Requesting Endpoint Certificates Using SCEP (Enterprise)
Simple Certificate Enrollment Protocol (SCEP) simplifies the retrieval and installation of digital certificates by letting devices obtain certificates automatically from a SCEP server. Management Console supports SCEP requests for different certificates on client and host endpoints. Administrators of Management Console Enterprise can view SCEP-issued certificate information from the dashboard and may now see a certificate status of NOT APPLICABLE or NOT REQUESTED on the ENDPOINTS page when the certificate status column is displayed.
SCEP-requested certificate information can be viewed from the Dashboard, ENDPOINTS, and ENDPOINT CERTIFICATES pages.
This topic covers creating, viewing, editing and deleting a certificate rule, and how to initiate a certificate request using SCEP.
Note: Upgrading to firmware 21.07
For deployments using SCEP-issued certificates, Management Console must be upgraded to version 21.07 or newer before upgrading endpoints to firmware 21.07.
Conditions for Certificate Requests using SCEP
The following conditions apply when performing a certificate request using SCEP:
- See Obtaining Certificates Using SCEP for complete information on SCEP behaviors.
- SCEP certificate renewal requests occur sequentially at 1 hour intervals once the renewal setting has been reached. The first request must complete successfully before renewal of the next certificate is initiated. If unsuccessful, the renewal request for the first certificate is attempted again. Administrators should periodically review the validity period of the SCEP certificates to ensure that renewals were successful and the certificates do not expire.
- The PCoIP endpoint must have NTP properly configured.
- The renewal period must be less than the validity period of the certificate.
- A certificate usage can be used once in a rule per group.
- A group can only be associated with one certificate rule.
- Management Console displays information for one certificate on the ENDPOINT DETAILS page. You can review all certificates for an endpoint by reviewing the rules created on the ENDPOINT CERTIFICATES page that apply to your endpoint's group.
- Remote Workstation Cards must be running firmware 21.07 or newer.
- Zero Clients running firmware prior to 21.07:
  - Request 802.1X usage certificates only. Rules that include Administrative Web Interface usage certificates will not initiate the AWI certificate request, but will initiate an included 802.1X certificate request.
  - The Request Certificate button will not activate if the rule is only for AWI certificate usage, and the ENDPOINTS page certificate status column will display NOT APPLICABLE.
- Endpoints running firmware 21.07 or newer:
  - Users can request all certificate usages available for that version of firmware.
  - Initially the status shows NOT REQUESTED on the ENDPOINTS page.
  - Users will see the information of only one certificate on the ENDPOINT DETAILS and ENDPOINTS pages after completion of the request, even if multiple certificates are requested.
Note: Certificate status for SCEP certificate request times
The certificate status updates after the SCEP requests complete, which usually takes between 5 and 20 minutes.
SCEP Requested Certificate Usages
Certificate requests using SCEP are available for the following certificate usages:
- 802.1X: Allows you to use SCEP to request a custom certificate to authenticate PCoIP endpoints in your 802.1X configuration.
- Administrative Web Interface (AWI): Allows you to use SCEP to request a custom certificate to access the Administrative Web Interface (AWI).
- Peer-to-peer Max Compatibility: Allows you to use SCEP to automatically request a custom certificate that allows secure negotiation using any of the common cipher suites, offering flexibility for your network security requirements.
- Peer-to-peer Suite B: Used in environments requiring Suite B cryptography. Allows you to use SCEP to automatically request a custom certificate offering the greatest security for negotiating session connections with a PCoIP endpoint.
- Syslog TCP/TLS: Certificates used to ensure a secure connection to your Syslog server.
  Select the Syslog Connection Type according to your security policies. If using Syslog TCP/TLS secure connections to your Syslog server, enable the Syslog Enable Metadata setting to tag every syslog entry with the PCoIP Device Name and Generic Tag. Add the client certificate for TCP with TLS syslog connections that require Mutual Authentication (Server and Client). See Syslog TCP/TLS Authentication in the Uploading Certificates topic of the Zero Client Administrators' Guide.
Tip: Organize endpoints into groups
Before you create an endpoint certificate rule, organize your endpoints into groups. See Organizing Endpoints into Groups.
SCEP Feature Support Matrix
| SCEP Issued Certificate Improvements | Management Console Version | Zero Client Firmware | Remote Workstation Card Firmware |
| --- | --- | --- | --- |
| 802.1X certificate usage | All Versions | All Versions | 21.07+ |
| AWI certificate usage | 21.07+ | 21.07+ | 21.07+ |
| Peer-to-peer Max Compatibility certificate usage | 22.04+ | 22.01+ | 22.01+ |
| Peer-to-peer Suite B certificate usage | 22.04+ | 22.01+ | 22.01+ |
| Automatic Renewal Period feature addition | 22.04+ | 22.01+ | 22.01+ |
| Syslog TCP/TLS certificate usage | 22.07+ | 22.07+ | 22.07+ |
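The conditions listed above and the support matrix are easy to get wrong when planning rules for a mixed fleet, so here is an added pre-flight checker (example code written for this page, not Management Console code). It encodes the matrix as minimum versions, checks a planned rule set against the one-rule-per-group, one-usage-per-rule and renewal-shorter-than-validity conditions, and predicts whether an endpoint will show NOT REQUESTED or NOT APPLICABLE; the `Rule` model, the usage keys and the `validity_days` field are assumptions, since the console does not expose rules in this form.

```python
from dataclasses import dataclass

# Minimum (Management Console, Zero Client firmware, Remote Workstation Card
# firmware) versions per certificate usage, transcribed from the page's
# feature support matrix; "All Versions" is written as (0, 0).
MIN_VERSION = {
    "802.1X":      ((0, 0), (0, 0), (21, 7)),
    "AWI":         ((21, 7), (21, 7), (21, 7)),
    "P2P_MAX":     ((22, 4), (22, 1), (22, 1)),
    "P2P_SUITE_B": ((22, 4), (22, 1), (22, 1)),
    "SYSLOG_TLS":  ((22, 7), (22, 7), (22, 7)),
}

@dataclass
class Rule:                 # assumed model of a console certificate rule
    name: str
    groups: list            # endpoint groups the rule applies to
    usages: list            # one SCEP request per certificate usage
    renewal_days: int = 0   # Auto Renewal period; 0 disables renewal
    validity_days: int = 365  # validity the CA issues (assumed, must be known)

def validate_rules(rules, console_version):
    """Return the conditions a planned rule set violates ([] means all satisfied)."""
    problems, group_owner = [], {}
    for r in rules:
        if len(set(r.usages)) != len(r.usages):
            problems.append(f"{r.name}: each usage may appear only once per rule")
        for g in r.groups:
            if g in group_owner:
                problems.append(f"{r.name}: group {g} already has rule {group_owner[g]}")
            group_owner[g] = r.name
        if r.renewal_days and r.renewal_days >= r.validity_days:
            problems.append(f"{r.name}: renewal period must be shorter than validity")
        for u in r.usages:
            if u not in MIN_VERSION:
                problems.append(f"{r.name}: unknown usage {u}")
            elif console_version < MIN_VERSION[u][0]:
                problems.append(f"{r.name}: {u} needs Management Console {MIN_VERSION[u][0]}+")
    return problems

def expected_status(rule, device, firmware):
    """Initial ENDPOINTS status for a 'zc' (Zero Client) or 'rwc' (Remote
    Workstation Card) at the given firmware version under this rule: NOT
    REQUESTED if any usage in the rule can be requested, else NOT APPLICABLE
    (e.g. an AWI-only rule on a pre-21.07 Zero Client)."""
    column = 1 if device == "zc" else 2
    requestable = [u for u in rule.usages if firmware >= MIN_VERSION[u][column]]
    return "NOT REQUESTED" if requestable else "NOT APPLICABLE"
```

Run `validate_rules` over the rules you intend to enter before creating them in the console; an empty list means none of the page's stated conditions are violated for that console version.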
To create an endpoint certificate rule
- Click ENDPOINT CERTIFICATES to display the CERTIFICATE MANAGEMENT window.
- Click NEW CERTIFICATE RULE.
- In the Groups field, click ADD to add a group that was set up on the ENDPOINTS page. If required, you can remove a group by highlighting it and clicking REMOVE.
- From the Request 1 tab, select the Certificate Usage.
- In the Server URI field, type the Uniform Resource Identifier (URI) of the SCEP server that is configured to issue certificates for the group.
- In the Server Password field, type the password for the SCEP server.
- In the CA Identifier field, type the certification authority issuer identifier if your SCEP server requires it (the CA Identifier is supported for devices running firmware 5.4 or later). A CA Identifier is any string that is understood by the SCEP server (for example, a domain name).
- Enter the Auto Renewal period in days. The default value is 0 (disabled).
- Click the + icon beside the Request 1 tab to add a different certificate usage request to the rule.
- Click SAVE.
You can add an additional SCEP request by selecting the plus tab. When all the different certificate usages are configured, the plus tab no longer appears.
To view an endpoint certificate rule
- Click ENDPOINT CERTIFICATES to display the CERTIFICATE MANAGEMENT window.
- Highlight the certificate rule whose details you want to review and click the View button.
From the view rule window, you can use the Next or Prev (previous) buttons to browse your rules while looking at the details of each rule. In deployments with many rules, you can jump to a rule using one of the drop-down menus, which list the first group of the groups used in each rule.
To edit an endpoint certificate rule
- Click ENDPOINT CERTIFICATES to display the CERTIFICATE MANAGEMENT window.
- Highlight the certificate rule you would like to edit.
- Click EDIT to revise the endpoint certificate rule.
- Click SAVE after you are finished making your edits.
To delete an endpoint certificate rule
- Click ENDPOINT CERTIFICATES to display the CERTIFICATE MANAGEMENT window.
- Highlight the certificate rule that you want to delete.
- Click DELETE.
- Confirm your deletion by clicking DELETE in the DELETE CERTIFICATE RULE dialog box.
Note: Deleting SCEP certificate rules
You can also delete a SCEP certificate rule using the DELETE button while editing or creating a rule.
Initiating a Certificate Request
Before requesting a certificate, a certificate rule for your endpoint must exist. If your endpoint is not part of a group the rule is applied to, the Request Certificate button will be deactivated.
You can use Management Console to request certificates for endpoints in four ways:
- Using the ENDPOINTS page
  - From the dashboard, click ENDPOINTS.
  - Highlight your endpoint or group of endpoints, and click ENDPOINTS > REQUEST CERTIFICATES.
- Using the ENDPOINT DETAILS page
  - From the dashboard, click ENDPOINTS.
  - Highlight your endpoint and click ENDPOINTS > DETAILS.
  - Click ENDPOINTS > REQUEST CERTIFICATES.
- Creating a schedule
  - From the dashboard, click SCHEDULE.
  - Select NEW SCHEDULE.
  - Select the Request Certificate type and all other requirements for your schedule.
  - Click SAVE. The request will initiate at the scheduled time.
  See Managing Schedules for further details on creating schedules.
- Creating an auto configuration rule
  - From the dashboard, click AUTO CONFIGURATION.
  - Click NEW RULE.
  - Ensure the Request Certificate checkbox is selected and configure all other values required for your auto configuration.
  - Click SAVE.
  See Auto Configuring Endpoints for further details on creating auto configuration rules.