Install SCEP certificate on Linux

Configuring SCEP certificate on a Linux machine

🚧 Work in Progress: Document under development, not final.

  1. Install 'certmonger'

Certmonger is a certificate manager package. Open a Linux terminal and type the following command:

    sudo apt install certmonger

  1. Add the foxpass server certificate to the filesystem

    sudo openssl s_client -showcerts -connect api.foxpass.com:443 </dev/null | sed -n -e '/-.BEGIN/,/-.END/ p' | sudo tee /etc/ssl/api_foxpass_com.crt >/dev/null

  2. Add the client CA certificate to the filesystem

    The SCEP unique endpoint can be found on the SCEP page. Obtain the CA certificate from the EAP-TLS page and save it to /etc/ssl/api_foxpass_com_ca.crt by using the following command:

    sudo /usr/lib/certmonger/scep-submit -u https://api.foxpass.com/scep/<SCEP-UNIQUE-ENDPOINT> -R /etc/ssl/api_foxpass_com.crt -C | sudo tee /etc/ssl/api_foxpass_com_ca.crt >/dev/null

  3. Tell certmonger about the certificate

    sudo getcert add-scep-ca -c foxpass -u https://api.foxpass.com/<SCEP-UNIQUE-ENDPOINT> -R /etc/ssl/api_foxpass_com.crt [-r /etc/ssl/api_foxpass_com_ca.crt] -N /etc/ssl/api_foxpass_com_ca.crt

  4. Create the private key and request the signed certificate using a PIN you choose

    sudo getcert request -k <private key file> -f <public key file> -c foxpass -N $(hostname) -E <EMAIL> -w -L <Challenge Phrase> -m 600 -P <PIN>

  5. Add the SSID to the network (Optional - can be entered manually via GUI)

    nmcli c add type wifi ifname <wifi NIC> con-name '<Name>' \
    802-11-wireless.ssid '<SSID>' \
    802-11-wireless-security.key-mgmt wpa-eap \
    802-1x.eap tls \
    802-1x.identity '<identity>' \
    802-1x.ca-cert /etc/ssl/api_foxpass_com_ca.crt \
    802-1x.client-cert <public key file> \
    802-1x.private-key <private key file> \
    802-1x.private-key-password <PIN>

  1. Tips

  1. Make sure you have necessary permissions for the api_foxpass_com.crt file.
  2. If you run into an error like "verify error:num=20:unable to get local issuer certificate" in Step 3, make sure the certificate authorities on your Linux system are up to date. If not, update the package and the CA certificates:
    1. sudo apt update
    2. sudo apt install ca-certificates
    3. sudo update-ca-certificates
  3. If you don't want the private key to have a password, remove the 802-1x.private-key-password <PIN> parameter and add this parameter instead:
    1. 802-1x.private-key-password-flags 4