
Sample SCEP implementation

This sample shows a SCEP implementation using SSCEP on macOS.

Prerequisites:

  • A SCEP profile in your DigiCert® Private CA

  • SSCEP (Simple SCEP) client on macOS

  • OpenSSL

Initial setup:

  1. Unzip sscep-mac.zip.

  2. Run chmod +x sscep.

  3. Move the binary to /usr/local/bin/.

  4. Install OpenSSL 3 using Homebrew.

Enroll a client certificate

Enroll a new client certificate using the SCEP protocol and the profile you created.

STEP 1: Prepare a certificate signing request (CSR)

Generate a private key and CSR using OpenSSL:

openssl req -new -newkey rsa:2048 -nodes \
  -keyout client.key \
  -out client.csr \
  -subj "/CN=device.example.com"

STEP 2: Run the enrollment command

Replace the placeholders with your actual values:

sscep enroll \
  -u https://<ca-server>/certificate-authority/api/v1/scep/<ProfileID>/cgi-bin/pkiclient.exe \
  -k client.key \
  -r client.csr \
  -l device.crt \
  -c issuer.pem \
  -S sha1

Where:

  • -u is the SCEP URL generated from the SCEP profile in your private CA.

  • -k is the private key file required for your CSR.

  • -r is the CSR file which contains your certificate signing request.

  • -l is the output file. This is where you'll find the issued client certificate once the request completes.

  • -c is the issuer certificate file (your private root CA or an intermediate CA). This certificate is necessary for the SCEP client to trust and securely communicate with the SCEP server (the server where your private CA is installed) during the enrollment process.

  • -S is the signature (digest) algorithm used for the SCEP request messages.

Re-enroll a client certificate

Renew an existing client certificate using the SCEP protocol.

STEP 1: Gather the prerequisites

  • The private key used for the original certificate.

  • The existing client certificate that you're renewing.

  • The issuing CA certificate.

STEP 2: Run the re-enrollment command

sscep enroll -d \
  -u https://<ca-server>/certificate-authority/api/v1/scep/<ProfileID>/cgi-bin/pkiclient.exe \
  -k client.key \
  -K client.key \
  -O device.crt \
  -r client.csr \
  -l renewed.crt \
  -c issuer.pem \
  -S sha1

Where:

  • -u is the SCEP URL generated from the SCEP profile in your private CA.

  • -k is the private key file for the original CSR when the certificate was previously enrolled.

  • -K is the private key file for the current renewal. It is the same as -k if you're re-enrolling with the same CSR.

  • -O is the current certificate file that's getting renewed.

  • -r is the CSR file which contains your certificate signing request.

  • -l is the output file. This is where you'll find the renewed or re-enrolled client certificate once the request completes.

  • -c is the issuer certificate file (your private root CA or an intermediate CA). This certificate is necessary for the SCEP client to trust and securely communicate with the SCEP server (the server where your private CA is installed) during the enrollment process.
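Added example (not from this page or the sscep project) that wraps both the enrollment and re-enrollment commands above: it queries the CA's SCEP capabilities with the standard GetCACaps operation (RFC 8894), picks the strongest digest the CA advertises for -S instead of hard-coding sha1, and only builds the renewal form (-K/-O) when the CA advertises Renewal. The SCEP URL, file names and capability list in the script are constructed sample values.

```python
"""Choose sscep enroll arguments from the CA's advertised SCEP capabilities."""
import shlex
import urllib.parse
import urllib.request

# GetCACaps digest names (RFC 8894) in order of preference, mapped to the sscep -S value.
DIGEST_PREFERENCE = [("SHA-512", "sha512"), ("SHA-256", "sha256"), ("SHA-1", "sha1")]


def parse_ca_caps(body: str) -> set:
    """GetCACaps returns one capability keyword per line; blank lines are ignored."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def fetch_ca_caps(scep_url: str, timeout: float = 10.0) -> set:
    """Plain HTTP GET of <scep_url>?operation=GetCACaps (no PKI message wrapping)."""
    url = scep_url + "?" + urllib.parse.urlencode({"operation": "GetCACaps"})
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_ca_caps(resp.read().decode("ascii", errors="replace"))


def choose_signature_algorithm(caps: set) -> str:
    """Strongest digest the CA advertises; sha1 is the SCEP default when none is listed."""
    for cap, sscep_name in DIGEST_PREFERENCE:
        if cap in caps:
            return sscep_name
    return "sha1"


def build_sscep_cmd(scep_url, key, csr, out, issuer, caps, renew_cert=None):
    """argv for 'sscep enroll'; pass renew_cert to build the re-enrollment form."""
    cmd = ["sscep", "enroll", "-u", scep_url, "-k", key, "-r", csr, "-l", out, "-c", issuer]
    if renew_cert is not None:
        # This example's policy: do not attempt a renewal the CA does not advertise.
        if "Renewal" not in caps:
            raise ValueError("CA does not advertise Renewal; enroll a fresh certificate instead")
        cmd += ["-K", key, "-O", renew_cert]  # same key for the renewal, as on this page
    cmd += ["-S", choose_signature_algorithm(caps)]
    return cmd


if __name__ == "__main__":
    # Constructed GetCACaps response; a real client would call fetch_ca_caps(scep_url).
    sample_caps = parse_ca_caps("SHA-256\nSHA-1\nPOSTPKIOperation\nRenewal\nAES\n")
    scep_url = "https://ca.example.invalid/certificate-authority/api/v1/scep/PROFILE/cgi-bin/pkiclient.exe"
    print(shlex.join(build_sscep_cmd(scep_url, "client.key", "client.csr", "device.crt",
                                     "issuer.pem", sample_caps)))
    print(shlex.join(build_sscep_cmd(scep_url, "client.key", "client.csr", "renewed.crt",
                                     "issuer.pem", sample_caps, renew_cert="device.crt")))
```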