Installing the SCEP Server
To begin the Keyfactor SCEP installation, execute the SCEPInstaller.msi file from the installation media and install as follows.
1. On the first installation page, click Next to begin the setup wizard.
2. On the next page, read and accept the license agreement and click Next.
3. On the next page, select the destination folder for the install. The default installation location is:
   C:\Program Files\Keyfactor\Keyfactor SCEP Server
4. On the next screen, click Install.
5. On the final installation wizard page, click Finish. The configuration tool should start automatically; this can take several seconds.
6. Optional: If you have opted to store SCEP challenges in a Microsoft SQL database, pause at this step and configure the SQL database (see Using a SQL Database for SCEP (Optional)), then continue with the configuration steps.
7. Optional: If you opted to create custom templates so that you could generate SCEP encryption and signing certificates with keys greater than 1024-bit, as per Enable the Required Templates for SCEP Infrastructure, you will need to point SCEP at those certificates via the registry before continuing with the rest of the standard configuration steps. To update the SCEP server to use the manually acquired encryption and signing certificates:
   a. Use the Registry Editor (regedit) to open the following configuration key:
      HKEY_LOCAL_MACHINE\SOFTWARE\Certified Security Solutions\SCEP Server\Configuration
   b. In the Configuration key, create a String Value and name it EncryptionSerial.
   c. Double-click EncryptionSerial to edit it and paste in the serial number of the Keyfactor SCEP Server Encryption certificate that you made note of in Create the SCEP Certificates. Click OK to save.
   d. In the Configuration key, create a String Value and name it SigningSerial.
   e. Double-click SigningSerial to edit it and paste in the serial number of the Keyfactor SCEP Server Signing certificate that you made note of in Create the SCEP Certificates. Click OK to save.
8. In the Keyfactor SCEP Configuration tool, in the SCEP Enrollment section of the page, select the CA from which certificates will be issued via SCEP in the Enrollment CA dropdown. Select the certificate template in the Enrollment Template dropdown; only templates available on the selected CA are shown. In the Challenge Type dropdown, select Unique for best security: a unique challenge is consumed by the one request it was issued for. The options to use the same challenge password for every request (Single Challenge) or no challenge password at all (No Challenge) should only be used in environments where this functionality is absolutely necessary and where access to the SCEP server is strictly controlled, since a shared challenge is a static secret that anyone who obtains it can reuse, and with no challenge any client that can reach the SCEP endpoint can request a certificate from the selected template. In the Concurrent Challenges box, enter the number of SCEP challenge requests you expect to receive, and challenges to issue, within one Challenge Lifetime. In the Challenge Lifetime (minutes) box, enter the number of minutes for which issued SCEP challenges remain valid.
   Figure 6: SCEP Configuration Tool
9. If you did not manually configure certificates in step 7, in the Keyfactor SCEP Configuration tool, in the SCEP Infrastructure Certificates section of the page, click the Request Certificates button to automatically request certificates for the SCEP server. If you did manually configure certificates in step 7, the serial numbers of your certificates should already appear in the SCEP Infrastructure Certificates section of the page. The SCEP server requests certificates using the CEP Encryption and Exchange Enrollment Agent (Offline request) templates and scans every available CA in the environment for one that can issue certificates from these templates, beginning with the CA you selected for SCEP enrollment. If no CA can issue certificates from these templates, an error occurs; make the templates available for issuing on a CA in the environment and try the Request Certificates step again.
   Tip: If more than one CA has the SCEP infrastructure certificate templates available, you wish to specify which of them to request the certificates from, and you did not select that CA in the previous step, you can temporarily select it as the Enrollment CA in the SCEP Enrollment section of the page, request the infrastructure certificates, and then change the CA in the SCEP Enrollment section back.
10. In the Keyfactor SCEP Configuration tool, in the SCEP Service Account section of the page, enter the user name (DOMAIN\User format) and password of the Active Directory service account under which the SCEP application pool will run. You may use the people picker button to browse for the account. Click the verify button to confirm that the user name and password entered are valid.
11. At the bottom of the configuration tool, click Save and then close the dialog.
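The EncryptionSerial/SigningSerial registry sub-steps and the "which CA can issue the infrastructure templates" failure mode of the Request Certificates step, as an added scripted example. This is not Keyfactor's code and not the documented procedure (the regedit steps above remain authoritative); it is the same two String Values written from PowerShell, with the checks a practitioner would want before and after. It assumes the manually issued certificates are in Cert:\LocalMachine\My with a private key and can be identified by the Subject CNs shown, that the configuration tool accepts the serial in the hex form Windows exposes as .SerialNumber, and the CA config strings are placeholders to replace with your own.

```powershell
# Added example; not part of the Keyfactor documentation or product.
# Run in an elevated PowerShell session on the SCEP server after the installer has finished.
#
# Assumptions (adjust for your environment):
#  - The manually issued certificates sit in the machine Personal store (Cert:\LocalMachine\My),
#    have a private key, and carry Subject CN "Keyfactor SCEP Server Encryption" and
#    "Keyfactor SCEP Server Signing" respectively (your custom templates may name them differently).
#  - The serial written to the registry is the hex string exposed as .SerialNumber (uppercase,
#    no spaces); if you noted it with spaces in Create the SCEP Certificates, remove them.

$RegPath    = 'HKLM:\SOFTWARE\Certified Security Solutions\SCEP Server\Configuration'
$MinKeyBits = 2048   # the point of the custom templates: keys larger than 1024-bit

function Get-RsaKeySize {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($null -eq $rsa) { return 0 }   # not an RSA certificate
    return $rsa.KeySize
}

function Get-ScepInfraCert {
    param([Parameter(Mandatory)][string]$SubjectCN)
    $pattern = 'CN=' + [regex]::Escape($SubjectCN) + '(,|$)'
    $found = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -match $pattern } |
        Sort-Object -Property NotAfter -Descending
    if (-not $found) { throw "No certificate with a private key found for CN=$SubjectCN in LocalMachine\My" }
    $cert = @($found)[0]   # newest one, in case the template was enrolled more than once
    $bits = Get-RsaKeySize -Cert $cert
    if ($bits -lt $MinKeyBits) { throw "$SubjectCN (serial $($cert.SerialNumber)) has a $bits-bit key; expected at least $MinKeyBits" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "$SubjectCN (serial $($cert.SerialNumber)) has expired" }
    return $cert
}

# --- Registry sub-steps: write EncryptionSerial and SigningSerial as String Values (REG_SZ) ---
$enc  = Get-ScepInfraCert -SubjectCN 'Keyfactor SCEP Server Encryption'
$sign = Get-ScepInfraCert -SubjectCN 'Keyfactor SCEP Server Signing'

if (-not (Test-Path -Path $RegPath)) {
    throw "Registry key $RegPath not found; it is created by the SCEP installer, so complete the install first"
}
New-ItemProperty -Path $RegPath -Name 'EncryptionSerial' -PropertyType String -Value $enc.SerialNumber  -Force | Out-Null
New-ItemProperty -Path $RegPath -Name 'SigningSerial'    -PropertyType String -Value $sign.SerialNumber -Force | Out-Null

# Read back and make sure each stored serial resolves to exactly one certificate with a private key
$cfg = Get-ItemProperty -Path $RegPath
foreach ($name in 'EncryptionSerial', 'SigningSerial') {
    $serial = $cfg.$name
    $hits = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq $serial -and $_.HasPrivateKey })
    if ($hits.Count -ne 1) { throw "$name=$serial matches $($hits.Count) certificates in LocalMachine\My; expected exactly 1" }
    '{0,-16} {1}  ->  {2}  ({3}-bit, expires {4:yyyy-MM-dd})' -f $name, $serial, $hits[0].Subject, (Get-RsaKeySize -Cert $hits[0]), $hits[0].NotAfter
}

# --- Request Certificates step: which CAs can issue the two infrastructure templates? ---
# certutil -CATemplates lists the templates a CA is configured to issue. The CA config strings
# below are placeholders; replace them with "host\CA common name" values from your environment.
$CaConfigs = @('ca01.corp.example\Corp Issuing CA 1', 'ca02.corp.example\Corp Issuing CA 2')
$Needed    = @('CEP Encryption', 'Exchange Enrollment Agent (Offline request)')

foreach ($ca in $CaConfigs) {
    $out = & certutil.exe -config $ca -CATemplates 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { "{0}: certutil failed (exit {1}); CA unreachable or name wrong" -f $ca, $LASTEXITCODE; continue }
    $missing = @($Needed | Where-Object { $out -notmatch [regex]::Escape($_) })
    if ($missing.Count -gt 0) { "{0}: cannot issue {1}" -f $ca, ($missing -join '; ') }
    else                      { "{0}: can issue both SCEP infrastructure templates" -f $ca }
}
```

The read-back loop is the check worth keeping even if you set the values by hand in regedit: a serial that matches zero certificates (typo, wrong store, cert issued to the user rather than the machine) or more than one (template enrolled twice) will not be caught until the service tries to use the key. The certutil loop tells you, before you click Request Certificates, whether any CA you expect to serve the request is actually configured to issue the CEP Encryption and Exchange Enrollment Agent (Offline request) templates.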