Administrator Guide

Parameter Description
[Locality = locality]
[Organization = organization_name]
[OrganizationUnit = organization_unit]
[CommonName = common_name]
[Email = email_address]
KeyUsage = key_usage
KeyLength = {1024, 2048, 4096}
[subAltName = subject_alt_name_list]
RequestURL = scep_request_url
CACertHashType = {MD5, SHA1, SHA256}
CACertHash = CA_HASH_VALUE
[EnrollPwd = enrollment_password]
[EnrollPwdEnc = encrypted_enrollment_password]
[ScepAdminUrl = scep_administrator_page_url]
[ScepUser = scep_enrollment_user]
[ScepUserDomain = scep_enrollment_user_domain]
[ScepUserPwd = scep_enrollment_user_password]
[ScepUserPwdEnc = encrypted_scep_enrollment_user_password]
Set
InstallCACert—Set this keyword to yes to install the root CA's certificate as a trusted certificate after successfully getting a client certificate.
CountryName, State, Locality, Organization, OrganizationUnit, CommonName, Email—These keywords together compose the subject identity of the requested client certificate. CountryName should be two letters in uppercase, the other fields are printable strings shorter than 64 bytes, and email_address should contain a '@'. At least one of the above fields must be configured correctly to form the client certificate's subject identity.
KeyUsage—This option specifies the key usage of the client certificate and should be set to digitalSignature, keyEncipherment, or both, using ';' to concatenate the two as digitalSignature;keyEncipherment.
KeyLength—This option specifies the key length of the client certificate in bits and must be one of the values in the list.
subAltName—This option specifies the client certificate's subject alternative names. It is an ordered list of name elements, each of which is either a DNS name or an IP address. Use ';' as the delimiter between them.
RequestURL—The RequestURL option specifies the SCEP server service URL. This field must be set correctly. The default protocol for SCEP services is HTTP, which is sufficient because SCEP signs and encrypts its enrollment messages at the message level. You can also add the prefix https:// if the SCEP service is deployed on HTTPS in your environment.
CACertHashType—CACertHashType is the hash type used to verify the certificate authority's certificate and should be set to MD5, SHA1 or SHA256.
CACertHash—This is the hash value used to verify the certificate authority's certificate. The client will not issue a certificate request to a SCEP server whose CA certificate does not match this hash and cannot pass certificate chain checking through a valid certificate authority.
EnrollPwd or EnrollPwdEnc—These keywords set the enrollment password obtained from a SCEP administrator. EnrollPwd is the plain-text enrollment password and EnrollPwdEnc is the encrypted form of the same enrollment password. Use only one of these two fields to set the enrollment password.
Instead of using EnrollPwd or EnrollPwdEnc to specify an enrollment password directly, the client can use a SCEP administrator's credentials to obtain an enrollment password automatically from a Windows SCEP server. In this case, ScepUser, ScepUserDomain and ScepUserPwd (or ScepUserPwdEnc, in encrypted form instead of plain text) specify the SCEP administrator's credentials, and ScepAdminUrl must be set correctly to the URL of the corresponding SCEP admin web page. If neither EnrollPwd nor EnrollPwdEnc is set, the client tries to use this set of settings to obtain an enrollment password automatically and then uses that password to request a certificate. If communication security is required in your environment during this phase, add https:// as the prefix for ScepAdminUrl to use HTTPS instead of the default HTTP protocol.
Use ScepAutoEnroll=no AutoRenew=yes to enable only SCEP auto renew; no other parameters are needed if ScepAutoEnroll is set to no.
NOTE: SCEP server's URL must be an HTTP link. Do not add a protocol prefix to RequestURL and ScepAdminURL.
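The constraints listed above, checked in code: an added example that is not part of this guide or of the product it documents. It validates a parsed set of these SCEP keywords (subject fields, KeyUsage, KeyLength, subAltName, RequestURL, CACertHashType/CACertHash, and the EnrollPwd-or-ScepUser choice) and verifies a CA certificate's hash against CACertHashType and CACertHash before it is trusted. The SAMPLE settings and any DER bytes passed in are constructed, and the simple DNS-name pattern is an assumption.

```python
import hashlib
import ipaddress
import re

SUBJECT_KEYS = ("CountryName", "State", "Locality", "Organization",
                "OrganizationUnit", "CommonName", "Email")
CHOICES = {"KeyLength": {"1024", "2048", "4096"}, "CACertHashType": {"MD5", "SHA1", "SHA256"}}
# Constructed sample of the SCEP keywords as a xen.ini line would set them (not from the guide).
SAMPLE = dict(CountryName="US", Organization="Example Corp", CommonName="tc01",
              KeyUsage="digitalSignature;keyEncipherment", KeyLength="2048",
              subAltName="tc01.example.com;192.0.2.10", RequestURL="scep.example.com/mscep",
              CACertHashType="SHA256", CACertHash="constructed-hash", EnrollPwd="constructed-otp")

def is_dns_or_ip(name):
    try:
        return bool(ipaddress.ip_address(name))
    except ValueError:  # not an IP address, so it must look like a DNS name (assumed pattern)
        return re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*", name) is not None

def validate_scep_settings(cfg):
    """Return the list of problems in the SCEP keywords of a parsed xen.ini file."""
    errs = []
    subject = {k: v for k, v in cfg.items() if k in SUBJECT_KEYS and v}
    if not subject:
        errs.append("at least one subject field must be set")
    for k, v in subject.items():
        if k == "CountryName" and not re.fullmatch(r"[A-Z]{2}", v):
            errs.append("CountryName must be two uppercase letters")
        elif k != "CountryName" and len(v.encode()) >= 64:
            errs.append(f"{k} must be shorter than 64 bytes")
    usages = set(filter(None, cfg.get("KeyUsage", "").split(";")))
    if not usages or not usages <= {"digitalSignature", "keyEncipherment"}:
        errs.append("KeyUsage must be digitalSignature, keyEncipherment or both joined by ';'")
    errs += [f"{k} must be one of {sorted(v)}" for k, v in CHOICES.items() if cfg.get(k) not in v]
    errs += [f"{k} must be set" for k in ("RequestURL", "CACertHash") if not cfg.get(k)]
    errs += [f"subAltName element {n!r} is not a DNS name or IP address"
             for n in filter(None, cfg.get("subAltName", "").split(";")) if not is_dns_or_ip(n)]
    pwds = [k for k in ("EnrollPwd", "EnrollPwdEnc") if cfg.get(k)]
    admin = cfg.get("ScepAdminUrl") and cfg.get("ScepUser") and (
        cfg.get("ScepUserPwd") or cfg.get("ScepUserPwdEnc"))
    if len(pwds) > 1:
        errs.append("use only one of EnrollPwd and EnrollPwdEnc")
    elif not pwds and not admin:
        errs.append("set EnrollPwd or EnrollPwdEnc, or ScepAdminUrl, ScepUser and ScepUserPwd(Enc)")
    return errs

def ca_cert_matches(der, hash_type, expected):
    # True only if the DER-encoded CA certificate hashes, under CACertHashType, to CACertHash.
    digest = hashlib.new(hash_type.lower(), der).hexdigest()
    return digest == expected.replace(":", "").lower()
```

A client that trusts the CA certificate only when ca_cert_matches returns True cannot be pointed at a substitute CA by changing RequestURL alone, which is why CACertHash is mandatory.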
224 Creating and Using xen.ini Files