Checking the Current Status of the Client Certificate Enrollment

Enter the command cert_show_status
The status for each certificate relating to SCEP is shown:

  • CA certificate
  • RA encryption certificate
  • RA signature certificate
  • Client certificate

Reviewing Log Messages

IGEL Linux v5:

In the log file /var/log/messages, search for cert_agent

IGEL Linux 10:

  1. Open the IGEL Setup and go to System > Registry > debug > tools.
  2. Enable log_partition_enabled.
  3. Enable syslog0.enabled.
    From now on, syslog messages will be written to /debuglog/messages

    For more information about advanced logging, see Extended Logging With Syslog, Tcpdump and Netlog (http://edocs.igel.com/index.htm#10482.htm).

  4. In the log file /var/log/messages, search for cert_agent

Reviewing the Certificates and Certificate Requests in the File System

List the contents of the directory by entering ls /wfs/scep-certificates/cert0/

Deleting a Certificate Request

As root, enter rm -rf /wfs/scep-certificates/cert0/
This removes the whole directory and everything in it.

Checking the CA

As root, enter scep_getca 0

Generating an SCEP Request Manually

As root, enter scep_mkrequest 0

Enrolling a Certificate Manually

As root, enter scep_enroll 0

Testing Certificate Renewal

  1. Become root.
  2. Generate an SCEP request and append "new" to the key file name: scep_mkrequest 0 "new"
    An SCEP request is issued. In the directory /wfs/scep-certificates/cert0/, the key file clientnew.key is created.
  3. Renew the certificate: scep_renew 0
  4. Overwrite the old certificate with the new one: mv /wfs/scep-certificates/cert0/clientnew.cert /wfs/scep-certificates/cert0/client.cert
  5. Overwrite the old key with the new one: mv /wfs/scep-certificates/cert0/clientnew.key /wfs/scep-certificates/cert0/client.key
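
A guarded version of steps 4 and 5, as an added example that is not IGEL's own tooling: it overwrites client.cert and client.key only if clientnew.cert carries the public key of clientnew.key and has not expired. It assumes PEM-encoded files, an unencrypted key and an openssl binary on the device; the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not part of the IGEL tooling.
# Assumptions: PEM-encoded files, unencrypted private key, openssl available.

# Print the public key (PEM) contained in a certificate or a private key.
# $1 = "cert" or "key", $2 = file path
pubkey_of() {
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
        key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
        *)    return 2 ;;
    esac
}

# Succeed only if certificate $1 and private key $2 share one public key.
# An unreadable or missing file counts as a mismatch.
pair_matches() {
    cert_pub=$(pubkey_of cert "$1") || return 1
    key_pub=$(pubkey_of key "$2") || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Replace client.cert/client.key with the renewed pair after checking it.
# $1 = certificate directory (defaults to the path used on this page)
promote_renewed() {
    dir=${1:-/wfs/scep-certificates/cert0}
    if ! pair_matches "$dir/clientnew.cert" "$dir/clientnew.key"; then
        echo "clientnew.cert does not match clientnew.key; nothing changed" >&2
        return 1
    fi
    # -checkend 0 fails if the certificate has already expired.
    if ! openssl x509 -in "$dir/clientnew.cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "clientnew.cert has expired; nothing changed" >&2
        return 1
    fi
    mv "$dir/clientnew.cert" "$dir/client.cert" &&
    mv "$dir/clientnew.key" "$dir/client.key"
}

# Usage, as root, after scep_renew 0:
#   promote_renewed /wfs/scep-certificates/cert0
```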