Breadcrumbs

UMS as a Certificate Authority (CA) Proxy

With the CA Proxy feature, you can use the IGEL Universal Management Suite (UMS) to enroll endpoint devices known to the UMS into an external PKI via EST or SCEP (IGEL OS Base System 12.9.0 or higher).

Process description for EST

As a precondition, a certificate profile has been defined in your PKI. The trust material for establishing an mTLS connection to the PKI has been configured in the UMS. When the endpoint device is configured to use the UMS as a Registration Authority / CA proxy, it sends a Certificate Signing Request (CSR) to the UMS. The UMS forwards this CSR to the PKI using the EST protocol. If proxies are configured for the UMS, the default proxy will be used for communication between the UMS and the external PKI; for details, see Proxy Server Configuration in the IGEL UMS. The PKI returns the signed certificate to the UMS. The UMS sends the issued certificate with the complete CA certificate chain of the issuer to the device.

Process description for SCEP

As a precondition, a certificate profile has been defined in your PKI. A challenge password for establishing a connection to the PKI has been configured on the devices. When the endpoint device is configured to use the UMS as a Registration Authority / CA proxy, it sends a Certificate Signing Request (CSR) to the UMS, including the challenge password. The UMS forwards this CSR to the PKI using SCEP. If proxies are configured for the UMS, the default proxy will be used for communication between the UMS and the external PKI; for details, see Proxy Server Configuration in the IGEL UMS. The PKI returns the signed certificate to the UMS. The UMS sends the issued certificate with the complete CA certificate chain of the issuer to the device.


UMS as a Certificate Authority (CA) Proxy has been tested with the following PKI’s:

  • EST and SCEP: EJBCA Enterprise (with the EST alias set to “RA mode”)

  • SCEP: Microsoft CA

Questions & Answers


Q: Is there any known risk of enabling the UMS to act as a CA proxy while the device is not configured to use this feature?
A: No, if the UMS is configured to act as a CA proxy and the devices are not configured to use the feature, nothing will happen. The UMS will not contact the CA unless a device is configured to send a CSR using the UMS as a CA proxy.


Q: Is there any traffic immediately sent to all devices when this is enabled?
A: As soon as the profile is assigned to devices, the UMS sends the settings to the relevant devices. Please note that these devices will immediately send a CSR using the UMS as a CA proxy.


Q: Is there a requirement to restart services for the UMS setting to take effect?
A: No, as soon as the UMS is configured to act as a CA proxy, the devices can request certificates.

Supported Encryption Algorithms for the Device Certificates

For the device certificates, the following encryption algorithms are supported:

  • RSA 2048

  • RSA 3072

  • RSA 4096

  • RSA 8192

  • ECDSA ed25519

  • EC brainpoolP256r1

  • EC brainpoolP384r1

  • EC brainpoolP512r1

  • EC prime256v1

  • EC secp256k1

  • EC secp384r1

  • EC secp521r1

Requirements

IGEL OS Endpoint Devices

  • For use with EST: Endpoint devices with IGEL OS 12.7.2 or higher

  • For use with EST and SCEP: Endpoint devices with IGEL OS 12.9.0 or higher

IGEL Universal Management Suite (UMS)

  • For use with EST: IGEL UMS 12.09.110 or higher

  • For use with EST and SCEP: IGEL UMS 12.12.100 or higher

  • IGEL UMS Enterprise License

PKI Server (EST)

  • Your EST configuration supports the default endpoint for EST as defined in RFC 7030

    • Without an optional CA label: /.well-known/est/<operation>

    • If an optional CA label is defined: /.well-known/est/<CA label>/<operation>

  • For the mTLS connection between the UMS and the PKI, the following encryption algorithms are supported:

    • RSA

    • ECDSA-p-256/384/512

    • ED-25519/448

Configuring the UMS to Act as a CA Proxy Using EST

The certificate profile on the PKI and the endpoint device must match.

  1. In the UMS Web App, go to the Devices area and click image-20250820-113920.png .

image-20250915-142457.png



  1. Select the CA Proxy tab and then select EST.

image-20260522-094449.png

If there is an already existing configuration for SCEP, a dialog informs you that the previos configuration will be deleted.

image-20260522-094938.png



  1. Enter the following data:

    • Configuration Name: Display name for your EST configuration

    • CA Hostname: The URL of your EST server

    • CA Port: The port required to connect to the EST server. Default: 443

    • CA Label: The optional EST CA label as outlined in RFC 7030 Section 3.2.2. Allowed characters: Letters, numbers, underscores (“_“), minus signs (“-”).

The EST CA label may be required to match the case of the CA label in your PKI. In the case of EJBCA, this setting is referred to as the alias, which is case-sensitive.

Example: If you have an alias called “VPN” in EJBCA Enterprise, then you must set the CA label to “VPN”; “vpn” or “Vpn” will not work.

image-20260529-073734.png



  1. To upload the keystore you have obtained from your PKI, click Upload Keystore and select the keystore file. Please note that the keystore must contain the following:

    • The web certificate for the EST server

    • The key pair for the client certificate

    • The private key that the UMS will use to communicate with the PKI (mTLS)

image-20250820-142510.png
image-20250820-142656.png



  1. Enter the Keystore Password. Note that the keystore and its keys must use the same password.

image-20260529-074210.png



  1. To test your connection, click Test Connection.

image-20260529-074310.png




  1. Review your configuration and click Save.

image-20260527-053609.png


Configuring the UMS to Act as a CA Proxy Using SCEP

The certificate profile on the PKI and the endpoint device must match.

  1. In the UMS Web App, go to the Devices area and click image-20250820-113920.png .

image-20250915-142457.png



  1. Select the CA Proxy tab and then select SCEP.

image-20260522-095301.png

If there is an already existing configuration for EST, a dialog informs you that the previous configuration will be deleted.

image-20260522-094938.png



  1. Select the CA Proxy tab and enter the following data:

    • Configuration Name: Display name for your SCEP configuration

    • URL: The URL of your SCEP server. Please note that if HTTPS is used, you must upload the appropriate certificate for this HTTPS connection. This is done via the Upload Certificate button that appears when the URL contains “https”.

    • Profile: (Optional) Profile name for the SCEP enrollment request

    • Fingerprint: Fingerprint of the root CA certificate. The following cryptographic hash algorithms are allowed:

      • MD5

      • SHA1

      • SHA256

image-20260527-054408.png



  1. To test your connection, click Test Connection.

image-20260527-054449.png



  1. Review your configuration and click Save.

image-20260527-054525.png



Configuring the Endpoint Device to Use the UMS as CA Proxy

Creating a UMS Profile

  1. In the UMS Web App, go to the Configuration section and click image-20250820-143531.png to create a new UMS profile.

image-20250820-143333.png



  1. Enter an appropriate name for the profile and click Select Apps.

image-20250820-144341.png



  1. Select IGEL OS Base System and click Next.

image-20250820-145156.png



  1. Go to Security > Certificates and click image-20250820-145406.png to add a new certificate.

image-20260522-124844.png



  1. Under Friendly Name, enter a name for the certificate.

This name must be unique among all configured certificates on the device. It will be used as a directory name for storing the certificate files on the device. If the name has already been taken, a warning will be displayed, and an entry will be written to the system log.

image-20250821-095914.png



  1. Enter the data for the endpoint device’s certificate profile according to the certificate profile you have configured in the PKI.

The certificate profile on the endpoint device and the certificate profile defined in the PKI must match. If the certificate enrollment fails, it is recommended to check the logs of the PKI.

Some certificate parameters can be derived automatically from the device; this is done with the following parameters:

Subject

  • Autocomplete Common Name
    The parameter replaces the occasionally configured Common Name.

    • Hostname: The device’s hostname is used as the common name

    • Unit ID: The device’s unit ID is used as the common name

Subject Alternative Name
These auto-completed names are always added to the configured Subject Alternative Name:

  • Autocomplete Hostname: If enabled, the device’s hostname is used in the subject alternative name

  • Autocomplete IP Address: If enabled, the device’s IP address is used in the subject alternative name

image-20250821-100009.png



  1. Only needed if SCEP is used: Enter the Challenge Password required for communication with the PKI and click Set password.

image-20260529-092128.png



  1. Edit the settings for certificate renewal according to your needs.

    • Automatic Renewal: When enabled, the certificate renewal will be triggered automatically, according to the settings below.

    • Units of renewal period: Choose whether the automatic certificate renewal will be triggered after a specified percentage of the validity period has passed or after a specified number of remaining days has been reached.

    • Percentage of remaining validity

    • Days of remaining validity

    • Renewal Period in Percent: Specifies the percentage of the validity period after which the renewal will be triggered. Only effective if Units or renewal period is set to Percentage of remaining validity.

    • Renewal Period in Days: Specifies the number of days remaining before the renewal is triggered. Only effective if Units or renewal period is set to Days of remaining validity.

image-20250821-060104.png



  1. Set Enrollment Protocol to IGEL UMS.

image-20250821-054256.png



  1. When you are done, click Confirm.

image-20250821-054523.png



  1. Review the setting Show notifications to the user. If enabled (default), the user will be notified about the certificate on the device.

image-20250821-115634.png



  1. Click Save and Close to finalize your profile.

image-20250821-060302.png



Assigning the Profile to the Devices

  1. Go to the Devices area and select the relevant device or the relevant directory of devices.

image-20250821-061154.png



  1. Set the filter to show only profiles and select the profile you previously created.

image-20250821-061400.png
image-20250821-061755.png
image-20250821-061848.png

The devices will try to obtain their certificates via the UMS immediately.

When Show notifications to the user is enabled (see Creating a UMS Profile, step 10), a notification is shown on the device indicating successful certificate enrollment.

image-20260529-081004.png



How Can I Verify if the Certificate Has Been Deployed on the Device?

Using the Friendly Name as the path to the enrolled certificate easily allows to configure it in use cases like 802.1x authentication or VPN.

→ Open a Local Terminal on the device and check for the following files:

  • /wfs/igel-certs/<FRIENDLY NAME>/cert.pem - The enrolled certificate in PEM format

  • /wfs/igel-certs/<FRIENDLY NAME>/cert.pfx - This is a PKCS12 container including the private key, certificate, and CA certificates. The container is protected by the configured key’s password.

  • /wfs/igel-certs/<FRIENDLY NAME>/pkey.pem - The private key in PEM format protected by the configured password

  • /wfs/igel-certs/<FRIENDLY NAME>/cacerts.pem - The CA certificate(s). Additionally, all the CA certificates are automatically installed to the system-wide OpenSSL repository of CAs in /etc/ssl/cert/ directory.

  • /wfs/igel-certs/<FRIENDLY NAME>/cacerts/<CN>.pem - The CA certificate from the bundle cacerts.pem. Additionally, all the CA certificates are automatically installed to the system-wide OpenSSL repository of CAs in /etc/ssl/cert/ directory.


→ To review the relevant log entries, enter journalctl | egrep 'rmagent|igel-certs'