Renew Certificates Using Custom Templates
To renew the certificates using your custom templates:
1. On the Keyfactor SCEP server, use the Registry Editor (regedit) to open the following configuration area:
   HKEY_LOCAL_MACHINE\SOFTWARE\Certified Security Solutions\SCEP Server\Configuration
2. Double-click to edit the EncryptionSerial configuration setting and copy the serial number for the Keyfactor SCEP Server Encryption certificate to a saved location in case you need to revert to the old value, making a note that this is the serial number for the old Keyfactor SCEP Server Encryption certificate. Click Cancel to close the dialog.
3. Double-click to edit the SigningSerial configuration setting and copy the serial number for the Keyfactor SCEP Server Signing certificate to a saved location in case you need to revert to the old value, making a note that this is the serial number for the old Keyfactor SCEP Server Signing certificate. Click Cancel to close the dialog.
4. On the Keyfactor SCEP server, open an empty instance of the Microsoft Management Console (MMC).
5. Choose File->Add/Remove Snap-in….
6. In the Available snap-ins column, highlight Certificates and click Add.
7. In the Certificates snap-in popup, choose the radio button for Computer account, click Next, accept the default of Local computer, and click Finish.
8. In the Certificates MMC, drill down to the Certificates folder under Personal, right-click the Keyfactor SCEP Server Encryption certificate (your certificate may have a different name), and choose Open. On the Details tab, locate the Serial number and confirm that it matches the serial number you copied in step two. On the Details tab, locate the Certificate Template Information and make a note of the template used to acquire the certificate.
9. In the Certificates folder under Personal, right-click the Keyfactor SCEP Server Signing certificate (your certificate may have a different name), and choose Open. On the Details tab, locate the Serial number and confirm that it matches the serial number you copied in step three. On the Details tab, locate the Certificate Template Information and make a note of the template used to acquire the certificate.
10. Under the Personal folder, right-click Certificates and choose All Tasks->Request New Certificate….
11. In the Certificate Enrollment Wizard, click Next.
12. On the Select Certificate Enrollment Policy page, accept the default and click Next.
13. On the Request Certificates page, scroll down to locate the template you identified in step eight (or another template you have created for the SCEP encryption certificate as per Enable the Required Templates for SCEP Infrastructure), and check the box for the template. If the template does not appear in the list, verify that the SCEP server machine account has been granted Enroll permission on the template.
14. On the Request Certificates page, click the link below the Keyfactor SCEP Encryption template name that says “More information is required to enroll for this certificate…”. On the Subject tab of the Certificate Properties dialog, select Common name in the Type dropdown under Subject name, enter a name for the certificate in the Value field, and click Add. No specific text is required in the subject name; it is for your reference and to clarify the purpose of the certificate, e.g. Keyfactor SCEP Server Encryption. Click OK at the bottom of the Certificate Properties dialog.
15. On the Request Certificates page, click Enroll to enroll for the certificate and click Finish when the enrollment is complete.
16. Repeat steps 10 through 15 using the Keyfactor SCEP Signing template identified in step nine (or another template you have created for the SCEP signing certificate as per Enable the Required Templates for SCEP Infrastructure) to acquire a second certificate.
17. In the Certificates MMC, in the Certificates folder under Personal, right-click the Keyfactor SCEP Server Encryption certificate and choose Open. On the Details tab, locate the Serial number and copy the serial number from the box at the bottom of the dialog to a text file, making a note that this is the encryption certificate serial number. Remove the spaces from the serial number so that the serial number string looks something like this:
    69000016e1ffccf7521125122a0000000016e1
    Important: As displayed in the certificates dialog, the serial number has a narrow leading space that is actually an unprintable control character. If you accidentally copy this character and paste it into the registry setting when you are following the instructions in steps 21 and 22, the serial numbers will fail to appear in the Keyfactor SCEP Configuration tool. Be sure to strip off any leading spaces from the copied text.
18. Repeat step 17 for the Keyfactor SCEP Server Signing certificate.
19. Return to the Registry Editor (regedit) and the following configuration area:
    HKEY_LOCAL_MACHINE\SOFTWARE\Certified Security Solutions\SCEP Server\Configuration
20. Double-click to edit the EncryptionSerial configuration setting and paste in the serial number for the Keyfactor SCEP Server Encryption certificate that you made note of in step 17, replacing the existing value. Click OK to save.
21. Double-click to edit the SigningSerial configuration setting and paste in the serial number for the Keyfactor SCEP Server Signing certificate that you made note of in step 18, replacing the existing value. Click OK to save.
22. Open the Keyfactor SCEP Configuration tool, which can be found on the Windows menus under Certified Security Solutions.
23. In the Keyfactor SCEP Configuration tool, in the SCEP Infrastructure Certificates section of the page, confirm that the serial numbers listed are the new serial numbers you made note of in steps 17 and 18.
24. In the Keyfactor SCEP Configuration tool, in the SCEP Service Account section of the page, check the Change Account box and re-enter the password for the SCEP service account. Click the verify button to confirm that the password entered is valid.
    Note: If the password for the SCEP service account is not immediately available, you can skip this step and instead manually grant the SCEP service account permissions to manage the private keys of the certificates as follows:
    - In the Certificates MMC, in the Certificates folder under Personal, right-click the Keyfactor SCEP Server Encryption certificate and choose All Tasks->Manage Private Keys….
    - In the Permissions for private keys dialog, click Add, add the SCEP service account (configured in the Keyfactor SCEP Configuration tool), and grant that service account Read but not Full control permissions. Click OK to save.
    - Repeat these steps for the Keyfactor SCEP Server Signing certificate.
25. At the bottom of the configuration tool, click Save and then close the dialog.
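As an added check that is not part of the Keyfactor documentation or product, the PowerShell script below reads EncryptionSerial and SigningSerial from the registry, strips the spaces and the invisible leading character described in step 17, and confirms that each value matches a certificate with a private key in the Local Computer Personal store, reporting how many days each certificate remains valid. It assumes the registry path and value names used in the procedure above; the function names are the example's own.

```powershell
# Added validation script, not Keyfactor's own tooling. Assumes the registry
# path and value names from the procedure above and the Local Computer
# Personal store; run in an elevated PowerShell session on the SCEP server.
$RegPath = 'HKLM:\SOFTWARE\Certified Security Solutions\SCEP Server\Configuration'

function ConvertTo-CleanSerial {
    param([string]$Raw)
    # MMC copies the serial with spaces and a hidden leading control character
    # (see the Important note in step 17). Keep only hex digits and upper-case
    # the result so it compares equal to X509Certificate2.SerialNumber.
    return ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Test-ScepSerial {
    param([Parameter(Mandatory)][string]$ValueName)
    $raw = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction Stop).$ValueName
    if ([string]::IsNullOrEmpty($raw)) { throw "Registry value $ValueName is empty" }
    $clean = ConvertTo-CleanSerial -Raw $raw

    # Look the serial up in Local Computer\Personal, where steps 8 and 9 found the
    # certificates; SerialNumber is already upper-case hex with no spaces.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.SerialNumber -eq $clean } | Select-Object -First 1

    $subject = $null; $daysLeft = $null; $hasKey = $false
    if ($cert) {
        $subject  = $cert.Subject
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        $hasKey   = $cert.HasPrivateKey   # the SCEP service account needs Read on this key
    }

    [pscustomobject]@{
        Value         = $ValueName
        Serial        = $clean
        # True when spaces or the invisible leading character were pasted in
        HasStrayChars = ($raw.Length -ne $clean.Length)
        Found         = [bool]$cert
        Subject       = $subject
        DaysLeft      = $daysLeft
        HasPrivateKey = $hasKey
    }
}

'EncryptionSerial', 'SigningSerial' |
    ForEach-Object { Test-ScepSerial -ValueName $_ } |
    Format-List
```

A row with HasStrayChars set to True explains the empty serial numbers in the Keyfactor SCEP Configuration tool that the Important note in step 17 warns about; a row with Found set to False means the registry value does not match any certificate in the store.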