Certificates for SCEP

The SCEP agent stores the following certificates in /setup/cacerts/scep by default.

client.pem    Client certificate
client.key    Private key of the client certificate (2048 or 4096 bit RSA key); may be stored in the TPM 2.0 chip
serverca.pem  Server CA certificate
serverca.key  Server CA key, required for renewal of certificates
serverca.sig  Server CA signature, required for renewal of certificates
serverra.pem  RADIUS server certificate

Devices with TPM 2.0

The authentication procedures via WPA supplicant for wired Ethernet connections and via IEEE 802.1X for WLAN components consider both storage options for the SCEP private key – the file system and the TPM 2.0 chip.

Client certificates continue to be stored in the file system. The roll-out procedure, with which the devices initially receive the client certificates, is carried out exclusively via wired Ethernet connections. Existing certificates can be renewed both via wired Ethernet connections and via WLAN.

By default, the private key file of the SCEP client certificate is also stored in the file system. It is located under /setup/cacerts/scep or in the directory you have defined in the scep.ini file. When you perform an eLux firmware update to a version with TPM 2.0 support, existing private key files of the SCEP client certificate remain stored in the file system.

Private key in TPM 2.0 chip

This parameter ensures that the private key is generated for each TPM 2.0 device in its TPM module. It is stored there only and cannot be displayed or exported. The key never leaves the TPM chip of the device.

When the certificate is renewed, the private key is reused.

The SCEP agent creates a certificate signing request (CSR) via openssl with the public key of the TPM module. Each time a connection is set up to an 802.1X-secured port, the system checks for a valid certificate. The certificate must be signed with the private key of the TPM chip. If the certificate does not exist or is invalid, the connection attempt is rejected.

The client.key file remains in the file system but only contains information on the public key. The retained file name allows devices without a TPM to use the same certificate.
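The following shell functions, added here as an example and not part of the eLux SCEP agent, check the state described above on a device: whether client.key holds the private key (file system storage) or only the public key (TPM 2.0 storage), the RSA key size, and whether client.pem and client.key belong together. The file paths and the 2048 bit sample key are assumptions; make_sample builds constructed files with openssl so the checks can be tried offline.

```shell
#!/bin/sh
# Added example (not from the eLux documentation): inventory checks for the
# SCEP client certificate files. Paths and key sizes are assumptions.
set -eu

# Report where the SCEP private key lives, judging by the client.key file:
# on TPM 2.0 devices the file holds only the public key ("PUBLIC KEY" header),
# on devices without a TPM it holds the private key itself.
key_location() {            # $1 = path to client.key
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"; then
        echo filesystem
    elif grep -q -- '-----BEGIN PUBLIC KEY-----' "$1"; then
        echo tpm
    else
        echo unknown
    fi
}

# RSA modulus size in bits of the public key in client.pem (2048 or 4096 expected).
cert_key_bits() {           # $1 = path to client.pem
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# "match" when the public key in client.pem equals the key material in client.key
# (private or public-only form), otherwise "mismatch".
cert_key_match() {          # $1 = client.pem, $2 = client.key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    if [ "$(key_location "$2")" = filesystem ]; then
        key_pub=$(openssl pkey -in "$2" -pubout)
    else
        key_pub=$(openssl pkey -pubin -in "$2" -pubout)
    fi
    [ "$cert_pub" = "$key_pub" ] && echo match || echo mismatch
}

# Constructed sample: a 2048-bit key pair and self-signed certificate in $1,
# with client.key written in the public-only form a TPM 2.0 device would have.
make_sample() {             # $1 = target directory
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/private.pem" 2>/dev/null
    openssl pkey -in "$1/private.pem" -pubout -out "$1/client.key"
    openssl req -new -x509 -key "$1/private.pem" -subj "/CN=sample-client" \
        -days 1 -out "$1/client.pem" 2>/dev/null
}
```

On a real device, run key_location and cert_key_match against /setup/cacerts/scep/client.key and client.pem (or the directory set in scep.ini) to confirm that a TPM 2.0 device no longer keeps the private key on disk.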

To delete the key from the TPM 2.0 chip, clear the TPM in the BIOS. We recommend that you first revoke certificates that are still valid.