Linux Manual Configuration

Configuring SCEP certificate on a Linux machine


Work in Progress: Document under development, not final.

  1. Install 'certmonger'

Certmonger is a certificate manager package. Open a Linux terminal and type the following command:
sudo apt install certmonger

  2. Add the Foxpass server certificate to the filesystem

  • Get the Foxpass server certificate, which is listed under Server Certificate Authorities (note: get the certificate signed by the "active" CA).
  • Place it at the following path, named as shown: /etc/ssl/api_foxpass_com.crt
  3. Add the client CA certificate to the filesystem

The SCEP unique endpoint can be found on the SCEP page. Obtain the CA certificate from the EAP-TLS page and save it to /etc/ssl/api_foxpass_com_ca.crt by using the following command:

sudo /usr/lib/certmonger/scep-submit -u <SCEP-UNIQUE-ENDPOINT> -R /etc/ssl/api_foxpass_com.crt -C > /etc/ssl/api_foxpass_com_ca.crt

  4. Tell certmonger about the certificate

sudo getcert add-scep-ca -c foxpass -u <SCEP-UNIQUE-ENDPOINT> -R /etc/ssl/api_foxpass_com.crt [-r /etc/ssl/api_foxpass_com_ca.crt] -N /etc/ssl/api_foxpass_com_ca.crt

  5. Create the private key and request the signed certificate using a PIN you choose

sudo getcert request -k <private key file> -f <public key file> -c foxpass -N $(hostname) -E <EMAIL> -w -L <Challenge Phrase> -m 600 -P <PIN>

  6. Add the SSID to the network (optional; it can also be entered manually via the GUI)

nmcli c add type wifi ifname <wifi NIC> con-name '<Name>' \
802-11-wireless.ssid '<SSID>' \
802-11-wireless-security.key-mgmt wpa-eap \
802-1x.eap tls \
802-1x.identity '<identity>' \
802-1x.ca-cert /etc/ssl/api_foxpass_com_ca.crt \
802-1x.client-cert <public key file> \
802-1x.private-key <private key file> \
802-1x.private-key-password <PIN>
  7. Tips

  • Make sure you have the necessary permissions for the api_foxpass_com.crt file.
  • If you run into an error like verify error:num=20:unable to get local issuer certificate in Step 3, make sure the certificate authorities on your Linux system are up to date. If not, update the package and the CA certificates:
  1. sudo apt update
  2. sudo apt install ca-certificates
  3. sudo update-ca-certificates
  • If you don't want the private key to have a password, remove 802-1x.private-key-password <PIN> and add this parameter instead:
  1. 802-1x.private-key-password-flags 4
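Steps 1 to 6 above, together with the no-password tip, collected into one script. This is an added example, not part of the Foxpass documentation or its tooling. It assumes the key and certificate locations under /etc/ssl shown as placeholders, takes the SCEP unique endpoint, challenge phrase, PIN and identity from the environment, leaves out the optional -r argument of step 4, and defaults to DRY_RUN=1 so it only prints each command for review. Step 2 (downloading the server certificate) stays manual; the script only checks that the file is present, readable and PEM-encoded, which is also the check worth running on the CA file after step 3, since a num=20 verify failure leaves it empty.

```shell
#!/bin/sh
# Added example, not part of the Foxpass documentation: a wrapper that runs the
# enrolment steps above in order. DRY_RUN=1 (the default) only prints each
# command so it can be reviewed before anything touches certmonger or NetworkManager.
# Every path, URL and address below is an assumption or placeholder; replace it.
set -eu

SCEP_URL="${SCEP_URL:-https://scep.example.invalid/PLACEHOLDER-UNIQUE-ID}"  # SCEP unique endpoint
SERVER_CERT="${SERVER_CERT:-/etc/ssl/api_foxpass_com.crt}"
CA_CERT="${CA_CERT:-/etc/ssl/api_foxpass_com_ca.crt}"
KEY_FILE="${KEY_FILE:-/etc/ssl/private/foxpass_client.key}"   # assumed location
CERT_FILE="${CERT_FILE:-/etc/ssl/foxpass_client.crt}"         # assumed location
CHALLENGE="${CHALLENGE:-}"   # SCEP challenge phrase, passed in via the environment
PIN="${PIN:-}"               # private-key PIN; empty means "no password"
EMAIL="${EMAIL:-user@example.invalid}"
DRY_RUN="${DRY_RUN:-1}"

# run CMD...: print the command in DRY_RUN mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '+'; printf ' %s' "$@"; printf '\n'
    else
        "$@"
    fi
}

# check_pem_cert FILE: succeed only if FILE is readable and holds a PEM certificate.
# Catches the unreadable-file and empty-CA-file cases mentioned in the Tips.
check_pem_cert() {
    [ -r "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# nmcli_connect IFACE NAME SSID IDENTITY PIN: step 6. With an empty PIN it sets
# 802-1x.private-key-password-flags 4 (Tips) instead of a password property.
nmcli_connect() {
    _identity=$4; _pin=$5
    set -- c add type wifi ifname "$1" con-name "$2" \
        802-11-wireless.ssid "$3" \
        802-11-wireless-security.key-mgmt wpa-eap \
        802-1x.eap tls \
        802-1x.identity "$_identity" \
        802-1x.ca-cert "$CA_CERT" \
        802-1x.client-cert "$CERT_FILE" \
        802-1x.private-key "$KEY_FILE"
    if [ -n "$_pin" ]; then
        set -- "$@" 802-1x.private-key-password "$_pin"
    else
        set -- "$@" 802-1x.private-key-password-flags 4
    fi
    run sudo nmcli "$@"
}

# enroll IFACE NAME SSID IDENTITY: steps 1 to 6 from the page, in order.
enroll() {
    run sudo apt install -y certmonger                                   # step 1
    if ! check_pem_cert "$SERVER_CERT"; then                             # step 2 (manual download)
        echo "server certificate missing or unreadable: $SERVER_CERT" >&2
        return 1
    fi
    if [ "$DRY_RUN" = 1 ]; then                                          # step 3
        echo "+ sudo /usr/lib/certmonger/scep-submit -u $SCEP_URL -R $SERVER_CERT -C > $CA_CERT"
    else
        sudo /usr/lib/certmonger/scep-submit -u "$SCEP_URL" -R "$SERVER_CERT" -C > "$CA_CERT"
        check_pem_cert "$CA_CERT"   # a verify error (num=20) leaves this file empty
    fi
    run sudo getcert add-scep-ca -c foxpass -u "$SCEP_URL" \
        -R "$SERVER_CERT" -N "$CA_CERT"                                  # step 4
    run sudo getcert request -k "$KEY_FILE" -f "$CERT_FILE" -c foxpass \
        -N "$(hostname)" -E "$EMAIL" -w -L "$CHALLENGE" -m 600 -P "$PIN"  # step 5
    nmcli_connect "$1" "$2" "$3" "$4" "$PIN"                             # step 6
}

# Only act when explicitly asked, e.g.: RUN_ENROLL=1 DRY_RUN=0 PIN=... sh enroll.sh
if [ "${RUN_ENROLL:-0}" = 1 ]; then
    enroll "${IFACE:-wlan0}" "${CONN_NAME:-Foxpass}" "${SSID:-CorpWiFi}" "${IDENTITY:-$EMAIL}"
fi
```

Run it once with the default DRY_RUN=1 to see the exact commands it would issue; the PIN and challenge phrase are printed in that mode, so review the output on the terminal rather than logging it. Passing an empty PIN drops the password property and sets the flags value from the Tips, which is the only difference between the two nmcli invocations.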