Reference Guide
Parameter Description
ScepAutoEnroll={yes, no}
AutoRenew={yes, no}
InstallCACert={yes, no}
[CountryName=country]
[State=state]
[Locality=locality]
[Organization=organization_name]
[OrganizationUnit=organization_unit]
[CommonName=common_name]
[Email=email_address]
[KeyUsage=key_usage]
[KeyLength={1024, 2048, 4096}]
[subAltName=subject_alt_name_list]
[RequestURL=scep_request_url]
[CACertHashType={MD5, SHA1, SHA256}]
[CACertHash=CA_HASH_VALUE]
[EnrollPwd=enrollment_password]
[EnrollPwdEnc=encrypted_enrollment_password]
[ScepAdminUrl=scep_administrator_page_url]
[ScepUser=scep_enrollment_user]
[ScepUserDomain=scep_enrollment_user_domain]
[ScepUserPwd=scep_enrollment_user_password]
[ScepUserPwdEnc=encrypted_scep_enrollment_user_password]
This option allows the client to automatically obtain and renew certificates using
the SCEP protocol.
ScepAutoEnroll—Set this keyword to yes to enable the client to automatically
obtain a certificate.
AutoRenew—Set this keyword to yes to enable automatic certificate renewal. The
client only tries to renew certificates that were requested, either manually or
automatically, through SCEP from this client, and the renewal is performed only
after half of a certificate's validity period has passed.
InstallCACert—Set this keyword to yes to install the root CA's certificate as a
trusted certificate after successfully obtaining a client certificate.
CountryName, State, Locality, Organization, OrganizationUnit,
CommonName, Email—These keywords together compose the subject identity of
the requested client certificate. CountryName should be two uppercase letters,
the other fields are printable strings shorter than 64 bytes, and email_address
should contain an '@'. At least one of these fields must be configured correctly
to form the client certificate's subject identity.
KeyUsage—Specifies the key usage of the client certificate. Set it to
digitalSignature, keyEncipherment, or both joined with ';' as
digitalSignature;keyEncipherment.
KeyLength—Specifies the key length of the client certificate in bits. It must be
one of the values in the list.
subAltName—Specifies the client certificate's subject alternative names. It is a
sequenced list of name elements, each of which is either a DNS name or an IP
address. Use ';' as the delimiter between them.
RequestURL—Specifies the SCEP server service URL. This field must be set
correctly. The default protocol for SCEP services is HTTP, which also ensures data
security. You can also add the prefix https:// if the SCEP service is deployed on
HTTPS in your environment.
CACertHashType—Specifies the hash type used to verify the authenticity of the
certificate authority. This option must be set to MD5, SHA1, or SHA256.
CACertHash—The hash value used to verify the certificate authority's
certificate. The client will not issue a certificate request to a SCEP server that
cannot pass certificate chain checking through a valid certificate authority.
EnrollPwd or EnrollPwdEnc—These keywords set the enrollment password
obtained from a SCEP administrator.
EnrollPwd is the plain-text enrollment password and EnrollPwdEnc is the
encrypted form of the same enrollment password. Use only one of these two fields
to set the enrollment password.
As an alternative to specifying an enrollment password directly with EnrollPwd or
EnrollPwdEnc, the client can use a SCEP administrator's credentials to
automatically get an enrollment password from a Windows SCEP server. In this
case, ScepUser, ScepUserDomain, and ScepUserPwd (or ScepUserPwdEnc, in
encrypted form instead of plain text) specify the SCEP administrator's credentials,
and ScepAdminUrl must be set correctly to specify the URL of the corresponding
SCEP admin web page. If neither EnrollPwd nor EnrollPwdEnc is set, the client
tries to use this set of settings to automatically get an enrollment password and
then uses that password to request a certificate. If communication security is
necessary in your environment during this phase, add https:// as the prefix for
ScepAdminUrl to use HTTPS instead of the default HTTP protocol.
Use ScepAutoEnroll=no AutoRenew=yes to enable only SCEP auto renewal; no other
parameters are needed if ScepAutoEnroll is set to no.
NOTE:
The SCEP server’s URL must be an HTTP or HTTPS link. Do not add a
protocol prefix to RequestURL and ScepAdminUrl.
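
The constraints described above can be checked before an INI file is published. The following Python linter is an added example, not part of this guide or the vendor's tooling; its errors are rules stated above, and its warnings are hardening advice added by the example. It assumes a statement is written as space-separated Key=Value tokens (double quotes around values containing spaces) with keywords spelled as above; lint_scep, SAMPLE and the placeholder values are constructed for illustration.

```python
import re
import shlex

SUBJECT = ("CountryName", "State", "Locality", "Organization",
           "OrganizationUnit", "CommonName", "Email")
# Constructed sample statement; host, hash and password are placeholders.
SAMPLE = ("ScepAutoEnroll=yes CountryName=us Email=ops.example.test "
          "KeyLength=1024 RequestURL=scep.example.test/scep "
          "CACertHashType=MD5 CACertHash=PLACEHOLDER EnrollPwd=PLACEHOLDER")

def lint_scep(statement):
    """Return (errors, warnings): rules from the page, then added hardening advice."""
    # Assumed syntax: space-separated Key=Value tokens; absent keys are skipped.
    opts = dict(t.split("=", 1) for t in shlex.split(statement) if "=" in t)
    errors, warnings = [], []
    if opts.get("ScepAutoEnroll", "").lower() != "yes":
        return errors, warnings  # the other parameters are not needed
    subject = {k: opts[k] for k in SUBJECT if k in opts}
    if not subject:
        errors.append("at least one subject field is required")
    if not re.fullmatch("[A-Z]{2}", subject.get("CountryName", "XX")):
        errors.append("CountryName must be two uppercase letters")
    for key, value in subject.items():
        if key != "CountryName" and len(value.encode("utf-8")) >= 64:
            errors.append(key + " must be shorter than 64 bytes")
    if "@" not in subject.get("Email", "@"):
        errors.append("Email must contain '@'")
    usages = set(opts.get("KeyUsage", "digitalSignature").split(";"))
    if not usages <= {"digitalSignature", "keyEncipherment"}:
        errors.append("KeyUsage must be digitalSignature and/or keyEncipherment")
    if opts.get("KeyLength", "2048") not in ("1024", "2048", "4096"):
        errors.append("KeyLength must be 1024, 2048 or 4096")
    if not opts.get("RequestURL"):
        errors.append("RequestURL must be set")
    if opts.get("CACertHashType", "SHA256") not in ("MD5", "SHA1", "SHA256"):
        errors.append("CACertHashType must be MD5, SHA1 or SHA256")
    if "EnrollPwd" in opts and "EnrollPwdEnc" in opts:
        errors.append("use only one of EnrollPwd and EnrollPwdEnc")
    if "EnrollPwd" not in opts and "EnrollPwdEnc" not in opts:
        have_pwd = "ScepUserPwd" in opts or "ScepUserPwdEnc" in opts
        if not (have_pwd and "ScepUser" in opts and "ScepAdminUrl" in opts):
            errors.append("no enrollment password and incomplete SCEP admin settings")
    for plain in ("EnrollPwd", "ScepUserPwd"):
        if plain in opts:
            warnings.append(plain + " is plain text; use " + plain + "Enc")
    if opts.get("CACertHashType") in ("MD5", "SHA1"):
        warnings.append("MD5 and SHA1 are collision-weak; use SHA256")
    if opts.get("KeyLength") == "1024":
        warnings.append("KeyLength 1024 is weak; use 2048 or 4096")
    return errors, warnings
```

Calling lint_scep(SAMPLE) reports the lowercase country code and the malformed e-mail address as errors, and the plain-text password, MD5 hash type and 1024-bit key as warnings.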
34 Parameters for wnos INI files only