Configure Simple Certificate Enrollment Protocol
Prisma SD-WAN provides a Simple Certificate Enrollment Protocol (SCEP) to use the external root or sub-CA for certificate signing, renewal, and revocation purposes.
Where Can I Use This?
  • Prisma SD-WAN
What Do I Need?
  • Prisma SD-WAN license
Prisma SD-WAN provides an ability to integrate with enterprise digital certificate management systems using Simple Certificate Enrollment Protocol (SCEP).
ION device certificate operation using SCEP integration:
  1. The ION device establishes a TLS connection with the controller using its Manufacturing Installed Certificate (MIC), and the controller establishes a SCEP session with the customer PKI server. When a claim request is made from the portal, the device generates a CSR and securely sends it to the controller over the TLS session.
  2. Prisma SD-WAN Controller forwards this CSR to the customer PKI server across the SCEP session.
  3. The SCEP server signs the CSR, issues the certificate, and sends it back to the controller. The controller forwards the Customer Issued Certificate (CIC) to the ION device, which installs it. At this point, the ION device terminates the existing connection and re-establishes a new TLS connection using the CIC. After the new connection is established, the network administrator can proceed with policy and other relevant configurations so that the device becomes part of the network.
Using the external root or sub-CA, SCEP supports the following certificate operations:
  • Sign—After obtaining a challenge password (OTP) from the SCEP server, the SCEP plug-in forwards the CSR to the SCEP server for enrollment. The signed certificate is returned to the device as an X.509 certificate and stored locally.
  • Renew—Signed certificates are valid for a specific period (one year). You must renew the certificate before it expires (60 days in advance). The expiry time is configurable, and certificate renewal is triggered ahead of the expiry date.
    The CSR for renewal must originate from the device. The renewal request is treated like an enrollment request and sent to the SCEP server for signing. The signed certificate is sent back to the device, which replaces the old certificate with the newly signed one in its trust store.
  • Revoke—From the SCEP server, the certificate is revoked on the external CA and the revocation is synchronized to the cloud controller for the device (unclaimed or retired). SCEP does not support online revocation of a device; revocation must be performed offline.
For certificate information, go to Claim Certificate to see the Status, Issue Date, Expiration Date, Renewal Status, and Issuer information of the claimed device. To trigger the renewal process of the certificate, select the Trigger CIC Renewal link.
  1. From the Prisma SD-WAN web interface, navigate to Users > System Administration > Certificate Authority to display the Certificate Authority widget.
  2. Select Local for the local certificate and Submit your changes.
    The Certificate Signing timeout (range 10 to 300) and Certificate Renewal fields, expiration window (range 30 to 90) and wait time (range 5 to 1440), are populated with default values. Make sure that the displayed values are appropriate for your certificate.
  3. Select SCEP for the SCEP certificate.
    1. For SCEP configurations, import the certificate file from the trusted server.
    2. Enter the Server IP, Server Username, and Server Password to log in.
    3. Provide Max Concurrent Challenge Passwords (1 to 20) and the Challenge Passwords URI from which the SCEP server's challenge password is obtained.
    4. In Enrollment Site URI, enter the SCEP server's enrollment endpoint; the challenge password obtained above is used there to import the SCEP certificate file from the trusted database.
    5. Select Use of an HTTPS connection? to connect to the SCEP server over HTTPS.
    6. Submit your changes.
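The following is an added example, not Prisma SD-WAN code, that ties the Renew operation and the configuration fields above together: it validates the field ranges the procedure lists, builds the SCEP operation URL from the Enrollment Site URI and the HTTPS setting, parses a GetCACaps response to see whether the CA advertises the Renewal capability, and decides when a one-year certificate falls inside the renewal window. The URL layout (`<enrollment URI>?operation=<name>`) and the plain-text GetCACaps format follow RFC 8894; that the window is in days and the wait time in minutes, and the sample CA response, are assumptions made here.

```python
"""Added example (not Prisma SD-WAN code): SCEP renewal-window and
configuration checks built around the fields described on this page.

Assumptions (not stated on the page): the Enrollment Site URI is the SCEP
endpoint to which `?operation=...` is appended (RFC 8894 style), the
expiration window is measured in days and the wait time in minutes, and
the GetCACaps response is a newline-separated list of capability names.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional
from urllib.parse import urlencode, urlsplit, urlunsplit

# Field ranges taken from the configuration procedure on the page.
SIGNING_TIMEOUT_RANGE = (10, 300)
EXPIRATION_WINDOW_RANGE = (30, 90)
WAIT_TIME_RANGE = (5, 1440)
MAX_CHALLENGE_RANGE = (1, 20)


@dataclass(frozen=True)
class RenewalConfig:
    signing_timeout: int            # Certificate Signing timeout
    expiration_window_days: int     # Certificate Renewal expiration window
    wait_time_minutes: int          # Certificate Renewal wait time
    max_concurrent_challenges: int  # Max Concurrent Challenge Passwords

    def validate(self) -> None:
        """Reject values outside the ranges the page's form allows."""
        checks = (
            ("signing_timeout", self.signing_timeout, SIGNING_TIMEOUT_RANGE),
            ("expiration_window_days", self.expiration_window_days, EXPIRATION_WINDOW_RANGE),
            ("wait_time_minutes", self.wait_time_minutes, WAIT_TIME_RANGE),
            ("max_concurrent_challenges", self.max_concurrent_challenges, MAX_CHALLENGE_RANGE),
        )
        for name, value, (lo, hi) in checks:
            if not lo <= value <= hi:
                raise ValueError(f"{name}={value} is outside the allowed range {lo}-{hi}")


def scep_operation_url(enrollment_uri: str, operation: str,
                       use_https: bool, message: Optional[str] = None) -> str:
    """Build `<enrollment URI>?operation=...`, forcing the scheme to match the
    'Use of an HTTPS connection?' setting so a pasted http:// URI cannot
    silently downgrade the session."""
    parts = urlsplit(enrollment_uri)
    scheme = "https" if use_https else "http"
    query = {"operation": operation}
    if message is not None:
        query["message"] = message
    return urlunsplit((scheme, parts.netloc, parts.path, urlencode(query), ""))


def parse_ca_caps(body: str) -> FrozenSet[str]:
    """Parse a GetCACaps body: one capability name per line (RFC 8894)."""
    return frozenset(line.strip() for line in body.splitlines() if line.strip())


def renewal_due(not_after: datetime, now: datetime, cfg: RenewalConfig) -> bool:
    """True once `now` is inside the configured window before expiry."""
    return now >= not_after - timedelta(days=cfg.expiration_window_days)


def plan_renewal(caps: FrozenSet[str], not_after: datetime,
                 now: datetime, cfg: RenewalConfig) -> Dict[str, object]:
    """Decide whether to renew now, how, and when to look again.

    If the CA does not advertise 'Renewal', the request is sent as a fresh
    enrollment carrying a challenge password, which matches the page's
    statement that a renewal is treated like an enrollment request.
    """
    cfg.validate()
    due = renewal_due(not_after, now, cfg)
    return {
        "due": due,
        "method": "renewal" if "Renewal" in caps else "enrollment_with_challenge",
        "next_check": now + timedelta(minutes=cfg.wait_time_minutes),
        "days_left": (not_after - now).days,
    }


if __name__ == "__main__":
    # Constructed sample: a CA answering GetCACaps over HTTPS.
    sample_caps = parse_ca_caps("POSTPKIOperation\r\nSHA-256\r\nAES\r\nRenewal\r\n")
    cfg = RenewalConfig(60, 60, 30, 5)
    issued = datetime(2024, 1, 1, tzinfo=timezone.utc)
    expires = issued + timedelta(days=366)  # one-year certificate
    print(scep_operation_url("http://pki.example.test/cgi-bin/pkiclient.exe", "GetCACaps", True))
    print(plan_renewal(sample_caps, expires, datetime(2024, 11, 3, tzinfo=timezone.utc), cfg))
```

The scheme override in `scep_operation_url` is the point a defender cares about: the challenge password and the signed certificate travel over this endpoint, so the HTTPS checkbox should win over whatever scheme was typed into the URI field.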