
Extended SCEP certificate request

Note: Use this function to configure the SCEP agent with additional attributes that are not included with the scep.ini file.

The certificate request is created from the values in the scep.ini file and is available on the device in the file /setup/scep/clientreq.conf.in. This file is installed with SCEP as a template and contains the following entries by default:

    [req]
    prompt=no
    distinguished_name=req_distinguished_name
    string_mask=nombstr
    attributes=req_attributes

    [req_attributes]
    challengePassword=__CHALLENGEPASSWORD__

    [req_distinguished_name]
    C=__COUNTRY__
    ST=__STATE__
    L=__LOCALITY__
    O=__ORGANIZATION__
    OU=__OU__
    1.OU=__OU1__
    2.OU=__OU2__
    3.OU=__OU3__
    4.OU=__OU4__
    5.OU=__OU5__
    6.OU=__OU6__
    CN=__CN__

    [__X509V3__]
    subjectAltName=critical,__CNTYPE__:__ALTNAME__

The fields marked with underscores are parameters and are replaced by the relevant values in scep.ini.

If the attributes provided in the scep.ini are sufficient for your purposes, there is no need to edit the clientreq.conf.in file.

Extending certificate request with additional attributes

  1. Retrieve the /setup/scep/clientreq.conf.in file installed with SCEP from a device, for example by using the Diagnostics feature.
  2. Edit the file. Add any other OpenSSL sections and attributes. For further information, see https://www.openssl.org/docs/man1.0.2/man1/openssl-req.html
  3. Transfer the file to the relevant devices under /setup/scep/clientreq.conf.in by using the Scout feature Files configured for transfer.

This file, not the scep.ini, is the source for the certificate request. Only delete fields that you do not need.
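An added example, not part of the Unicon documentation or tooling: a Python check to run on an edited clientreq.conf.in before transferring it in step 3. It reports default placeholders that were removed, [req] references that point to a missing section, and a challengePassword written as a literal value. The names lint_template, DEFAULTS and EDITED, the sample file, and the choice of checks are assumptions of this example.

```python
import re

# Placeholder names of the default template as listed on this page.
DEFAULTS = set(
    "CHALLENGEPASSWORD COUNTRY STATE LOCALITY ORGANIZATION OU OU1 OU2 "
    "OU3 OU4 OU5 OU6 CN X509V3 CNTYPE ALTNAME".split())

# Constructed sample of an edited template containing two mistakes.
EDITED = """\
[req]
prompt=no
distinguished_name=req_distinguished_name
attributes=req_attrs
[req_attributes]
challengePassword=constructed-literal
[req_distinguished_name]
C=__COUNTRY__
O=__ORGANIZATION__
CN=__CN__
[__X509V3__]
subjectAltName=critical,__CNTYPE__:__ALTNAME__
extendedKeyUsage=clientAuth
"""

def parse(text):
    """Return {section: {key: value}} for an OpenSSL-style config."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if m := re.fullmatch(r"\[\s*(\S+)\s*\]", line):
            current = sections.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def lint_template(text):
    """Check an edited clientreq.conf.in before it is transferred."""
    cfg = parse(text)
    req = cfg.get("req", {})
    pw = cfg.get("req_attributes", {}).get("challengePassword", "")
    return {
        "dangling": sorted(k for k in ("distinguished_name", "attributes")
                           if req.get(k) not in cfg),
        "removed": sorted(DEFAULTS - set(re.findall(r"__([A-Z0-9]+)__", text))),
        "literal_password": bool(pw) and not re.fullmatch(r"__\w+__", pw),
    }

if __name__ == "__main__":
    print(lint_template(EDITED))
```

Review the "removed" list against the fields you intended to delete: because the edited file is the source for the request, a placeholder missing here no longer takes its value from scep.ini.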
