Requesting Endpoint Certificates Using SCEP (Enterprise)

Simple Certificate Enrollment Protocol (SCEP) lets you simplify the retrieval and installation of digital certificates by enabling devices to obtain certificates automatically from a SCEP server. Management Console supports SCEP requests for different certificate usage types on client and host endpoints. Administrators of Management Console Enterprise administrators can reference SCEP issued certificate information from the dashboard and may now see certificate statuses of NOT APPLICABLE or NOT REQUESTED.

This topic covers creating, viewing, editing and deleting a certificate rule, and how to initiate a certificate request using SCEP.

The following conditions apply when performing a certificate request using SCEP:

  • Each certificate usage type can be used once in a rule per group

  • A group can only be applied to one certificate rule

  • Remote Workstation Cards must be using firmware 21.07 or newer

  • Zero Clients running firmware prior to 21.07:

    • Request 802.1x usage certificates only. Rules including Administrative Web Interface usage certificates will not initiate the AWI request but will initiate an included 802.1X certificate request.

    • The Request Certificate button will not activate if the rule is only for AWI usage type and will display NOT APPLICABLE in the ENDPOINT page certificate status column.

  • Endpoints running firmware 21.07 or newer:

    • Users can request all certificate usage types

    • Initially the status will show NOT REQUESTED on the ENDPOINTS page

    • Users will only see single certificate information on the ENDPOINT DETAILS and ENDPOINTS page after completion of the request even if multiple certificates are requested.

Certificate status for SCEP certificate request times

The certificate status will update after the SCEP requests complete which usually takes between 5 to 20 minutes.

Certificate requests using SCEP are available for the following usage types:

  • 802.1X: Allows you to use SCEP to request a custom certificate to authenticate PCoIP endpoints in your 802.1x configuration.

  • Administrators Web Interface (AWI): Allows you to use SCEP to request a custom certificate to access the Administrative Web Interface (AWI).

New certificate rule

Tip: Organize endpoints into groups

Before you create an endpoint certificate, organize your endpoints into groups. See Organizing Endpoints into Groups.

To create an endpoint certificate rule

  1. Click ENDPOINT CERTIFICATES to display the CERTIFICATE MANAGEMENT window.

  2. Click NEW CERTIFICATE RULE.

  3. In the Groups field, click ADD to add a group that was set up on the ENDPOINTS page. If required, you can remove a group by highlighting it and clicking REMOVE.

  4. From the request tab, select the Usage Name.

  5. In the Server URI, field, type the Uniform Resource Identifier (URI) of the SCEP server that is configured to issue certificates for the group.

  6. In the Server Password field, type the password for the SCEP server.

  7. In the CA Identifier field, type the certification authority issuer identifier if your SCEP server requires it (the CA Identifier is supported for devices running firmware 5.4 or later). A CA Identifier is any string that is understood by the SCEP server (for example, a domain name).

  8. Click SAVE.

You can add an additional SCEP request by selecting the plus tab. When all usage types are configured, the plus tab no longer appears.

To view an endpoint certificate rule

  1. Click ENDPOINT CERTIFICATES to display the CERTIFICATE MANAGEMENT window.

  2. Highlight the certificate rule you would like to edit and click the View button.

From the view rule window, you can use the Next or Prev (previous) buttons to browse your rules. In deployments with many rules, you can jump to a rule using one of the drop down menus that display the first group of the groups used in each rule.

Rule drop down menu

To edit an endpoint certificate rule

  1. Click ENDPOINT CERTIFICATES to display the CERTIFICATE MANAGEMENT window.

  2. Highlight the certificate rule you would like to edit.

  3. Click EDIT to revise an endpoint certificate rule.

  4. Click Save after you are finished making your edits.

To delete an endpoint certificate rule

  1. Click ENDPOINT CERTIFICATES to display the CERTIFICATE MANAGEMENT window.

  2. Highlight a certificate rule that you want to delete.

  3. Click DELETE.

  4. Confirm your deletion by clicking DELETE in the DELETE CERTIFICATE RULE dialog box.

Deleting SCEP certificate rules

You can also delete a SCEP certificate rule using the DELETE button while editing or creating a rule.

Initiating a Certificate Request

Prior to requesting a certificate, a certificate rule for your endpoint must exist. If your endpoint is not part of a group the rule is applied to, the request certificate button will be deactivated. You can use Management Console to request certificates for endpoints in 4 ways.

  • Using the ENDPOINTS page

    1. From the dashboard click ENDPOINTS.

    2. Highlight your endpoint or group of endpoints, and click ENDPOINTS > REQUEST CERTIFICATES.

  • Using the Endpoints details page

    1. From the dashboard click ENDPOINTS.

    2. Highlight your endpoint and click ENDPOINTS > DETAILS.

    3. Click ENDPOINTS > REQUEST CERTIFICATES.

  • Create a schedule

    1. From the dashboard click SCHEDULE.

    2. Select NEW SCHEDULE.

    3. Select the Request Certificate type and all other schedule requirements for your schedule.

    4. Click Save. The request will initiate at the set scheduled time.

    See Managing Schedules for further details creating schedules.

  • Create an auto configuration rule

    1. From the dashboard click AUTO CONFIGURATION.

    2. Click NEW RULE.

    3. Ensure the Request Certificate checkbox is selected and configure all other values required for your auto configuration.

    4. Click Save.

    See Auto Configuring Endpoints for further details creating auto configuration rules.