Renew Certificates Using Custom Templates
To renew the Keyfactor SCEP infrastructure certificates using your custom templates:
- On the Keyfactor SCEP server, use the Registry Editor (regedit) to open the following configuration area:
  HKEY_LOCAL_MACHINE\SOFTWARE\Certified Security Solutions\SCEP Server\Configuration
- Double-click to edit the EncryptionSerial configuration setting and copy the value to a saved location as a backup. Click Cancel to close the dialog.
- Double-click to edit the SigningSerial configuration setting and copy the value to a saved location as a backup. Click Cancel to close the dialog.
- On the Keyfactor SCEP machine, do one of the following:
  - Using the GUI:
    - Open an empty instance of the Microsoft Management Console (MMC).
    - Choose File->Add/Remove Snap-in….
    - In the Available snap-ins column, highlight Certificates and click Add.
    - In the Certificates snap-in popup, choose the radio button for Computer account, click Next, accept the default of Local computer, and click Finish.
    - Click OK to close the Add or Remove Snap-ins dialog.
  - Using the command line:
    - Open a command prompt using the Run as administrator option.
    - Within the command prompt, type the following to open the certificates MMC: certlm.msc
- Drill down to the Certificates folder under Personal, right-click the Keyfactor SCEP Server Encryption certificate (your certificate may have a different name), and choose Open. On the Details tab, locate the Serial number and confirm that it matches the serial number you copied above. On the Details tab, locate the Certificate Template Information and make a note of the template used to acquire the certificate.
- In the Certificates folder under Personal, right-click the Keyfactor SCEP Server Signing certificate (your certificate may have a different name), and choose Open. On the Details tab, locate the Serial number and confirm that it matches the serial number you copied above. On the Details tab, locate the Certificate Template Information and make a note of the template used to acquire the certificate.
- Acquire new certificates as described for Create the Keyfactor SCEP Certificates.
- Return to the Registry Editor (regedit) and the following configuration area:
  HKEY_LOCAL_MACHINE\SOFTWARE\Certified Security Solutions\SCEP Server\Configuration
- Double-click to edit the EncryptionSerial configuration setting and paste in the serial number for the new Keyfactor SCEP Server Encryption certificate. Click OK to save.
- Double-click to edit the SigningSerial configuration setting and paste in the serial number for the new Keyfactor SCEP Server Signing certificate. Click OK to save.
- Open the Keyfactor SCEP Configuration tool, which can be found on the Windows menus under Keyfactor.
- In the Keyfactor SCEP Configuration tool in the SCEP Infrastructure Certificates section of the page, confirm that the serial numbers listed are the expected new serial numbers.
- In the Keyfactor SCEP Configuration tool in the SCEP Service Account section of the page, check the Change Account box and re-enter the password for the Keyfactor SCEP service account. Click the verify button to confirm that the password entered is valid.
  Note: If the password for the Keyfactor SCEP service account is not immediately available, you can skip this step and instead manually grant the Keyfactor SCEP service account permissions to manage the private keys of the certificates as follows:
  - In the Certificates MMC in the Certificates folder under Personal, right-click the Keyfactor SCEP Server Encryption certificate and choose All Tasks->Manage Private Keys….
  - In the Permissions for private keys dialog, click Add, add the SCEP service account (configured in the Keyfactor SCEP Configuration tool), and grant that service account Read but not Full control permissions. Click OK to save.
  - Repeat these steps for the Keyfactor SCEP Server Signing certificate.
- At the bottom of the configuration tool, click Save and then close the dialog.
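
The serial-number comparison in the steps above can also be scripted. The following is an added example, not part of the Keyfactor documentation: a PowerShell check, run from an elevated prompt before and after the registry change, that reads EncryptionSerial and SigningSerial, finds the matching certificates in the local computer's Personal store, and reports the template and expiry of each. It assumes the registry values hold the serial as hex text; the backup file location is hypothetical.

```powershell
# Added example: check the SCEP serial settings against the machine store.
# Registry path and value names are taken from the procedure above.
$configPath = 'HKLM:\SOFTWARE\Certified Security Solutions\SCEP Server\Configuration'
$settings   = 'EncryptionSerial', 'SigningSerial'

# Template extensions: v2 "Certificate Template Information", v1 "Certificate Template Name"
$templateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'

$config = Get-ItemProperty -Path $configPath -ErrorAction Stop
$store  = Get-ChildItem -Path Cert:\LocalMachine\My

$report = foreach ($name in $settings) {
    # Assumption: the value is hex text; drop spaces and normalise case before comparing
    $serial = ([string]$config.$name -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $cert   = $store | Where-Object { $_.SerialNumber -eq $serial } | Select-Object -First 1

    $template = $null
    if ($cert) {
        $ext = $cert.Extensions |
               Where-Object { $templateOids -contains $_.Oid.Value } |
               Select-Object -First 1
        if ($ext) { $template = $ext.Format($false) }
    }

    [pscustomobject]@{
        Setting       = $name
        Serial        = $serial
        FoundInStore  = [bool]$cert
        Subject       = if ($cert) { $cert.Subject }
        Template      = $template
        NotAfter      = if ($cert) { $cert.NotAfter }
        HasPrivateKey = if ($cert) { $cert.HasPrivateKey }
    }
}

$report | Format-List

# Keep a timestamped copy of the serials as the backup the procedure asks for.
# Hypothetical output location; change as needed.
$backup = Join-Path $env:TEMP ("scep-serials-{0:yyyyMMdd-HHmmss}.csv" -f (Get-Date))
$report | Select-Object Setting, Serial | Export-Csv -Path $backup -NoTypeInformation
Write-Host "Serial backup written to $backup"

# Warn if a configured serial has no matching certificate with a private key
$bad = $report | Where-Object { -not $_.FoundInStore -or -not $_.HasPrivateKey }
if ($bad) { Write-Warning ("No usable certificate for: " + ($bad.Setting -join ', ')) }
```

HasPrivateKey only shows that a key is associated with the certificate; whether the SCEP service account can read it is governed by the Manage Private Keys permissions described in the note above.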