scep-23
Abstract
This document specifies the Simple Certificate Enrollment Protocol
(SCEP), a Public Key Infrastructure (PKI) communication protocol
which leverages existing technology by using PKCS#7 and PKCS#10 over
HTTP. SCEP is the evolution of the enrollment protocol developed by
VeriSign, Inc. for Cisco Systems, Inc. It now enjoys wide support in
both client and a Certification Authority implementations.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 10, 2012.
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
Pritikin, et al. Expires March 10, 2012 [Page 1]
�
Internet-Draft SCEP September 2011
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 6
2. SCEP Overview . . . . . . . . . . . . . . . . . . . . . . . . 6
2.1. SCEP Entities . . . . . . . . . . . . . . . . . . . . . . 6
2.1.1. Requester . . . . . . . . . . . . . . . . . . . . . . 6
2.1.2. Certification Authority . . . . . . . . . . . . . . . 7
2.1.3. Registration Authority . . . . . . . . . . . . . . . . 8
2.2. Requester authentication . . . . . . . . . . . . . . . . . 8
2.3. Enrollment authorization . . . . . . . . . . . . . . . . . 9
2.4. CA/RA Certificate Distribution . . . . . . . . . . . . . . 11
2.5. Certificate Enrollment . . . . . . . . . . . . . . . . . . 11
2.5.1. Client State Transitions . . . . . . . . . . . . . . . 12
2.6. Certificate Access . . . . . . . . . . . . . . . . . . . . 14
2.7. CRL Access . . . . . . . . . . . . . . . . . . . . . . . . 14
2.8. Certificate Revocation . . . . . . . . . . . . . . . . . . 15
3. SCEP Secure Message Objects . . . . . . . . . . . . . . . . . 16
3.1. SCEP pkiMessage . . . . . . . . . . . . . . . . . . . . . 17
3.1.1. Signed Transaction Attributes . . . . . . . . . . . . 18
3.1.1.1. transactionID . . . . . . . . . . . . . . . . . . 18
3.1.1.2. messageType . . . . . . . . . . . . . . . . . . . 19
3.1.1.3. pkiStatus . . . . . . . . . . . . . . . . . . . . 19
3.1.1.4. failInfo . . . . . . . . . . . . . . . . . . . . . 19
3.1.1.5. senderNonce and recipientNonce . . . . . . . . . . 20
3.1.1.6. signingTime Attribute . . . . . . . . . . . . . . 20
3.1.2. SCEP pkcsPKIEnvelope . . . . . . . . . . . . . . . . . 20
3.2. SCEP pkiMessage types . . . . . . . . . . . . . . . . . . 21
3.2.1. PKCSReq . . . . . . . . . . . . . . . . . . . . . . . 21
3.2.2. CertRep . . . . . . . . . . . . . . . . . . . . . . . 21
3.2.2.1. CertRep SUCCESS . . . . . . . . . . . . . . . . . 22
3.2.2.2. CertRep FAILURE . . . . . . . . . . . . . . . . . 23
Pritikin, et al. Expires March 10, 2012 [Page 2]
�
Internet-Draft SCEP September 2011
3.2.2.3. CertRep PENDING . . . . . . . . . . . . . . . . . 23
3.2.3. GetCertInitial . . . . . . . . . . . . . . . . . . . . 23
3.2.3.1. IssuerAndSubject . . . . . . . . . . . . . . . . . 23
3.2.4. GetCert . . . . . . . . . . . . . . . . . . . . . . . 24
3.2.5. GetCRL . . . . . . . . . . . . . . . . . . . . . . . . 24
3.3. Degenerate certificates-only PKCS#7 Signed-data . . . . . 25
4. SCEP Transactions . . . . . . . . . . . . . . . . . . . . . . 25
4.1. Get CA Certificate . . . . . . . . . . . . . . . . . . . . 25
4.1.1. Get CA Certificate Response Message Format . . . . . . 25
4.1.1.1. CA Certificate Response Message Format . . . . . . 26
4.1.1.2. CA/RA Certificate Response Message Format . . . . 26
4.2. Certificate Enrollment . . . . . . . . . . . . . . . . . . 26
4.2.1. Certificate Enrollment Response Message . . . . . . . 26
4.3. Poll for Requester Initial Certificate . . . . . . . . . . 26
4.3.1. Polling Response Message Format . . . . . . . . . . . 27
4.4. Certificate Access . . . . . . . . . . . . . . . . . . . . 27
4.4.1. Certificate Access Response Message Format . . . . . . 28
4.5. CRL Access . . . . . . . . . . . . . . . . . . . . . . . . 28
4.5.1. CRL Access Response Message Format . . . . . . . . . . 28
4.6. Get Next Certification Authority Certificate . . . . . . . 28
4.6.1. Get Next CA Response Message Format . . . . . . . . . 28
5. SCEP Transport . . . . . . . . . . . . . . . . . . . . . . . . 29
5.1. HTTP "GET" Message Format . . . . . . . . . . . . . . . . 29
5.1.1. Response Message Format . . . . . . . . . . . . . . . 29
5.2. SCEP HTTP Messages . . . . . . . . . . . . . . . . . . . . 29
5.2.1. GetCACert . . . . . . . . . . . . . . . . . . . . . . 30
5.2.1.1. GetCACert Response . . . . . . . . . . . . . . . . 30
5.2.2. PKCSReq . . . . . . . . . . . . . . . . . . . . . . . 30
5.2.2.1. PKCSReq Response . . . . . . . . . . . . . . . . . 31
5.2.3. GetCertInitial . . . . . . . . . . . . . . . . . . . . 31
5.2.3.1. GetCertInitial Response . . . . . . . . . . . . . 31
5.2.4. GetCert . . . . . . . . . . . . . . . . . . . . . . . 31
5.2.4.1. GetCert Response . . . . . . . . . . . . . . . . . 31
5.2.5. GetCRL . . . . . . . . . . . . . . . . . . . . . . . . 31
5.2.5.1. GetCRL Response . . . . . . . . . . . . . . . . . 32
5.2.6. GetNextCACert . . . . . . . . . . . . . . . . . . . . 32
5.2.6.1. GetNextCACert Response . . . . . . . . . . . . . . 32
6. Contributors/Acknowledgements . . . . . . . . . . . . . . . . 32
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 32
8. Security Considerations . . . . . . . . . . . . . . . . . . . 32
8.1. General Security . . . . . . . . . . . . . . . . . . . . . 33
8.2. Use of the CA keypair . . . . . . . . . . . . . . . . . . 34
8.3. ChallengePassword . . . . . . . . . . . . . . . . . . . . 34
8.4. transactionID . . . . . . . . . . . . . . . . . . . . . . 35
8.5. Nonces and Replay . . . . . . . . . . . . . . . . . . . . 35
8.6. Key Usage Issues . . . . . . . . . . . . . . . . . . . . . 35
8.7. GetCACaps Issues . . . . . . . . . . . . . . . . . . . . . 35
8.8. Unnecessary cryptography . . . . . . . . . . . . . . . . . 35
Pritikin, et al. Expires March 10, 2012 [Page 3]
�
Internet-Draft SCEP September 2011
8.9. GetNextCACert . . . . . . . . . . . . . . . . . . . . . . 36
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 36
9.1. Normative References . . . . . . . . . . . . . . . . . . . 36
9.2. Informative References . . . . . . . . . . . . . . . . . . 37
Appendix A. Private OID Definitions . . . . . . . . . . . . . . . 37
Appendix B. SCEP State Transitions . . . . . . . . . . . . . . . 38
Appendix C. CA Capabilities . . . . . . . . . . . . . . . . . . . 40
C.1. GetCACaps HTTP Message Format . . . . . . . . . . . . . . 40
C.2. CA Capabilities Response Format . . . . . . . . . . . . . 40
Appendix D. Client Certificate Renewal . . . . . . . . . . . . . 41
Appendix E. CA Key Rollover . . . . . . . . . . . . . . . . . . . 42
Appendix F. PKIOperation via HTTP POST Message . . . . . . . . . 43
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 43
Pritikin, et al. Expires March 10, 2012 [Page 4]
�
Internet-Draft SCEP September 2011
1. Introduction
Public key technology is widely available and increasingly widely
deployed. X.509 certificates serve as the basis for several
standards-based security protocols in the IETF, such as The Internet
Key Exchange (IKE) [RFC2409] and IKEv2 [RFC4306], and The Transport
Layer Security Protocol (TLS) [RFC4346]. When an X.509 certificate
is issued by other than the certificate subject (a self-issued
certificate), there typically is a need for a certificate management
protocol. Such a protocol enables a PKI client to request a
certificate, certificate renewal, or certificate revocation from a
Certification Authority (CA). Often there also is a need for
protocols to request certificate revocation status information,
although these functions are often provided by distinct mechanisms,
e.g. Certificaet Revocation Lists (CRLs) [RFC4523] or Online
Certificate Status Protocol (OCSP) [RFC2560].
This specification defines a protocol, Simple Certificate Enrollment
Protocol (SCEP), for certificate management and certificate and CRL
queries in a closed environment. While widely deployed, this
protocol omits some certificate management features, e.g. in-band
certificate revocation transactions, which can significantly enhance
the security achieved in a PKI. The IETF protocol suite currently
includes two certificate management protocols with more comprehensive
functionality: Certificate Management Protocol (CMP) [RFC4210] and
Certificate Management over CMS (CMC) [RFC5272]. Environments that
do not require interoperability with SCEP implementations SHOULD use
the above-mentioned, PKIX-standard certificate management protocols.
In light of the functionality gap between this specification and the
two IETF standards track protocols, this specification is being
published as Historic. Even when interoperability with the installed
base of SCEP implementations is needed, implementers are encouraged
to support one of these comprehensive standards track certificate
management protocols in addition to the protocol defined in this
specification. This implementation strategy balances near-term
requirements for interoperability with longer term security goals.
As a reflection of the history of SCEP implementations some of the
operations described in this document are indicated as 'SHOULD' or
'MAY' where a stricter protocol specification might have indicated a
'MUST'.
The protocol supports the following general operations:
o CA and Registration Authority (RA) public key distribution
o Certificate enrollment
Pritikin, et al. Expires March 10, 2012 [Page 5]
�
Internet-Draft SCEP September 2011
o Certificate query
o CRLquery
SCEP makes extensive use of PKCS#7 [RFC2315] and PKCS#10 [RFC2986].
1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. SCEP Overview
This section provides a high level overview of the functionality of
SCEP.
2.1. SCEP Entities
The entity types defined in SCEP are
o the Requester (Section 2.1.1) (e.g., IPSEC clients)
o the Server, which may be either a Certification Authority (CA)
(Section 2.1.2) or a Registration Authority (RA) (Section 2.1.3)
2.1.1. Requester
The requester is sometimes called a "client" in this document. It is
the client of the SCEP exchange.
The requester MAY submit SCEP messages for itself or it MAY submit
SCEP messages on behalf of peers as described in Registration
Authority (Section 2.1.3). This section focuses on the requester
that is obtaining certificates for its own use.
Before a requester can start a PKI transaction, it MUST have at least
one appropriate key pair (e.g. RSA) for use when signing the SCEP
pkiMessage (Section 3.1).
The message types, being based on PKCS#7 [RFC2315] and PKCS#10
[RFC2986], fully support algorithm agility but the requester has to
use a key type that is supported by the server. RSA is the only
algorithm supported by current implementations.
A requester MUST have the following information locally configured:
Pritikin, et al. Expires March 10, 2012 [Page 6]
�
Internet-Draft SCEP September 2011
1. The Certification Authority IP address or fully qualified domain
name
2. The Certification Authority HTTP CGI script path
3. The identifying information that is used for authentication of
the Certification Authority in Section 4.1.1. This information
MAY be obtained from the user, or presented to the end user for
manual authorization during the protocol exchange (e.g. the user
indicates acceptance of a fingerprint via a user-interface
element).
The requester MUST have MESSAGE information configured if the
Certification Authority requires it (see Section 5.1).
The requester MAY maintain multiple independent configurations
appropriate for multiple Certification Authorities. Doing so does
not effect the protocol operation and is not in scope of this
document.
Certificate requests for certificates whose purpose is a specific
solution are encouraged to conform to the solution's profile, e.g.
[RFC4945] Section 5 for IKE/IPsec certificates.
2.1.2. Certification Authority
An SCEP Certification Authority (CA) is the entity that signs client
certificates. The CAs name appears in the issuer field of resulting
certificates.
Before any PKI operations can occur, the SCEP CA server obtains a
'CA' certificate that is compliant with the profile in [RFC5280].
This MAY be a CA certificate that was issued by a higher level CA.
The SCEP server CA certificate MUST be provided out-of-band to the
SCEP requester. The CA certificate fingerprint MAY be used to
authenticate a CA Certificate distributed by the GetCACert response
(Section 4.1.1). The fingerprint is created by calculating a SHA-1,
SHA-256, SHA-512, or MD5 hash on the whole CA certificate.
The certification authority MUST either include a
cRLDistributionPoint extension in every certificate it issues or
answer CRL queries itself, in which case it SHOULD be online at all
times. The certification authority SHOULD either answer certificate
queries or make certificates available via LDAP.
A certification authority may enforce any arbitrary policies,
including name uniqueness policies, and apply them to certification
Pritikin, et al. Expires March 10, 2012 [Page 7]
�
Internet-Draft SCEP September 2011
requests. The certification authority MAY reject any request. If
the client has already been issued a certificate for this keypair the
server MAY return the previously created certificate. The requester
MUST NOT assume any of the fields in the certification request,
except for the public key, will be the same in the certificate
issued.
If a client times out from polling for a pending request it can
resynchronize by reissuing the original request with the original
subject name, key, and transaction ID. The CA SHOULD return the
status of the original transaction, including the certificate if it
was granted. The CA SHOULD NOT create a new transaction unless the
original certificate has been revoked, or the transaction arrives
more than halfway through the validity period of the original
certificate.
2.1.3. Registration Authority
An SCEP Registration Authority (RA) is an SCEP server that performs
validation and authorization checks of the SCEP requester but
forwards the certification requests to the CA. The RAs name does not
appear in the issuer field of resulting certificates.
The RA MUST return the RA certificate, in addition to the CA
certificate, in the GetCACert Response (see Section 5.2.1.1.2). The
existence of an RA certificate in this response indicates to the
client that an RA is in use. In order to securely communicate with
an RA using SCEP Secure Message Objects (Section 3) the client
specifies the RA as the recipient of subsequent SCEP pkiMessages (see
Section 3.1.2).
In order to service certification requests the RA must pass the
requests to the CA server for signing. The RA MAY use SCEP to
communicate with the CA, in which case the RA acts as both an SCEP
server (between the client and the RA) and an SCEP requester (between
the RA and the CA). The RA MAY respond to client certificate
requests with a PENDING response while communicating with the CA; for
example if the CA must manually authorize a certification request and
thus returns PENDING to the RA the RA may respond with PENDING to the
client while polling the CA.
Communication between the RA and the CA MAY be over other protocols
such as Certificate Management over CMS [RFC5272].
2.2. Requester authentication
As with every protocol that uses public-key cryptography, the
association between the public keys used in the protocol and the
Pritikin, et al. Expires March 10, 2012 [Page 8]
�
Internet-Draft SCEP September 2011
identities with which they are associated must be authenticated in a
cryptographically secure manner. This requirement is needed to
prevent a "man-in-the-middle" attack, in which an adversary can
manipulate the data as it travels between the protocol participants
and subvert the security of the protocol.
The communication between the requester and the certification
authority are secured using SCEP Secure Message Objects (Section 3)
which specifies how PKCS#7 [RFC2315] is used to encrypt and sign the
data. In order to perform the signing operation the client uses an
appropriate local certificate:
1. If the requesting system already has a certificate issued by the
SCEP server, and the server supports renewal (see Appendix C),
that certificate SHOULD be used.
2. If the requesting system has no certificate issued by the new CA,
but has credentials from an alternate CA the certificate issued
by the alternate CA MAY be used. Policy settings on the new CA
will determine if the request can be accepted or not. This is
useful when enrolling with a new administrative domain; by using
a certificate from the old domain as credentials.
3. If the requester does not have an appropriate existing
certificate, then a locally generated self-signed certificate
MUST be used instead. The self-signed certificate MUST use the
same subject name as in the PKCS#10 request.
During the certificate enrollment, the requester MUST use the
selected certificate's keypair when signing the PKCS#7 [RFC2315] (see
Section 3). The server CertResp uses this signing certificate's
public key when encrypting the response (see Section 3.2.2).
When the certification authority creates the PKCS#7 [RFC2315]
envelope on the issued certificate, it SHOULD use the public key,
issuer name, and serial number conveyed in the above included
certificate. This will inform the end entity of which private key is
needed to open the envelope. Note that when a client enrolls for
separate encryption and signature certificates, it MAY use the
signature certificate to sign both requests, and then expect its
signature key to be used to encrypt both responses. In any case, the
RecipientInfo on the envelope MUST reflect the key used to encrypt
the request.
2.3. Enrollment authorization
There are two mechanisms for automated enrollment authorization.
Pritikin, et al. Expires March 10, 2012 [Page 9]
�
Internet-Draft SCEP September 2011
When the client uses a keypair that is associated with a certificate
which is not self-signed to sign SCEP messages the server MAY use
this certificate to authenticate the client and determine the
appropriate authorization. The SCEP server SHOULD implement
appropriate logic to support client authentication and automated
enrollment using existing client credentials that were issued by an
alternate PKI hierarchy, in addition to the policy requirements
implied by optional support of renewal (see Appendix D). The SCEP
server MUST NOT attempt to authenticate a client based on a self-
signed certificate.
PKCS#10 [RFC2986] specifies a PKCS#9 [RFC2985] challengePassword
attribute to be sent as part of the enrollment request. Inclusion of
the challengePassword by the SCEP client is OPTIONAL and allows for
unauthenticated authorization of enrollment requests. The PKCS#7
[RFC2315] envelope protects the privacy of the challenge password.
When utilizing the challengePassword, the server distributes a shared
secret to the requester which will uniquely associate the enrollment
request with the requester. The distribution of the secret must be
private: only the end entity should know this secret. The actual
binding mechanism between the requester and the secret is subject to
the server policy and implementation.
A client that is performing certificate renewal as per Appendix D
SHOULD send an empty challenge password (i.e. use the empty string as
the challenge password) but MAY send the originally distributed
challenge password in the challengePassword attribute. In the former
case the SCEP CA MUST authenticate the request based on the
certificate used to sign the renewal request. In the latter case the
SCEP CA MAY use either the challengePassword or the previously issued
certificate (or both) to authenticate the request.
In the manual mode the requester's messages are placed in the PENDING
state until the CA operator authorizes or rejects them. Manual
authorization is used when the client has only a self-signed
certificate and/or a challengePassword is not available. The SCEP
server MAY either reject unauthorized certification requests or mark
them for manual authorization according to server configuration.
The requester generates a SHA-1, SHA-256, SHA-512, or MD5
'fingerprint' of the PKCS#10 [RFC2986] (before PKCS#7 [RFC2315]
enveloping and signing). This fingerprint is sent to the CA operator
using an out-of-band method. The CA operator MUST compared this
fingerprint to a locally generated fingerprint based on the message
received during the SCEP exchange.
SCEP clients and CAs (or RAs, if appropriate) MUST support display of
Pritikin, et al. Expires March 10, 2012 [Page 10]
�
Internet-Draft SCEP September 2011
this fingerprint to the operator to enable this authorization method.
The out-of-band distribution and comparison of fingerprints is not
covered by this document.
2.4. CA/RA Certificate Distribution
If the CA and/or RA certificates have not previously been acquired by
the requester in some other means, the requester MUST retrieve the
CA/RA certificates before any PKI operation (Section 3) can be
started.
Since no public key has yet been exchanged between the requester and
the CA/RA, the messages cannot be secured using PKCS#7 [RFC2315], and
the data is instead transferred in the clear.
If an RA is in use, a certificates-only PKCS#7 [RFC2315] SignedData
with a certificate chain consisting of both RA and CA certificates is
returned. Otherwise the CA certificate itself is returned. The
transport protocol (Section 5) MUST indicate which one is returned.
After the requester gets the CA certificate, it MUST authenticate the
CA certificate by comparing the CA certificate fingerprint (see
Section 2.1.2) with the locally configured, out-of-band distributed,
identifying information. RA certificates, if any, are signed by the
CA so there is no need to authenticate them against the out-of-band
data. Clients MUST verify the RA certificate signatures before use
during protocol exchanges.
Clients MUST verify the authorization of the RA certificates. The
authorization mechanism is specified by the CA administrator and is
out of scope for this document.
Because a long time can pass between queries from a requester to a
CA/RA and because RA certificates can change at any time, it is
recommended that a requester not store RA certificates. Instead, the
requester SHOULD retrieve the CA/RA certificates before each
operation.
2.5. Certificate Enrollment
A requester starts an enrollment (Section 3.2.1) transaction by
creating a certificate request using PKCS#10 [RFC2986] and sends it
to the CA/RA enveloped using the PKCS#7 (Section 3).
It is up to local CA policy (and CA implementation) as to whether a
certificate is granted automatically, or whether it is manually
granted by the administrator. The challengePassword MAY be used to
automatically authorize the request.
Pritikin, et al. Expires March 10, 2012 [Page 11]
�
Internet-Draft SCEP September 2011
If the CA/RA returns a CertRep (Section 3.2.2) message with status
set to PENDING, the requester enters into polling mode by
periodically sending a GetCertInitial (Section 3.2.3) PKI message to
the CA/RA, until the CA/RA operator completes the manual
authentication (approving or denying the request).
In general, the requester will send a single PKCSReq (Section 3.2.1)
message, followed by 0 or more GetCertInitial (Section 3.2.3)
messages, if polling mode is entered.
In general, the CA/RA will send 0 or more CertRep (Section 3.2.2)
messages with status set to PENDING, followed by a single CertRep
(Section 3.2.2) with status set to either SUCCESS or FAILURE.
2.5.1. Client State Transitions
The requester state transitions during enrollment operation are
indicated in Figure 1.
GetCertInitial
+----<---+
| | CertRep(PENDING),
| | GetCertInitial send-timeout,
| | new-poll timer
| |
[CERT-NONEXISTANT] -----+---> [CERT-REQ-PENDING] [CERT-ISSUED]
^ PKCSReq | | ^
| | | |
| | +---------------+
| | CertRep(SUCCESS)
+--------------------------+
CertRep(FAILURE),
PKCSReq send-timeout,
max-time/max-polls exceeded
Figure 1: State Transition Diagram
Certificate enrollment starts at the state CERT-NONEXISTANT.
Sending a PKCSReq message changes the state to CERT-REQ-PENDING. If
there is no response, or sending is not possible, the state reverts
back to CERT-NONEXISTANT.
Receiving a CertRep message with pkiStatus set to SUCCESS changes the
state to CERT-ISSUED.
Receiving a CertRep message with pkiStatus set to FAILURE changes the
Pritikin, et al. Expires March 10, 2012 [Page 12]
�
Internet-Draft SCEP September 2011
state to CERT-NONEXISTANT.
If the server sends back a CertRep message with pkiStatus set to
PENDING, the requester will keep polling by sending a GetCertInitial
message to the server, until either a CertRep message with status set
to SUCCESS or FAILURE is received, or the maximum number of polls has
been exceeded.
If the maximum number of polls has been exceeded or a CertRep message
with pkiStatus set to FAILURE is received while in the CERT-REQ-
PENDING state, the end entity will transition to the CERT-NONEXISTANT
state, and the SCEP client can eventually initiate another enrollment
request. It is important to note that, as long as the requester does
not change its subject name or keys, the same transaction ID will be
used in the "new" transaction. This is important because based on
this transaction ID, the certification authority can recognize this
as an existing transaction instead of a new one.
A successful transaction in automatic mode:
REQUESTER CA SERVER
PKCSReq: PKI cert. enrollment msg
--------------------------------> CertRep: pkiStatus = SUCCESS
certificate attached
<------------------------------
Receive issued certificate.
Figure 2: Automatic mode transaction
Pritikin, et al. Expires March 10, 2012 [Page 13]
�
Internet-Draft SCEP September 2011
A successful transaction in manual mode:
REQUESTER CA SERVER
PKCSReq: PKI cert. enrollment msg
--------------------------------> CertRep: pkiStatus = PENDING
<------------------------------
GetCertInitial: polling msg
--------------------------------> CertRep: pkiStatus = PENDING
<------------------------------
................ <manual identity authentication>...............
GetCertInitial: polling msg
--------------------------------> CertRep: pkiStatus = SUCCESS
certificate attached
<------------------------------
Receive issued certificate.
Figure 3: Manual mode transaction
2.6. Certificate Access
A certificate query message is defined for clients to retrieve a copy
of their own certificates from the CA. It allows clients that do not
store their certificate locally to obtain a copy when needed. This
functionality is not intended to provide a general purpose
certificate directory service.
To query a certificate from the certification authority, a requester
sends a request consisting of the certificate's issuer name and
serial number. This assumes that the requester has saved the issuer
name and the serial number of the issued certificate from the
previous enrollment transaction. The transaction to query a
certificate consists of one GetCert (Section 3.2.4) message and one
CertRep (Section 3.2.2) message, as shown in Figure 4.
REQUESTER CA SERVER
GetCert: PKI certificate query msg
-------------------------------> CertRep: pkiStatus = SUCCESS
certificate attached
<-----------------------------
Receive the certificate.
Figure 4: GetCert Transaction
2.7. CRL Access
SCEP clients request a CRL via one of two methods:
Pritikin, et al. Expires March 10, 2012 [Page 14]
�
Internet-Draft SCEP September 2011
1. If the CA supports CRL Distribution Points (CDPs) [RFC5280]
(Section 4.2.1.13), then the CRL MUST be retrieved via the
mechanism specified in the CDP.
2. If the CA does not support CDP's, a CRL query is composed by
creating a GetCRL message consisting of the issuer name and
serial number from a certificate within the scope of the CRL to
be retrieved (e.g. from a certificate to be validated).
The server SHOULD NOT support the GetCRL method because:
o it does not scale well due to the unnecessary cryptography (see,
Section 8.8)
o it requires the CA to be a high-availability service
o only limited information to determine the CRL scope is provided
(see [RFC5280] Section 5).
The message is sent to the SCEP server in the same way as the other
SCEP requests: The transaction to retrieve a CRL consists of one
GetCRL PKI message and one CertRep PKI message, which contains only
the CRL (no certificates), as shown in Figure 5.
On receipt of this message, the SCEP server MAY use the
IssuerAndSerial information to return an appropriate CRL.
REQUESTER CA SERVER
GetCRL: PKI CRL query msg
---------------------------------->
CertRep: CRL attached
<--------------------------------
Figure 5: GetCRL Transaction
2.8. Certificate Revocation
SCEP does not specify a method to request certificate revocation.
In order to revoke a certificate, the requester must contact the CA
server operator using a non-SCEP defined mechanism. Although the
PKCS#10 [RFC2986] challengePassword is used by SCEP for enrollment
authorization (see Enrollment authorization (Section 2.3)) this does
not inhibit the CA server from maintaining a record of the
challengePassword to use during subsequent revocation operations as
implied by [RFC2985].
Pritikin, et al. Expires March 10, 2012 [Page 15]
�
Internet-Draft SCEP September 2011
3. SCEP Secure Message Objects
PKCS#7 [RFC2315] is a general enveloping mechanism that enables both
signed and encrypted transmission of arbitrary data.
All messages MUST be valid PKCS#7 [RFC2315] structures, unless
otherwise noted.
SCEP messages that require confidentiality use two layers of PKCS#7,
as shown in Figure 6. By applying both enveloping and signing
transformations, the SCEP message is protected both for the integrity
of its end-to-end transaction information and the confidentiality of
its information portion. The advantage of this technique over the
conventional transaction message format is that the signed
transaction type information and the status of the transaction can be
determined prior to invoking security handling procedures specific to
the information portion being processed.
Some messages do not require enveloping, in which case the
EnvelopedData in Figure 6 is omitted.
ContentType = SignedData (called pkiMessage)
SignerInfo
Signature
authenticatedAttributes
transactionID
messageType
pkiStatus
failInfo
senderNonce
recipientNonce
etc
ContentInfo type = EnvelopedData (called pkcsPKIEnvelope; optional)
RecipientInfo
ContentInfo type = Data
messageData
Figure 6: PKCS#7 Layering
Description:
o The outer PKCS#7 is a pkiMessage (Section 3.1).
o The SignedData ContentInfo, if present (e.g. FAILURE and PENDING
CertRep messages will lack any signed content), MUST be a
pkcsPKIEnvelope (Section 3.1.2).
Pritikin, et al. Expires March 10, 2012 [Page 16]
�
Internet-Draft SCEP September 2011
When a particular SCEP message carries data, this data is carried in
the messageData.
Note: The remainder of this document will refer only to
'messageData', but it is understood to always be encapsulated in the
pkcsPKIEnvelope (Section 3.1.2). The format of the data in the
messageData is defined by the messageType attribute (see
Section 3.1.1) of the SignedData. If there is no messageData to be
transmitted, the entire pkcsPKIEnvelope MUST be omitted.
3.1. SCEP pkiMessage
The basic building block of all secured SCEP messages is the SCEP
pkiMessage. It consists of an PKCS#7 signed-data content type, as
defined in PKCS#7 [RFC2315] Section 9. The following restrictions
apply:
o version MUST be 1
o the contentType in contentInfo MUST be data ({pkcs-7 1}) as
defined in PKCS#7 [RFC2315] Section 8.
o The signed content, if present (e.g. FAILURE and PENDING CertRep
messages will lack any signed content), MUST be a pkcsPKIEnvelope
(Section 3.1.2), and MUST match the messageType attribute.
o The SignerInfo MUST contain a set of authenticatedAttributes (see
PKCS#7 [RFC2315] Section 9.2 as well as Section 3.1.1 in this
document). All messages MUST contain
* an SCEP transactionID attribute
* an SCEP messageType attribute
* an SCEP senderNonce attribute
* any attributes required by PKCS#7 [RFC2315] Section 9.2
If the message is a response, it MUST also include
* an SCEP pkiStatus attribute
* an SCEP recipientNonce attribute
Pritikin, et al. Expires March 10, 2012 [Page 17]
�
Internet-Draft SCEP September 2011
3.1.1. Signed Transaction Attributes
The following transaction attributes are encoded as authenticated
attributes, and are carried, as specified in PKCS#7 [RFC2315] Section
9.2, in the SignerInfo for this signedData.
Please refer to Appendix A for the OID definitions.
+----------------+-----------------+---------------------------+
| Attribute | Encoding | Comment |
+----------------+-----------------+---------------------------+
| transactionID | PrintableString | Hash value as a string |
| messageType | PrintableString | Decimal value as a string |
| pkiStatus | PrintableString | Decimal value as a string |
| failInfo | PrintableString | Decimal value as a string |
| senderNonce | OCTET STRING | |
| recipientNonce | OCTET STRING | |
+----------------+-----------------+---------------------------+
Transaction Attributes
The attributes are detailed in the following sections.
3.1.1.1. transactionID
A PKI operation is a transaction consisting of the messages exchanged
between a requester and the server. The transaction identifier is a
string generated by the client when starting a transaction. The
client MUST generate a unique string as the transaction identifier,
which MUST be used for all PKI messages exchanged for a given
enrollment, encoded as a PrintableString.
The transactionID SHOULD be generated as a SHA-1, SHA-256, SHA-512 or
MD5 hash on the public key value for which the enrollment request is
made. This allows the SCEP client to automatically generate the same
transactionID for any given keypair. The SCEP protocol requires that
transactionIDs be unique, so that subsequent polling queries can be
matched with previous transactions. When separate signing and
encryption certificates are requested by the client, using distinct
keypairs ensures that distinct transactionIDs are also used.
When using the certificate query and CRL query messages defined in
this protocol, the transactionID is required so that the requester
can match the response message with the outstanding request message.
When using LDAP to query the certificate and the CRL, the behavior is
specified by the LDAP protocol. For a non-enrollment message (for
example GetCert and GetCRL), the transactionID SHOULD be a number
unique to the client.
Pritikin, et al. Expires March 10, 2012 [Page 18]
�
Internet-Draft SCEP September 2011
3.1.1.2. messageType
The messageType attribute specifies the type of operation performed
by the transaction. This attribute MUST be included in all PKI
messages. The following message types are defined:
o PKCSReq (19) -- PKCS#10 [RFC2986] certificate request
o CertRep (3) -- Response to certificate or CRL request
o GetCertInitial (20) -- Certificate polling in manual enrollment
o GetCert (21) -- Retrieve a certificate
o GetCRL (22) -- Retrieve a CRL
Undefined message types are treated as an error.
3.1.1.3. pkiStatus
All response messages MUST include transaction status information,
which is defined as pkiStatus attribute:
o SUCCESS (0) -- request granted
o FAILURE (2) -- request rejected. When pkiStatus is FAILURE, the
failInfo attribute, as defined in Section 3.1.1.4, MUST also be
present.
o PENDING (3) -- request pending for manual approval
Undefined pkiStatus attributes are treated as an error.
3.1.1.4. failInfo
The failInfo attribute MUST contain one of the following failure
reasons:
o badAlg (0) -- Unrecognized or unsupported algorithm identifier
o badMessageCheck (1) -- integrity check failed
o badRequest (2) -- transaction not permitted or supported
o badTime (3) -- The signingTime attribute from the PKCS#7
authenticatedAttributes was not sufficiently close to the system
time (see Section 3.1.1.6).
Pritikin, et al. Expires March 10, 2012 [Page 19]
�
Internet-Draft SCEP September 2011
o badCertId (4) -- No certificate could be identified matching the
provided criteria
Undefined failInfo attributes are treated as an error.
3.1.1.5. senderNonce and recipientNonce
The attributes of senderNonce and recipientNonce are a 16 byte random
number generated for each transaction. These are intended to prevent
replay attacks.
When a requester sends a PKI message to the server, a senderNonce
MUST be included in the message.
The recipient SHOULD copy the senderNonce into the recipientNonce of
the reply as a proof of liveliness.
The requester SHOULD verify that the recipientNonce of the reply
matches the senderNonce it sent in the request.
3.1.1.6. signingTime Attribute
The signingTime attribute is defined in [RFC2985] Section 5.3.3, and
is carried as specified in [RFC2315] Section 9.2. This attribute is
OPTIONAL.
3.1.2. SCEP pkcsPKIEnvelope
The information portion of a SCEP message is carried inside an
enveloped-data content type, as defined in PKCS#7 [RFC2315] Section
10, with the following restrictions:
o version MUST be 0
o contentType in encryptedContentInfo MUST be data ({pkcs-7 1}) as
defined in PKCS#7 [RFC2315] Section 8.
o encryptedContent MUST be the SCEP message being transported (see
Section 4), and must match the messageType authenticated Attribute
in the pkiMessage.
The PKCS#7 [RFC2315] content-encryption key (see Section 10, step 2)
is encrypted using the public key of the recipient of the message,
i.e. the RA or the CA public key (if sent from the requester), or the
requester public key (if sent as a reply to the requester).
Pritikin, et al. Expires March 10, 2012 [Page 20]
�
Internet-Draft SCEP September 2011
3.2. SCEP pkiMessage types
All of the messages in this section are pkiMessages (Section 3.1),
where the type of the message MUST be specified in the 'messageType'
authenticated Attribute. Each section defines a valid message type,
the corresponding messageData formats, and mandatory authenticated
attributes for that type.
3.2.1. PKCSReq
The messageData for this type consists of a PKCS#10 Certification
Request [RFC2986]. The certification request MAY contain any fields
defined in PKCS#10 [RFC2986], and MUST contain at least the following
items:
o the subject Distinguished Name
o the subject public key
o a challengePassword attribute. The Challenge Password may be used
to (out-of-band) authenticate the enrollment request itself, or in
an out-of-band revocation request for the issued certificate.
In addition to the authenticatedAttributes required for a valid
PKCS#7 [RFC2315], this pkiMessage MUST include the following
attributes:
o a transactionID (Section 3.1.1.1) attribute
o a messageType (Section 3.1.1.2) attribute set to PKCSReq
o a senderNonce (Section 3.1.1.5) attribute
The pkcsPKIEnvelope for this message type is protected using the
public key of the recipient as detailed in Section 3.1.2, e.g. either
the CA or RA public key.
3.2.2. CertRep
The messageData for this type consists of a degenerate certificates-
only PKCS#7 Signed-data (Section 3.3). The exact content required
for the reply depends on the type of request this message is a reply
to. They are detailed in Table 1 and in Section 4.
In addition to the authenticatedAttributes required for a valid
PKCS#7 [RFC2315], this pkiMessage MUST include the following
attributes:
Pritikin, et al. Expires March 10, 2012 [Page 21]
�
Internet-Draft SCEP September 2011
o the transactionID (Section 3.1.1.1) attribute copied from the
request we are responding to
o a messageType (Section 3.1.1.2) attribute set to CertRep
o a senderNonce (Section 3.1.1.5) attribute
o a recipientNonce attribute (Section 3.1.1.5) copied from the
senderNonce from the request we are responding to.
o a pkiStatus (Section 3.1.1.3) set to the status of the reply.
The pkcsPKIEnvelope for this message type is protected using the
public key of the recipient as detailed in Section 3.1.2. For
example if a self-signed certificate was used to send the original
request then this self-signed certificate's public key is used to
encrypt the content-encryption key of the SUCCESS response's
pkcsPKIEnvelope.
3.2.2.1. CertRep SUCCESS
When the pkiStatus attribute is set to SUCCESS, the messageData for
this message consists of a degenerate certificates-only PKCS#7
Signed-data (Section 3.3). The content of this degenerate
certificates-only Signed-Data depends on what the original request
was, as outlined in Table 1.
+----------------+--------------------------------------------------+
| Request-type | Reply-contents |
+----------------+--------------------------------------------------+
| PKCSReq | the reply MUST contain at least the issued |
| | certificate in the certificates field of the |
| | Signed-Data. The reply MAY contain additional |
| | certificates, but the issued certificate MUST be |
| | the first in the list. The reply MUST NOT |
| | contain a CRL. All returned certificates MUST |
| | conform to [RFC5280]. |
| GetCertInitial | same as PKCSReq |
| GetCert | the reply MUST contain at least the requested |
| | certificate in the certificates field of the |
| | Signed-Data. The reply MAY contain additional |
| | certificates, but the requested certificate MUST |
| | be the first in the list. The reply MUST NOT |
| | contain a CRL. All returned certificates MUST |
| | conform to [RFC5280]. |
Pritikin, et al. Expires March 10, 2012 [Page 22]
�
Internet-Draft SCEP September 2011
| GetCRL | the reply MUST contain the CRL in the crls field |
| | of the Signed-Data. The reply MUST NOT contain |
| | a certificate. The CRL MUST be a valid CRL |
| | according to [RFC5280]. |
+----------------+--------------------------------------------------+
Table 1: CertRep Types
3.2.2.2. CertRep FAILURE
When the pkiStatus attribute is set to FAILURE, the reply MUST also
contain a failInfo (Section 3.1.1.4) attribute set to the appropriate
error condition describing the failure. The pkcsPKIEnvelope
(Section 3.1.2) MUST be omitted.
3.2.2.3. CertRep PENDING
When the pkiStatus attribute is set to PENDING, the pkcsPKIEnvelope
(Section 3.1.2) MUST be omitted.
3.2.3. GetCertInitial
The messageData for this type consists of a IssuerAndSubject
(Section 3.2.3.1). The issuer is set to the issuerName from the
certification authority from which we are issued certificates. The
Subject is set to the SubjectName we used when requesting the
certificate.
In addition to the authenticatedAttributes required for a valid
PKCS#7 [RFC2315], this pkiMessage MUST include the following
attributes:
o the same transactionID (Section 3.1.1.1) attribute from original
PKCSReq message
o a messageType (Section 3.1.1.2) attribute set to GetCertInitial
o a senderNonce (Section 3.1.1.5) attribute
3.2.3.1. IssuerAndSubject
Similar to the IssuerAndSerial defined in PKCS#7 [RFC2315] Section
6.7, we need to define an IssuerAndSubject ASN.1 type (Figure 7).
Pritikin, et al. Expires March 10, 2012 [Page 23]
�
Internet-Draft SCEP September 2011
The ASN.1 definition of the issuerAndSubject type is as follows:
issuerAndSubject ::= SEQUENCE {
issuer Name,
subject Name
}
Figure 7: IssuerAndSubject ASN.1
3.2.4. GetCert
The messageData for this type consists of a IssuerAndSerial as
defined in PKCS#7 [RFC2315] Section 6.7 containing the "distinguished
name of the certificate issuer and an issuer-specific certificate
serial number" which uniquely identifies the certificate being
requested.
In addition to the authenticatedAttributes required for a valid
PKCS#7 [RFC2315], this pkiMessage MUST include the following
attributes:
o a transactionID (Section 3.1.1.1) attribute
o a messageType (Section 3.1.1.2) attribute set to GetCert
o a senderNonce (Section 3.1.1.5) attribute
A self-signed certificate MAY be used in the signed envelope. This
enables the requester to request their own certificate if they were
unable to store it previously.
3.2.5. GetCRL
The messageData for this type consists of a IssuerAndSerial as
defined in PKCS#7 [RFC2315] Section 6.7 along with the issuer name
and serial number from the certificate to be validated.
In addition to the authenticatedAttributes required for a valid
PKCS#7 [RFC2315], this pkiMessage MUST include the following
attributes:
o a transactionID (Section 3.1.1.1) attribute
o a messageType (Section 3.1.1.2) attribute set to GetCRL
o a senderNonce (Section 3.1.1.5) attribute
Pritikin, et al. Expires March 10, 2012 [Page 24]
�
Internet-Draft SCEP September 2011
3.3. Degenerate certificates-only PKCS#7 Signed-data
[RFC2315] Section 9 includes a degenerate case of the PKCS#7 Signed-
data content type, in which there are no signers. The use of such a
degenerate case is to disseminate certificates and certificate-
revocation lists. For SCEP the content field of the ContentInfo
value of a degenerate certificates-only Signed-Data MUST be omitted.
When carrying certificates, the certificates are included in the
'certificates' field of the Signed-Data. When carrying a CRL, the
CRL will be included in the 'crls' field of the Signed-Data.
4. SCEP Transactions
This section describes the SCEP Transactions, without explaining the
transport. The transport of each message is discussed in Section 5.
Some of the transaction-requests have no data to send, i.e. the only
data is the message-type itself (e.g. a GetCACert message has no
additional data). The use of such messages will become clearer in
Section 5.
In this section, each SCEP transaction is specified in terms of the
complete messages exchanged during the transaction.
The order of the transactions in this section is mirrored in
Section 5.2 for better organization and readability.
4.1. Get CA Certificate
To get the CA certificate(s), the requester sends a GetCACert message
to the server. There is no request data associated with this message
(see Section 5.2.1).
4.1.1. Get CA Certificate Response Message Format
The response depends on whether the responding server has RA
certificates or only a single CA certificate. The server MUST
indicate which response it is sending via the transport protocol used
(see Section 5.2.1).
All returned certificates MUST conform to [RFC5280].
A fingerprint is generated using the SHA-1, SHA-256, SHA-512 or MD5
hash algorithm on the whole CA certificate received by the requester
(regardless of the presence of RA certificates). If the requester
does not have a certificate path to a trust anchor certificate, this
fingerprint may be used to verify the certificate, by some positive
Pritikin, et al. Expires March 10, 2012 [Page 25]
�
Internet-Draft SCEP September 2011
out-of-band means, such as a phone call or prior configuration.
4.1.1.1. CA Certificate Response Message Format
If the server is a certification authority and does not have any RA
Certificates, the response consists of a single X.509 CA certificate.
4.1.1.2. CA/RA Certificate Response Message Format
If the server has RA Certificates, the response consists of a
degenerate certificates-only PKCS#7 Signed-data (Section 3.3)
containing the CA certificate and RA certificates.
4.2. Certificate Enrollment
A PKCSReq (Section 3.2.1) message is used to perform a certificate
enrollment transaction.
The reply MUST be a CertRep (Section 3.2.2) message sent back from
the server, indicating SUCCESS, FAILURE, or PENDING.
Precondition: Both the requester and the certification authority have
completed their initialization process. The requester has already
been configured with the CA/RA certificate.
Postcondition: The requester receives the certificate, the request is
rejected, or the request is pending. A pending response might
indicate that manual authentication is necessary.
4.2.1. Certificate Enrollment Response Message
If the request is granted, a CertRep (Section 3.2.2) message with
pkiStatus set to SUCCESS is returned. The reply MUST also contain
the certificate (and MAY contain any other certificates needed by the
requester). The issued certificate MUST be the first in the list.
If the request is rejected, a CertRep (Section 3.2.2) message with
pkiStatus set to FAILURE is returned. The reply MUST also contain a
failInfo attribute.
If the the CA is configured to manually authenticate the requester, a
CertRep (Section 3.2.2) message with pkiStatus set to PENDING MAY be
returned. The CA MAY return a PENDING for other reasons.
4.3. Poll for Requester Initial Certificate
Triggered by a CertRep (Section 3.2.2) with pkiStatus set to PENDING,
a requester will enter the polling state by periodically sending
Pritikin, et al. Expires March 10, 2012 [Page 26]
�
Internet-Draft SCEP September 2011
GetCertInitial (Section 3.2.3) to the server, until either the
request is granted and the certificate is sent back, or the request
is rejected, or the configured time limit for polling (or maximum
number of polls) is exceeded.
Since GetCertInitial is part of the enrollment, the messages
exchanged during the polling period MUST carry the same transactionID
attribute as the previous PKCSReq. A server receiving a
GetCertInitial for which it does not have a matching PKCSReq MUST
ignore this request.
Since at this time the certificate has not been issued, the requester
can only use its own subject name (which was contained in the
original PKCS#10 sent via PKCSReq) to identify the polled certificate
request. Since there can be multiple outstanding requests from one
requester (for example, if different keys and different key-usages
were used to request multiple certificates), the transaction ID must
also be included, to disambiguate between multiple requests.
PreCondition: The requester has received a CertRep with pkiStatus set
to PENDING.
PostCondition: The requester has either received a valid response,
which could be either a valid certificate (pkiStatus = SUCCESS), or a
FAILURE message, or the polling period times out.
4.3.1. Polling Response Message Format
The response messages for GetCertInitial are the same as in
Section 4.2.1.
4.4. Certificate Access
A requester can query an issued certificate from the SCEP server, as
long as the requester knows the issuer name and the issuer assigned
certificate serial number. This transaction is not intended to
provide a generic certificate directory service.
This transaction consists of one GetCert (Section 3.2.4) message sent
to the server by a requester, and one CertRep (Section 3.2.2) message
sent back from the server.
PreCondition: The certification authority has issued the queried
certificate and the issuer assigned serial number is known.
PostCondition: Either the certificate is sent back or the request is
rejected.
Pritikin, et al. Expires March 10, 2012 [Page 27]
�
Internet-Draft SCEP September 2011
4.4.1. Certificate Access Response Message Format
In this case, the CertRep from the server is same as in
Section 4.2.1, except that the server will only either grant the
request (SUCCESS) or reject the request (FAILURE).
4.5. CRL Access
Clients MAY request a CRL from the SCEP server as described in
Section 2.7.
PreCondition: The certification authority certificate has been
downloaded to the end entity.
PostCondition: CRL sent back to the requester.
4.5.1. CRL Access Response Message Format
The CRL is sent back to the requester in a CertRep (Section 3.2.2)
message. The information portion of this message is a degenerate
certificates-only Signed-data (Section 3.3) that contains only the
most recent CRL in the crls field of the Signed-Data.
The server MAY return any appropriate CRL.
4.6. Get Next Certification Authority Certificate
When a CA certificate is about to expire, clients need to retrieve
the CA's next CA certificate (i.e. the Rollover Certificate). This
is done via the GetNextCACert message. There is no request data
associated with this message (see Section 5.2.6).
4.6.1. Get Next CA Response Message Format
The response consists of a SignedData PKCS#7 [RFC2315], signed by the
current CA (or RA) signing key.
Clients MUST validate the signature on the the SignedData PKCS#7
[RFC2315] before accepting any of its contents.
The content of the SignedData PKCS#7 [RFC2315] is a degenerate
certificates-only Signed-data (Section 3.3) message containing the
new CA certificate and any new RA certificates, as defined in
Section 5.2.1.1.2, to be used when the current CA certificate
expires.
If the CA (or RA) does not have the Rollover certificate(s) it MUST
reject the request. It SHOULD also remove the GetNextCACert setting
Pritikin, et al. Expires March 10, 2012 [Page 28]
�
Internet-Draft SCEP September 2011
from the capabilities until it does have rollover certificates.
If there are any RA certificates in this response, clients MUST check
that these RA certificates are signed by the CA, and MUST check
authorization of these RA certificates (see Section 2.1.3).
5. SCEP Transport
HTTP [RFC2616] is used as the transport protocol for SCEP Message
Objects.
5.1. HTTP "GET" Message Format
SCEP uses the HTTP "GET" messages to request information from the CA.
The following defines the syntax of a HTTP GET message sent from a
requester to a certification authority server:
"GET" CGI-PATH CGI-PROG "?operation=" OPERATION "&message=" MESSAGE
where:
o CGI-PATH defines the actual CGI path to invoke the CGI program
that parses the request.
o CGI-PROG is set to be the string "pkiclient.exe". This is
intended to be the program that the CA will use to handle the SCEP
transactions, though the CA may ignore CGI-PROG and use only the
CGI-PATH.
o OPERATION depends on the SCEP transaction and is defined in the
following sections.
o MESSAGE depends on the SCEP transaction and is defined in the
following sections.
If the CA supports it, requests SHOULD be done via an HTTP POST.
This is described in Appendix F.
5.1.1. Response Message Format
For each GET operation, the CA/RA server MUST return a Content-Type
and appropriate response data, if any.
5.2. SCEP HTTP Messages
This section describes the OPERATION and MESSAGE values for SCEP
exchanges.
Pritikin, et al. Expires March 10, 2012 [Page 29]
�
Internet-Draft SCEP September 2011
5.2.1. GetCACert
The OPERATION MUST be set to "GetCACert".
The MESSAGE MAY be omitted, or it MAY be a string that represents the
certification authority issuer identifier. A CA Administrator
defined string allows for multiple CAs supported by one SCEP server.
5.2.1.1. GetCACert Response
The response for GetCACert is different between the case where the CA
directly communicates with the requester during the enrollment, and
the case where a RA exists and the requester communicates with the RA
during the enrollment.
5.2.1.1.1. CA Certificate Only Response
The response will have a Content-Type of "application/
x-x509-ca-cert".
The body of this response consists of an X.509 CA certificate, as
defined in Section 4.1.1.1.
"Content-Type:application/x-x509-ca-cert\n\n"<binary X.509>
5.2.1.1.2. CA and RA Certificates Response
The response will have a Content-Type of "application/
x-x509-ca-ra-cert".
The body of this response consists of a degenerate certificates-only
PKCS#7 Signed-data (Section 3.3) containing both CA and RA
certificates, as defined in Section 4.1.1.2.
"Content-Type:application/x-x509-ca-ra-cert\n\n"<binary PKCS#7>
5.2.2. PKCSReq
The OPERATION MUST be set to "PKIOperation".
The MESSAGE consists of a PKCSReq SCEP message. The message is
"base64" encoded as specified in [RFC4648] Section 4. The "base64"
encoded data is distinct from "base64url" and may contain URI
reserved characters, thus it MUST be escaped as specified in
[RFC2396].
An example PKIOperation request might look as follows:
GET /cgi-bin/pkiclient.exe?operation=PKIOperation&message=MIAGCSqGSIb3D
QEHA6CAMIACAQAxgDCBzAIBADB2MGIxETAPBgNVBAcTCE ......AAAAAA== HTTP/1.0
Pritikin, et al. Expires March 10, 2012 [Page 30]
�
Internet-Draft SCEP September 2011
5.2.2.1. PKCSReq Response
The response will have a Content-Type of "application/x-pki-message".
The body of this response consists of a CertRep SCEP message defined
in Section 4.2.1. The following is an example of the response:
"Content-Type:application/x-pki-message\n\n"<binary CertRep msg>
5.2.3. GetCertInitial
The OPERATION MUST be set to "PKIOperation".
The MESSAGE consists of a GetCertInitial SCEP message. The message
is "base64" encoded as specified in [RFC4648] Section 4. The
"base64" encoded data is distinct from "base64url" and may contain
URI reserved characters, thus it MUST be escaped as specified in
[RFC2396].
5.2.3.1. GetCertInitial Response
The body of this response consists of a CertRep SCEP message defined
in Section 4.3.1.
5.2.4. GetCert
The OPERATION MUST be set to "PKIOperation".
The MESSAGE consists of a GetCert SCEP message. The message is
"base64" encoded as specified in [RFC4648] Section 4. The "base64"
encoded data is distinct from "base64url" and may contain URI
reserved characters, thus it MUST be escaped as specified in
[RFC2396].
5.2.4.1. GetCert Response
The body of this response consists of a CertRep SCEP message defined
in Section 4.4.1.
5.2.5. GetCRL
The OPERATION MUST be set to "PKIOperation".
The MESSAGE consists of a GetCRL SCEP message. The message is
"base64" encoded as specified in [RFC4648] Section 4. The "base64"
encoded data is distinct from "base64url" and may contain URI
reserved characters, thus it MUST be escaped as specified in
[RFC2396].
Pritikin, et al. Expires March 10, 2012 [Page 31]
�
Internet-Draft SCEP September 2011
5.2.5.1. GetCRL Response
The body of this response consists of a CertRep SCEP message defined
in Section 4.5.1.
5.2.6. GetNextCACert
The OPERATION MUST be set to "GetNextCACert".
The MESSAGE MAY be ommitted, or it MAY be a string that represents
the certification authority issuer identifier, if such has been set
by the CA Administrator.
5.2.6.1. GetNextCACert Response
The response will have a Content-Type of "application/
x-x509-next-ca-cert".
The body of this response consists of a SignedData PKCS#7 [RFC2315],
as defined in Section 4.6.1. (This is similar to the GetCert
response but does not include any of the attributes defined in
Section 3.1.1.)
"Content-Type:application/x-x509-next-ca-cert\n\n"
<binary PKCS#7>
6. Contributors/Acknowledgements
The editor would like to thank all the previous editors, authors and
contributors: Cheryl Madson, Xiaoyi Liu, David McGrew, David Cooper,
Andy Nourse etc for their work maintaining the draft over the years.
Numerous other people have contributed during the long life cycle of
the draft and all deserve thanks.
The authors would like to thank Peter William of ValiCert, Inc.
(formerly of VeriSign, Inc.) and Alex Deacon of VeriSign, Inc. and
Christopher Welles of IRE, Inc. for their contributions to early
versions of this protocol and this document.
7. IANA Considerations
This memo includes no request to IANA.
8. Security Considerations
The security goals of SCEP are that no adversary can:
Pritikin, et al. Expires March 10, 2012 [Page 32]
�
Internet-Draft SCEP September 2011
o subvert the public key/identity binding from that intended,
o discover the identity information in the enrollment requests and
issued certificates,
o cause the revocation of certificates with any non-negligible
probability.
Here an adversary is any entity other than the requester and the CA
(and optionally the RA) participating in the protocol. The adversary
is computationally limited, but that can manipulate data during
transmission (that is, can act as a man-in-the-middle). The precise
meaning of 'computationally limited' depends on the implementer's
choice of one-way hash functions and cryptographic algorithms.
Reflecting the historical nature of this document the mandatory to
implement algorithms are RSA, DES and MD5. Depending on the CA
capabilities, Triple-DES [TripleDES] SHOULD be used instead of DES,
and SHA-1, SHA-256, or SHA-512 SHOULD be used instead of MD5 (see
Appendix C).
The first and second goals are met through the use of PKCS#7
[RFC2315] and PKCS#10 [RFC2986] encryption and digital signatures
using authenticated public keys. The CA's public key is
authenticated via the checking of the CA fingerprint, as specified in
Section 2.1.2, and the SCEP client's public key is authenticated
through the manual authentication or pre-shared secret
authentication, as specified in Section 2.2. The third goal is met
through the use of a challenge password for revocation, which is
chosen by the SCEP client and communicated to the CA protected by the
PKCS#7 [RFC2315] encryptedData, as specified in Section 2.8.
The motivation of the first security goal is straightforward. The
motivation for the second security goal is to protect the identity
information in the enrollment requests and issued certificates.
Subsequent protocols can use the certificate in ways that either
expose the identity information, or protect it, depending on the
security requirements of those protocols. The motivation for the
third security goal is to protect the SCEP clients from denial of
service attacks.
8.1. General Security
Common key-management considerations such as keeping private keys
truly private and using adequate lengths for symmetric and asymmetric
keys must be followed in order to maintain the security of this
protocol.
This is especially true for CA keys, which, when compromised,
Pritikin, et al. Expires March 10, 2012 [Page 33]
�
Internet-Draft SCEP September 2011
compromise the security of all relying parties.
8.2. Use of the CA keypair
A CA key pair is generally meant for (and is usually flagged as)
certificate signing ("keyCertSign") exclusively, rather than data
signing ("digitalSignature") or data encryption
("dataEnchipherment"). The SCEP protocol, however, uses the CA
private key to both encrypt and sign PKCS#7 [RFC2315] transport
messages. This is generally considered undesirable, as it widens the
possibility of an implementation weakness, and provides
o another place that the private key must be used (and hence is
slightly more vulnerable to exposure),
o another place where a side channel attack (say, timing or power
analysis) might be used,
o another place that the attacker might somehow insert his own text,
and get it signed by the private key.
While the CA key pair can be generated with the data encryption and
data signing flags set, this is operationally not encouraged. It
would make using the key as a PKCS#7 [RFC2315] transport key 'legal',
but the discussion from the previous paragraph still applies.
A solution is to use RA keys to secure the SCEP transport (i.e.
message signing and encrypting), which allows the CA keys to be used
only for their intended purpose of certificate signing.
An RA can be implemented in two ways: physically separate or
implicit. In the implicit case, the CA simply creates an extra key
pair. A physically separate RA allows the CA to be inside the secure
network, not accessible to hackers at all.
8.3. ChallengePassword
The challengePassword sent in the PKCS#10 enrollment request is
signed and encrypted by way of being encapsulated in a pkiMessage.
When saved by the CA, care should be taken to protect this password.
If the challengePassword is used to automatically authenticate an
enrollment request, it is recommended that some form of one-time
password be used to minimize damage in the event the data is
compromised.
Pritikin, et al. Expires March 10, 2012 [Page 34]
�
Internet-Draft SCEP September 2011
8.4. transactionID
A well-written CA/RA SHOULD NOT rely on the transactionID to be
correct or as specified in this document. Requesters with buggy
software might add additional undetected duplicate requests to the
CA's queue (or worse). A well-written CA/RA should never assume the
data from a requester is well-formed.
8.5. Nonces and Replay
In order to detect replay attacks, both sides need to maintain state
information sufficient to detect an unexpected nonce value.
Since existing implementations do not copy the senderNonce from a
CertRep into subsequent GetCertinitial requests, the server will
never see its own nonce reflected back to it. The transactionID can
be used to link together the GetCertInitial and PKCSReq messages.
8.6. Key Usage Issues
Key pairs may be intended for particular purposes, such as encryption
only or signing only. The usage of any associated certificate can be
restricted by adding key usage and extended key usage attributes to
the PKCS#10 [RFC2986]. If key usage is not present, the public key
is assumed to be a general purpose key that may be used for all
purposes.
When building a pkiMessage, clients MUST have a certificate to sign
the PKCS#7 [RFC2315] signed-data (because PKCS#7 [RFC2315] requires
it). Clients MUST either use an existing certificate, or create a
self-signed certificate (see Section 2.3). If the certificate has a
key usage extension in it, then both the SCEP client and SCEP server
MUST ignore the key usage for the duration of the transaction (the
key will be used for signing during the creation of the PKCSReq
message, and for encryption during the creation of the CertRep
message).
8.7. GetCACaps Issues
The GetCACaps response is not signed. This allows an attacker to use
downgrade attacks (as well as "upgrade attacks") on the cryptographic
capabilities of the CA.
8.8. Unnecessary cryptography
Some of the SCEP exchanges use signing and encryption operations that
are not necessary. In particular the GetCert and GetCRL exchanges
are encrypted and signed in both directions. The information
Pritikin, et al. Expires March 10, 2012 [Page 35]
�
Internet-Draft SCEP September 2011
requested is public and thus signing the requests is of questionable
value but also CRLs and Certificates, i.e. the respective responses,
are already signed by the CA and can be verified by the recipient
without requiring additional signing and encryption.
This may affect performance and scalability of the CA and could be
used as an attack vector on the CA (though not an anonymous one).
The use of CDPs is recommended for CRL access, as well as other ways
of retrieving certificates (LDAP, direct HTTP access, etc.).
8.9. GetNextCACert
Servers implementing early versions of the SCEP draft might return an
unsigned GetNextCACert response by erroneously mirroring the
(unsigned) functionality of GetCACert. Client receiving such
responses MUST ignored them.
GetNextCACert depends on a 'flag moment' at which every client in the
PKI infrastructure switches from the current CA certificate (and
client certificate) to the new CA certificate and client
certificates. Proper monitoring of the network infrastructure can
ensure that this will proceed as expected but any errors in
processing or implementation can result in a failure of the PKI
infrastructure.
9. References
9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2315] Kaliski, B., "PKCS #7: Cryptographic Message Syntax
Version 1.5", RFC 2315, March 1998.
[RFC2396] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifiers (URI): Generic Syntax", RFC 2396,
August 1998.
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
[RFC2985] Nystrom, M. and B. Kaliski, "PKCS #9: Selected Object
Classes and Attribute Types Version 2.0", RFC 2985,
November 2000.
Pritikin, et al. Expires March 10, 2012 [Page 36]
�
Internet-Draft SCEP September 2011
[RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification
Request Syntax Specification Version 1.7", RFC 2986,
November 2000.
[RFC4210] Adams, C., Farrell, S., Kause, T., and T. Mononen,
"Internet X.509 Public Key Infrastructure Certificate
Management Protocol (CMP)", RFC 4210, September 2005.
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, October 2006.
[RFC5272] Schaad, J. and M. Myers, "Certificate Management over CMS
(CMC)", RFC 5272, June 2008.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008.
[TripleDES]
"ANSI X9.52-1998, Triple Data Encryption Algorithm Modes
of Operation", 1998.
9.2. Informative References
[RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange
(IKE)", RFC 2409, November 1998.
[RFC4306] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
RFC 4306, December 2005.
[RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.1", RFC 4346, April 2006.
[RFC4945] Korver, B., "The Internet IP Security PKI Profile of
IKEv1/ISAKMP, IKEv2, and PKIX", RFC 4945, August 2007.
Appendix A. Private OID Definitions
The OIDs used in SCEP are VeriSign self-maintained OIDs.
Pritikin, et al. Expires March 10, 2012 [Page 37]
�
Internet-Draft SCEP September 2011
+-------------------+-----------------------------------------------+
| Name | ASN.1 Definition |
+-------------------+-----------------------------------------------+
| id-VeriSign | OBJECT_IDENTIFIER ::= {2 16 US(840) 1 |
| | VeriSign(113733)} |
| id-pki | OBJECT_IDENTIFIER ::= {id-VeriSign pki(1)} |
| id-attributes | OBJECT_IDENTIFIER ::= {id-pki attributes(9)} |
| id-messageType | OBJECT_IDENTIFIER ::= {id-attributes |
| | messageType(2)} |
| id-pkiStatus | OBJECT_IDENTIFIER ::= {id-attributes |
| | pkiStatus(3)} |
| id-failInfo | OBJECT_IDENTIFIER ::= {id-attributes |
| | failInfo(4)} |
| id-senderNonce | OBJECT_IDENTIFIER ::= {id-attributes |
| | senderNonce(5)} |
| id-recipientNonce | OBJECT_IDENTIFIER ::= {id-attributes |
| | recipientNonce(6)} |
| id-transId | OBJECT_IDENTIFIER ::= {id-attributes |
| | transId(7)} |
| id-extensionReq | OBJECT_IDENTIFIER ::= {id-attributes |
| | extensionReq(8)} |
+-------------------+-----------------------------------------------+
Appendix B. SCEP State Transitions
SCEP state transitions are indexed by the transactionID attribute.
The design goal is to ensure the synchronization between the CA and
the requester under various error situations.
Each enrollment transaction is uniquely associated with a transaction
identifier (carried in the transactionID signed attribute (see
Section 3.1.1.1). Because the enrollment transaction could be
interrupted by various errors, including network connection errors or
client reboot, the SCEP client generates a transaction identifier by
calculating a hash on the public key value for which the enrollment
is requested. The requester generates the transaction identifier
which is included in PKCSReq. If the CA returns a response of
PENDING, the requester will poll by periodically sending out
GetCertInitial with the same transaction identifier until either a
response other than PENDING is obtained, or the configured maximum
time has elapsed. This mechanism retains the same transaction
identifier throughout the enrollment transaction.
If the client times out or the client reboots, the client
administrator will start another enrollment transaction with the same
key pair. The second enrollment will have the same transaction
identifier. At the server side, instead of accepting the PKCSReq as
Pritikin, et al. Expires March 10, 2012 [Page 38]
�
Internet-Draft SCEP September 2011
a new enrollment request, it can respond as if another GetCertInitial
message had been sent with that transaction ID. The second PKCSReq
should be taken as a resynchronization message to allow the
enrollment to resume as the same transaction.
The following gives several examples of client to CA transactions.
Client actions are indicated in the left column, CA actions are
indicated in the right column. A blank action signifies that no
message was received.
The first transaction, for example, would read like this:
"Client Sends PKCSReq message with transaction ID 1 to the CA. The
CA signs the certificate and constructs a CertRep Message containing
the signed certificate with a transaction ID 1. The client receives
the message and installs the certificate locally."
Successful Enrollment Case: no manual authentication
PKCSReq (1) ----------> CA Signs Cert
Client Installs Cert <---------- CertRep (1) SIGNED CERT
Successful Enrollment Case: manual authentication required
PKCSReq (10) ----------> Cert Request goes into Queue
Client Polls <---------- CertRep (10) PENDING
GetCertInitial (10) ----------> Still pending
Client Polls <---------- CertRep (10) PENDING
GetCertInitial (10) ----------> Still pending
Client Polls <---------- CertRep (10) PENDING
GetCertInitial (10) ----------> Still pending
Client Polls <---------- CertRep (10) PENDING
GetCertInitial (10) ----------> Cert has been signed
<---------- CertRep (10) SIGNED CERT
Client Installs Cert
Resync Case 1 - CA Receives PKCSReq, sends PENDING, eventually grants
the certificate and returns SUCCESS, with the certificate. The
SUCCESS gets lost:
PKCSReq (3) ----------> Cert Request goes into queue
<---------- CertRep (3) PENDING
GetCertInitial (3) ----------> Still pending
<---------- CertRep (3) PENDING
GetCertInitial (3) -----------> Cert has been signed
X-------- CertRep(3) SIGNED CERT
(Time Out)
PKCSReq (3) ----------> Cert already granted
<---------- CertRep (3) SIGNED CERT
Client Installs Cert
Pritikin, et al. Expires March 10, 2012 [Page 39]
�
Internet-Draft SCEP September 2011
Resync Case 2 - CA Receives PKCSReq, sends PENDING, PENDING reply
gets lost:
PKCSReq (3) ----------> Cert Request goes into queue
X-------- CertRep (3) PENDING
(Time Out)
PKCSReq (3) ---------->
<---------- CertRep (3) PENDING
etc...
Case when the Certificate is lost, the CA arbitrarily refuses to sign
a replacement (enforcing name-uniqueness) until the original
certificate has been revoked (there is no change of name
information):
PKCSReq (4) ----------> CA Signs Cert
<---------- CertRep (4) SIGNED CERT
Client Installs Cert
(Client looses Cert)
PKCSReq (5) ----------> There is already a valid cert with
this DN.
<---------- CertRep (5) BAD REQUEST
Admin Revokes
PKCSReq (5) ----------> CA Signs Cert
<---------- CertRep (5) SIGNED CERT
Client Installs Cert
Appendix C. CA Capabilities
C.1. GetCACaps HTTP Message Format
"GET" CGI-PATH CGI-PROG "?operation=GetCACaps" "&message=" CA-IDENT
This message requests capabilities from CA. The response is a list
of text capabilities, as defined in Appendix C.2. CA servers SHOULD
support the GetCACaps message and MUST support it when they support
certificate renewal using the method described in Appendix D.
C.2. CA Capabilities Response Format
The response for a GetCACaps message is a list of CA capabilities, in
plain text, separated by <LF> characters, as follows (quotation marks
are NOT sent):
Pritikin, et al. Expires March 10, 2012 [Page 40]
�
Internet-Draft SCEP September 2011
+--------------------+----------------------------------------------+
| Keyword | Description |
+--------------------+----------------------------------------------+
| "GetNextCACert" | CA Supports the GetNextCACert message. |
| "POSTPKIOperation" | PKIOPeration messages may be sent via HTTP |
| | POST. |
| "Renewal" | Clients may use current certificate and key |
| | to authenticate an enrollment request for a |
| | new certificate. |
| "SHA-512" | CA Supports the SHA-512 hashing algorithm. |
| "SHA-256" | CA Supports the SHA-256 hashing algorithm. |
| "SHA-1" | CA Supports the SHA-1 hashing algorithm. |
| "DES3" | CA Supports the Triple-DES encryption |
| | algorithm. |
+--------------------+----------------------------------------------+
The client SHOULD use SHA-1, SHA-256, or SHA-512 in preference to MD5
hashing if it is supported by the CA.
The server MUST use the texual case specified here, but clients
SHOULD ignore the textual case when processing this message. A
client MUST be able to accept and ignore any unknown keywords that
might be sent back by a CA.
If the CA supports none of the above capabilities the SCEP server
SHOULD return an empty message. A server MAY simply return an HTTP
Error. A client that receives an empty message or an HTTP error
SHOULD interpret the response as if none of the requested
capabilities are supported by the CA.
The Content-type of the reply SHOULD be "text/plain". Clients SHOULD
ignore the Content-type, as older server implementations of SCEP may
send various Content-types.
Example:
GET /cgi-bin/pkiclient.exe?operation=GetCACaps&message=myca
might return:
GetNextCACert<LF>POSTPKIOperation
This means that the CA supports the GetNextCACert message and allows
PKIOperation messages (PKCSreq, GetCert, GetCertInitial, ...) to be
sent using HTTP POST.
Appendix D. Client Certificate Renewal
An enrollment request that occurs more than halfway through the
Pritikin, et al. Expires March 10, 2012 [Page 41]
�
Internet-Draft SCEP September 2011
validity period of an existing certificate for the same subject name
and key usage MAY be interpreted as a re-enrollment or renewal
request and be accepted. A new certificate with new validity dates
can be issued, even though the old one is still valid, if the CA
policy permits. The server MAY automatically revoke the old client
certificate. Clients MUST use GetCACaps (see Appendix C) to
determine if the CA supports renewal. Clients MUST support servers
that do not implement renewal, or that reject renewal requests.
To renew a client certificate, the client uses the PKCSreq message
and signs it with the existing client certificate. The client SHOULD
use a new keypair when requesting a new certificate. The client MAY
request a new certicate using the old keypair.
Appendix E. CA Key Rollover
When the CA certificate expires all certificates that have been
signed by it are no longer valid. CA key rollover provides a
mechanism by which the server MAY distribute a new CA certificate
which is valid in the future; when the current certificate has
expired. Clients MUST use GetCACaps (see Appendix C) to determine if
the CA supports GetNextCACert.
To obtain the new CA certificate prior to the expiration of the
current one, the client uses the GetNextCACert message.
To obtain a new client certificate signed by the new CA certificate,
use the new CA or RA certificate in the PKCSreq message envelope.
Clients MUST store the not-yet-valid CA certificate, and any not-yet-
valid client certificates obitained, until such time that they are
valid. At which point clients switch over to using the newly valid
certificates.
Example:
GetNextCACert ---------->
<---------- New CA certificate
PKCSReq* ----------> CA Signs certificate with NEW key
Client Stores Cert <---------- CertRep - Certificate issued
for installation when from NEW CA certificate and key pair
existing cert expires.
*enveloped for new CA or RA cert and key pair. The CA will use the
envelope to determine which key and certificate to use to issue the
client certificate.
Pritikin, et al. Expires March 10, 2012 [Page 42]
�
Internet-Draft SCEP September 2011
Appendix F. PKIOperation via HTTP POST Message
If the remote CA supports it, any of the PKCS#7 [RFC2315]-encoded
SCEP messages may be sent via HTTP POST instead of HTTP GET. This is
allowed for any SCEP message except GetCACert, GetNextCACert, or
GetCACaps. In this form of the message, base64 encoding is not used.
POST /cgi-bin/pkiclient.exe?operation=PKIOperation HTTP/1.0
Content-Length: <length of data>
<binary PKCS#7 data>
General POST Syntax
The client can verify that the CA supports SCEP messages via POST by
looking for the "POSTPKIOperation" capability (See Appendix C).
Authors' Addresses
Max Pritikin (editor)
Cisco Systems, Inc
Email: pritikin@cisco.com
Andrew Nourse
Cisco Systems, Inc
Email: nourse@cisco.com
Jan Vilhuber
Cisco Systems, Inc
Email: vilhuber@cisco.com
Pritikin, et al. Expires March 10, 2012 [Page 43]
�
