Install SCEP certificate on Linux

Configuring a SCEP-issued client certificate on a Linux machine with certmonger, for use with EAP-TLS Wi-Fi

🚧 Work in Progress: Document under development, not final.

  1. Install certmonger

    Certmonger is a certificate manager package that can enroll against a SCEP server and keep the certificate renewed. Open a Linux terminal and run:

    sudo apt install certmonger

  2. Add the Foxpass server certificate to the filesystem

    This captures the TLS certificate chain that api.foxpass.com presents, so certmonger can verify its HTTPS connection to the SCEP server in the following steps. The sed filter saves the chain whether or not openssl could verify it, so check that the output ends with "Verify return code: 0 (ok)" before trusting the saved file (see the Tips section if it does not).

    openssl s_client -showcerts -connect api.foxpass.com:443 </dev/null | sed -n -e '/-.BEGIN/,/-.END/ p' | sudo tee /etc/ssl/api_foxpass_com.crt >/dev/null

  3. Add the client CA certificate to the filesystem

    Your unique SCEP endpoint is shown on the SCEP page. Obtain the CA certificate from the SCEP server and save it to /etc/ssl/api_foxpass_com_ca.crt with the following command. The output goes through sudo tee because a plain shell redirect would run as your user and cannot write to /etc/ssl:

    sudo /usr/lib/certmonger/scep-submit -u https://api.foxpass.com/scep/<SCEP-UNIQUE-ENDPOINT> -R /etc/ssl/api_foxpass_com.crt -C | sudo tee /etc/ssl/api_foxpass_com_ca.crt >/dev/null

  4. Tell certmonger about the certificate authority

    Register the SCEP server with certmonger under the nickname foxpass, using the same endpoint URL as the previous step, the saved server certificate for HTTPS verification (-R) and the CA certificate fetched above (-r):

    sudo getcert add-scep-ca -c foxpass -u https://api.foxpass.com/scep/<SCEP-UNIQUE-ENDPOINT> -R /etc/ssl/api_foxpass_com.crt -r /etc/ssl/api_foxpass_com_ca.crt

  5. Create the private key and request the signed certificate using a PIN you choose

    The PIN protects the private key file and is entered again as the private-key password in the Wi-Fi profile. The challenge phrase is the SCEP challenge password from the SCEP page. -k is the private key file to create, -f is where the issued certificate is written (it is a certificate, not a public key), -m 600 restricts the key file permissions to its owner, -E adds the email address to the request, and -w waits for enrollment to finish. The SCEP URL is taken from the CA nickname foxpass registered in the previous step, so it is not passed here:

    sudo getcert request -k <private key file> -f <certificate file> -c foxpass -N "CN=$(hostname)" -E <EMAIL> -w -L <Challenge Phrase> -m 600 -P <PIN>

  6. Add the SSID to the network (optional; the same settings can be entered manually in the GUI)

    The issued certificate and private key from the previous step become the EAP-TLS credentials, and the private-key password is the PIN you chose. Keep 802-1x.ca-cert set: it is what the supplicant uses to verify the RADIUS server, and leaving it out lets a rogue access point impersonate the network.

    nmcli c add type wifi ifname <wifi NIC> con-name '<Name>' \
    802-11-wireless.ssid '<SSID>' \
    802-11-wireless-security.key-mgmt wpa-eap \
    802-1x.eap tls \
    802-1x.identity '<identity>' \
    802-1x.ca-cert /etc/ssl/api_foxpass_com_ca.crt \
    802-1x.client-cert <certificate file> \
    802-1x.private-key <private key file> \
    802-1x.private-key-password <PIN>

Tips

  1. Make sure you have the necessary permissions to read /etc/ssl/api_foxpass_com.crt and the other certificate files you created.
  2. If you run into an error like "verify error:num=20:unable to get local issuer certificate" from the openssl s_client step (the one that saves api_foxpass_com.crt), the system CA store could not validate the server's chain. Do not keep a saved chain that failed verification; update the package list and CA certificates, then rerun that step:
    1. sudo apt update
    2. sudo apt install ca-certificates
    3. sudo update-ca-certificates
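The server-certificate step and the verify-error tip above hinge on the same detail: openssl s_client prints the chain it received whether or not verification succeeded, and the sed filter saves it either way. The following is an added example and not part of the Foxpass documentation: POSIX shell helpers that split s_client output into its PEM blocks and refuse to write the pinning file unless the output contains "Verify return code: 0 (ok)". The sample s_client transcripts, the certificate bodies in them, and the function names (extract_pem, count_certs, chain_verified, save_verified_chain) are constructed for this example.

```shell
#!/bin/sh
# Added example for the Foxpass SCEP guide (not Foxpass's own code).
# `openssl s_client -showcerts` prints every certificate the server sent and,
# near the end, a "Verify return code" line. The guide's sed filter keeps the
# PEM blocks regardless of that code; these helpers only save the chain when
# verification against the system CA store succeeded.

# Constructed sample of s_client output for a chain that verified.
# The certificate bodies are placeholders, not real certificates.
SAMPLE_OK='CONNECTED(00000003)
depth=1 C = US, O = Example CA, CN = Example Intermediate
verify return:1
depth=0 CN = api.foxpass.com
verify return:1
---
Certificate chain
 0 s:CN = api.foxpass.com
   i:C = US, O = Example CA, CN = Example Intermediate
-----BEGIN CERTIFICATE-----
PLACEHOLDERLEAFCERTIFICATEBODY0
-----END CERTIFICATE-----
 1 s:C = US, O = Example CA, CN = Example Intermediate
   i:C = US, O = Example CA, CN = Example Root
-----BEGIN CERTIFICATE-----
PLACEHOLDERINTERMEDIATECERTBODY1
-----END CERTIFICATE-----
---
Server certificate
subject=CN = api.foxpass.com
issuer=C = US, O = Example CA, CN = Example Intermediate
---
Verification: OK
---
Verify return code: 0 (ok)
---
DONE'

# Constructed sample for the failure described in the Tips (error num=20):
# the chain is still printed, but the return code is not 0.
SAMPLE_BAD='CONNECTED(00000003)
depth=0 CN = api.foxpass.com
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:CN = api.foxpass.com
   i:C = US, O = Example CA, CN = Example Intermediate
-----BEGIN CERTIFICATE-----
PLACEHOLDERLEAFCERTIFICATEBODY0
-----END CERTIFICATE-----
---
Verification error: unable to get local issuer certificate
---
Verify return code: 20 (unable to get local issuer certificate)
---
DONE'

# Keep only PEM certificate blocks from stdin (a stricter form of the guide's
# sed filter: non-certificate PEM blocks are ignored).
extract_pem() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# Count the certificates in a PEM stream on stdin.
count_certs() {
    grep -c -- '^-----BEGIN CERTIFICATE-----$'
}

# Succeed only if the s_client output on stdin reports a verified chain.
chain_verified() {
    grep -q '^Verify return code: 0 (ok)$'
}

# Read s_client output from stdin; write its PEM chain to $1 only when the
# chain verified. Otherwise print the verify line to stderr and write nothing.
save_verified_chain() {
    out=$1
    input=$(cat)
    if ! printf '%s\n' "$input" | chain_verified; then
        printf '%s\n' "$input" | grep '^Verify return code' >&2 || :
        return 1
    fi
    printf '%s\n' "$input" | extract_pem > "$out"
}

# Real use (needs network, so not run here). 2>&1 also captures the per-depth
# verify messages, which s_client writes to stderr:
#   openssl s_client -showcerts -connect api.foxpass.com:443 </dev/null 2>&1 \
#     | save_verified_chain /tmp/api_foxpass_com.crt \
#     && sudo install -m 644 /tmp/api_foxpass_com.crt /etc/ssl/api_foxpass_com.crt
```

After saving, openssl x509 -in /etc/ssl/api_foxpass_com.crt -noout -subject -issuer -dates shows the first certificate in the file, which should be the api.foxpass.com leaf; a file whose first block is not that subject means the wrong chain was captured.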