System information

Manual:System/Certificates
SCEP uses HTTP with base64-encoded GET requests. Most requests are sent without authentication or encryption; the important ones can be protected when necessary (encrypted or signed using the received public key).
The SCEP client in RouterOS will:
- get the CA certificate from the CA server or the RA (if used);
- the user should compare the fingerprint of the CA certificate to confirm it comes from the right server;
- generate a self-signed certificate with a temporary key;
- send the certificate request to the server;
- if the server responds with status x, keep requesting until the server sends an error or an approval.
The SCEP server supports issuing only one certificate. RouterOS also supports the renew and next-ca options:
- renew - the old certificate can be renewed automatically with the same CA.
- next-ca - the current CA certificate can be replaced with a new one. The client polls the server for changes; if the server advertises that a next-ca is available, the client may request the next CA right away, or wait until the current CA is about to expire and then request next-ca.
The RouterOS server also supports the POST operation, the 3DES cipher and SHA1 hashing. If the client does not support these features, HTTP GET, the DES cipher and MD5 hashing are used.
The RouterOS client will by default try to use POST, 3DES and SHA1 if the server advertises them.
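As an added illustration (not RouterOS code and not from the original page), the following Python mirrors the client-side decisions described above: it parses the server's GetCACaps reply to choose POST/3DES/SHA1 versus GET/DES/MD5 and to detect renew and next-ca support, encodes a base64 GET request, and checks the received CA certificate fingerprint with the md5 or sha1 algorithm. The endpoint URL, the capability reply and the certificate bytes are constructed assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlencode

# GetCACaps returns one capability token per line (RFC 8894 names).
def parse_ca_caps(body: str) -> set:
    return {line.strip() for line in body.splitlines() if line.strip()}

# Mirror the RouterOS client default: use POST, 3DES and SHA1 when the
# server advertises them, otherwise fall back to GET, DES and MD5.
def choose_options(caps: set) -> dict:
    return {
        "transport": "POST" if "POSTPKIOperation" in caps else "GET",
        "cipher": "3DES" if "DES3" in caps else "DES",
        "hash": "SHA1" if "SHA-1" in caps else "MD5",
        "renew": "yes" if "Renewal" in caps else "no",
        "next-ca": "yes" if "GetNextCACert" in caps else "no",
    }

# SCEP over GET: the PKCS#7 message is base64-encoded and URL-escaped into
# the query string of the endpoint.
def build_get_url(base_url: str, operation: str, message: bytes) -> str:
    query = urlencode({"operation": operation,
                       "message": base64.b64encode(message).decode("ascii")})
    return f"{base_url}?{query}"

# Fingerprint of the CA certificate's DER bytes; `algorithm` follows the
# fingerprint-algorithm property (md5 | sha1).
def ca_fingerprint(ca_der: bytes, algorithm: str) -> str:
    if algorithm not in ("md5", "sha1"):
        raise ValueError("fingerprint-algorithm must be md5 or sha1")
    return hashlib.new(algorithm, ca_der).hexdigest()

# The check the page asks the user to perform before trusting the CA.
# Accepts "aa:bb:..." or plain hex in either case; constant-time compare.
def verify_ca_fingerprint(ca_der: bytes, expected: str, algorithm: str) -> bool:
    actual = ca_fingerprint(ca_der, algorithm)
    return hmac.compare_digest(actual, expected.replace(":", "").lower())

# Constructed sample GetCACaps reply (not captured from a real server).
SAMPLE_CAPS = "POSTPKIOperation\nSHA-1\nDES3\nRenewal\nGetNextCACert\n"
# Constructed stand-in for CA certificate DER bytes (not a real certificate).
SAMPLE_CA_DER = b"\x30\x82\x01\x00constructed-ca-certificate-bytes"

if __name__ == "__main__":
    print(choose_options(parse_ca_caps(SAMPLE_CAPS)))
    # Assumed endpoint path; adjust to the server's real pkiclient URL.
    print(build_get_url("http://192.0.2.10/scep/pkiclient.exe", "PKIOperation", b"\x30\x80"))
    print(verify_ca_fingerprint(SAMPLE_CA_DER, ca_fingerprint(SAMPLE_CA_DER, "sha1"), "sha1"))
```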
Client
Sub-menu: /certificate scep client
Properties
| Property | Description |
|---|---|
| ca-identity (string; Default: DummyCAIdentity) | |
| challenge-password (string; Default: "") | OTP password on the server used to grant the certificate automatically after the request. |
| common-name (string; Default: ) | |
| country (string; Default: ) | |
| disabled (yes \| no; Default: no) | |
| email (string; Default: ) | |
| fingerprint-algorithm (md5 \| sha1; Default: sha1) | |
| key-bits (1024 \| 2048 \| 4096; Default: 1024) | |
| locality (string; Default: ) | |
| name (string; Default: ) | Short descriptive name of the item. |
| organization (string; Default: ) | |
| path (string; Default: ) | Path of the certificate located on the server. If the server is RouterOS, you should use "scep/"+path, since certificates on the server are stored in the "scep" directory. |
| serial-number (string; Default: ) | |
| server (IP \| IPv6; Default: ) | IP or IPv6 address of the SCEP server. |
| state (string; Default: ) | |
| store-name (string; Default: ) | Name of the certificate which will be used after importing it into the certificate store. |
| unit (string; Default: ) | |