In this page we guide you through installing an X.509 certificate with EZCA SCEP on Linux using our script, with a password-protected private key.
We provide instructions for doing it manually, step by step, and for using our script.
You need coreutils, curl, head, and openssl on your device. The scepclient binary is available at https://download.keytos.io/Downloads/linux-scripts/scepclient-linux-amd64.
This client was built from the latest commit of this repo.
You can install the binary with the following command:
export BINARY_NAME=scepclient
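# Download the SCEP client and make it executable.
# -f: fail on an HTTP error instead of saving the error page as the "binary";
# -L: follow redirects. chmod only runs if the download succeeded, so a failed
# download never leaves an executable behind.
curl -fsSL -o "$BINARY_NAME" https://download.keytos.io/Downloads/linux-scripts/scepclient-linux-amd64 \
  && chmod +x "$BINARY_NAME"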
Generate a private key with openssl:
export PRIVATE_KEY_PATH=key.pem
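# Generate a 2048-bit RSA key in PKCS#1 ("traditional") PEM format.
# The key is written unencrypted at this point, so make sure only the owner
# can read it (the mode openssl itself applies varies between builds).
openssl genrsa -traditional -out "$PRIVATE_KEY_PATH" 2048 \
  && chmod 600 "$PRIVATE_KEY_PATH"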
Use the scepclient binary to install the SCEP certificate; the SCEP certificate will be in the file client.pem:
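# Enroll the key over SCEP using the static challenge. Every value is quoted
# so an organization name or CN containing spaces is passed as one argument.
./"$BINARY_NAME" \
  -server-url "$EZCA_STATIC_CHALLENGE_SCEP_URL" \
  -private-key "$PRIVATE_KEY_PATH" \
  -challenge "$SCEP_STATIC_CHALLENGE" \
  -cn "$USER_CERTIFICATE_COMMON_NAME" \
  -organization "$USER_CERTIFICATE_ORGANIZATION" \
  -ou "$USER_CERTIFICATE_ORGANIZATION_UNIT" \
  -country "$USER_CERTIFICATE_COUNTRY"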
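export ENCRYPTED_KEY_PATH=key.encrypted.pem
export PRIVATE_KEY_PASSWORD=my-strong-password
# The input key is unencrypted, so the passphrase that protects the OUTPUT
# must be given with -passout (with -passin only, openssl ignores the value
# and prompts interactively). env: reads it from the exported variable so it
# never appears in the process argument list.
openssl rsa -aes256 -in "$PRIVATE_KEY_PATH" -out "$ENCRYPTED_KEY_PATH" -passout env:PRIVATE_KEY_PASSWORD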
Copy the script below to a file and fill in your values by uncommenting each variable line (removing the leading #) and entering the corresponding value.
The certificate will be installed to $HOME/.local/share/keytos/scep_certs, the private key will be automatically encrypted, and the private key password will be stored in $HOME/.local/share/keytos/scep_certs/key.pwd.
Make sure not to leave any spaces between the variable name and the value:
# To change this
# SCEP_CHALLENGE= # SCEP static challenge password
# Correct
SCEP_CHALLENGE=0000000000000000
# Incorrect
SCEP_CHALLENGE= 0000000000000000
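#!/bin/bash
# Enroll a client certificate from EZCA over SCEP (static challenge) and keep
# it under INSTALL_DIR next to an AES-256 encrypted private key; the key
# passphrase is generated here and stored in key.pwd. Nothing is done if a
# certificate already exists and stays valid for more than two weeks.
#
# User-set values (uncomment and fill in, or export them before running)
# EZCA_SCEP_STATIC_URL= # set to static challenge URL
# SCEP_CHALLENGE= # SCEP static challenge password
# CERT_CN= # Cert common name
# CERT_O= # Cert organization
# CERT_OU= # Cert organization unit
# CERT_COUNTRY= # Cert country
## ---------- ## ---------- ## ---------- ## ---------- ## ---------- ##

# Every file created below (plaintext key, passphrase, encrypted key) must be
# owner-only regardless of the caller's umask.
umask 077

# Check all required executables exist
req_execs=("chmod" "curl" "head" "mkdir" "mv" "openssl" "rm" "tr")
for exe in "${req_execs[@]}"; do
  if ! command -v "$exe" >/dev/null 2>&1; then
    echo "Required executable $exe not found" >&2
    exit 1
  fi
done

if [ -z "$EZCA_SCEP_STATIC_URL" ]; then
  EZCA_INSTANCE=${EZCA_INSTANCE:-'DEFAULT_EZCA_INSTANCE'}
  EZCA_TENANTID=${EZCA_TENANTID:-'DEFAULT_EZCA_TENANTID'}
  EZCA_CAID=${EZCA_CAID:-'DEFAULT_EZCA_CAID'}
  EZCA_LOCATION=${EZCA_LOCATION:-'DEFAULT_EZCA_LOCATION'}
  EZCA_SCEP_STATIC_URL="https://${EZCA_INSTANCE}/api/SCEP/Static/${EZCA_TENANTID}/${EZCA_CAID}/${EZCA_LOCATION}"
fi
SCEP_CHALLENGE=${SCEP_CHALLENGE:-'DEFAULT_SCEP_CHALLENGE'}
CERT_CN=${CERT_CN:-'DEFAULT_CERT_CN'}
CERT_O=${CERT_O:-'DEFAULT_CERT_O'}
CERT_OU=${CERT_OU:-'DEFAULT_CERT_OU'}
CERT_COUNTRY=${CERT_COUNTRY:-'US'}

# Stop before touching the CDN or generating a key while the server URL or the
# challenge is still a DEFAULT_* placeholder: such an enrollment cannot succeed.
for var in EZCA_SCEP_STATIC_URL SCEP_CHALLENGE; do
  case "${!var}" in
    *DEFAULT_*)
      echo "$var is still set to a placeholder value; fill in the user-set values" >&2
      exit 1
      ;;
  esac
done

INSTALL_DIR=${INSTALL_DIR:-"$HOME/.local/share/keytos/scep_certs"}
SCEPCLIENT_PATH=$INSTALL_DIR/scepclient
KEY_PWD_PATH=$INSTALL_DIR/key.pwd
NEW_KEY_PATH=$INSTALL_DIR/key.pem
NEW_CER_PATH=$INSTALL_DIR/client.pem
ENCRYPTED_KEY_PATH=$INSTALL_DIR/key.encrypted.pem
CER_PATH=$INSTALL_DIR/certificate.pem

# Report $1, remove whatever a failed enrollment left behind (the plaintext key
# in particular) and exit non-zero. ${INSTALL_DIR:?} aborts rather than
# expanding the glob against "/" if the variable were ever empty.
abort_enrollment() {
  echo "$1" >&2
  rm -rf "${INSTALL_DIR:?}"/*.pem "$KEY_PWD_PATH"
  exit 1
}

# Only generate new certs if certs do not exist or certs will expire in two weeks.
# `x509 -checkend` prints a message in both cases, so its exit status
# (0 = still valid at the deadline) is what has to be tested, not its output.
if [ -f "$CER_PATH" ]; then
  TWO_WEEKS_IN_SECONDS=1209600
  if openssl x509 -checkend "$TWO_WEEKS_IN_SECONDS" -noout -in "$CER_PATH" >/dev/null 2>&1; then
    exit 0
  fi
fi

mkdir -p "$INSTALL_DIR" || exit 1

# Install SCEP client (pull from CDN). -f keeps an HTTP error page from being
# saved as the binary; a partial download is removed so the next run retries.
# NOTE(review): the binary is protected only by TLS here; verify a published
# checksum or signature if one is available before relying on it.
if [ ! -f "$SCEPCLIENT_PATH" ]; then
  if ! curl -fsSL 'https://download.keytos.io/Downloads/linux-scripts/scepclient-linux-amd64' --output "$SCEPCLIENT_PATH"; then
    rm -f "$SCEPCLIENT_PATH"
    echo "Failed to download scepclient" >&2
    exit 1
  fi
  chmod +x "$SCEPCLIENT_PATH"
fi

# Generate CERTS: a fresh 2048-bit RSA key (PKCS#1 PEM), then enroll it over SCEP.
openssl genrsa -traditional -out "$NEW_KEY_PATH" 2048 || abort_enrollment "Key generation failed"
if ! "$SCEPCLIENT_PATH" \
  -server-url "$EZCA_SCEP_STATIC_URL" \
  -private-key "$NEW_KEY_PATH" \
  -challenge "$SCEP_CHALLENGE" \
  -cn "$CERT_CN" \
  -organization "$CERT_O" \
  -ou "$CERT_OU" \
  -country "$CERT_COUNTRY"; then
  abort_enrollment "SCEP enrollment failed"
fi
rm -f "$INSTALL_DIR/csr.pem"

# Encrypt key and rename files. The fresh key is unencrypted, so only -passout
# is needed; reading the passphrase from the file keeps it out of the process
# argument list (a pass:$(cat ...) argument is visible to other local users
# through the process table).
tr -dc A-Za-z0-9 </dev/urandom | head -c 16 > "$KEY_PWD_PATH"
[ -s "$KEY_PWD_PATH" ] || abort_enrollment "Could not generate key passphrase"
# chmod covers a key.pwd / key.encrypted.pem left over from an earlier run,
# whose mode the umask above does not change.
chmod 600 "$KEY_PWD_PATH"
openssl rsa -aes256 -in "$NEW_KEY_PATH" -out "$ENCRYPTED_KEY_PATH" -passout "file:$KEY_PWD_PATH" \
  || abort_enrollment "Key encryption failed"
chmod 600 "$ENCRYPTED_KEY_PATH"
mv "$NEW_CER_PATH" "$CER_PATH"
rm -f "$NEW_KEY_PATH" "$NEW_CER_PATH"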