Configuring AppViewX SCEP Server
Prerequisites
Onprem
- Make sure that the SCEP pod is running in the cluster by using the command:
  kubectl get pods -A | grep scep
- Make sure that the <avx-platform-gateway-scep> and <avx-vendor-cert-scep-agent> services are running in the cluster by running:
  kubectl get svc -A | grep scep
SaaS
- Navigate to the installation directory of the cloud connector software.
- Run:
  cd deps/tools
- Run:
  ./k3s kubectl get svc -A | grep http
  Note: It should have the avx-mid-server-gateway-http or avx-mid-server-gateway-https under namespace cc.
Enabling SCEP Services
- Log onto the AppViewX installer node and open a terminal window.
- Go to the </installation_folder/appviewx_kubernetes/scripts> folder.
- Add avx-vendor-cert-scep-agent and avx_platform_gateway_external to ENABLED_PLUGINS in the appviewx.conf file.
- Specify the datacenter (DC) where the gateway must be deployed:
  avx_vendor_cert_scep_agent=<dc name>
  avx_platform_gateway_external=<dc name>
- Run the <plugins_install.sh> script.
- Verify that SCEP is enabled by running:
  kubectl get pods -A | grep scep
- Verify the plugin status and port number by running:
  kubectl get services -A | grep scep
- Make sure that the avx-vendor-cert-scep-agent and avx-platform-gateway-scep services are running.
- Make sure that the port number is 5303:30022 in avx-platform-gateway-est.
  Note: The number 30022 must be used in the UI configuration.
- Identify the nodes running the SCEP services by using:
  <kubectl get pods -n external-system -o wide>
  SCEP is available on all the nodes where the external system runs.
For SaaS
- Navigate to the installation directory of the cloud connector software.
- Run:
  cd deps/tools
- Run:
  ./k3s kubectl get svc -A
  Note: Ensure that avx-mid-server-gateway-http is present under namespace cc.
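The checks in the Onprem procedure above (service present, 5303:30022 NodePort, nodes running the gateway) can be scripted against kubectl output. The following is an added example, not AppViewX tooling; the kubectl output it parses is constructed, and it assumes the gateway service is named avx-platform-gateway-scep (as in Prerequisites) and exposes container port 5303.

```python
"""Check the SCEP plugin from kubectl output (added example, not AppViewX tooling).

Parses constructed samples of 'kubectl get svc -A' and
'kubectl get pods -n external-system -o wide' to confirm that the SCEP
services exist, extract the NodePort (the 30022 the UI configuration expects)
and list the nodes usable in the HTTP IP/FQDN field.
Assumption: the gateway service is avx-platform-gateway-scep on container port 5303.
"""
import re
from typing import Dict, List, Optional

# Constructed sample output; a real cluster shows different IPs, hashes and ages.
SAMPLE_SVC = """\
NAMESPACE         NAME                         TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)          AGE
external-system   avx-platform-gateway-scep    NodePort    10.43.12.7     <none>        5303:30022/TCP   3d
external-system   avx-vendor-cert-scep-agent   ClusterIP   10.43.44.120   <none>        8080/TCP         3d
kube-system       kube-dns                     ClusterIP   10.43.0.10     <none>        53/UDP,53/TCP    9d
"""

SAMPLE_PODS = """\
NAMESPACE         NAME                                     READY   STATUS    RESTARTS   AGE   IP           NODE        NOMINATED NODE   READINESS GATES
external-system   avx-platform-gateway-scep-6d8f9-abc12    1/1     Running   0          3d    10.42.0.15   avx-node1   <none>           <none>
external-system   avx-platform-gateway-scep-6d8f9-def34    1/1     Running   0          3d    10.42.1.9    avx-node2   <none>           <none>
external-system   avx-vendor-cert-scep-agent-7c4b2-ghi56   0/1     Pending   0          3d    <none>       <none>      <none>           <none>
"""

REQUIRED_SERVICES = ("avx-platform-gateway-scep", "avx-vendor-cert-scep-agent")
GATEWAY_CONTAINER_PORT = 5303  # assumption taken from the 5303:30022 mapping above


def parse_table(text: str) -> List[Dict[str, str]]:
    """Turn kubectl's column-aligned output into dicts keyed by header name.

    Columns are separated by two or more spaces, so multi-word headers such
    as 'NOMINATED NODE' stay intact.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    return [dict(zip(header, re.split(r"\s{2,}", ln.strip()))) for ln in lines[1:]]


def gateway_nodeport(svc_rows: List[Dict[str, str]],
                     service: str = "avx-platform-gateway-scep") -> Optional[int]:
    """Return the NodePort mapped to the gateway container port, or None."""
    for row in svc_rows:
        if row.get("NAME") != service:
            continue
        # PORT(S) looks like '5303:30022/TCP'; the second number is the NodePort.
        for m in re.finditer(r"(\d+):(\d+)/TCP", row.get("PORT(S)", "")):
            if int(m.group(1)) == GATEWAY_CONTAINER_PORT:
                return int(m.group(2))
    return None


def scep_nodes(pod_rows: List[Dict[str, str]],
               name_prefix: str = "avx-platform-gateway-scep") -> List[str]:
    """Nodes with a Running gateway pod: candidates for the HTTP IP/FQDN field."""
    return sorted({
        row["NODE"] for row in pod_rows
        if row.get("NAME", "").startswith(name_prefix) and row.get("STATUS") == "Running"
    })


def check_scep(svc_text: str, pods_text: str) -> Dict[str, object]:
    """Summarise the Enabling SCEP Services checks from the two kubectl outputs."""
    svc_rows = parse_table(svc_text)
    pod_rows = parse_table(pods_text)
    present = {r["NAME"] for r in svc_rows if "scep" in r["NAME"]}  # same filter as '| grep scep'
    return {
        "missing_services": [s for s in REQUIRED_SERVICES if s not in present],
        "ui_port": gateway_nodeport(svc_rows),
        "nodes": scep_nodes(pod_rows),
    }


if __name__ == "__main__":
    print(check_scep(SAMPLE_SVC, SAMPLE_PODS))
```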
Configuring SCEP Endpoint
- Click (Menu) > CERT+ > Administration > Auto Enrollment > SCEP.
  The Auto Enrollment : SCEP page appears.
- Click the + Add button.
- Enter the following fields:

Table 1. Field description on Auto Enrollment : SCEP page
Endpoint Details
*Name
  A unique name (alphanumeric string) to identify the agent setting. The name should not start with special characters. Acceptable characters: A-Z, a-z, 0-9, '.', '_', '-'
*SCEP URL
  Select either HTTP or HTTPS. Based on this selection, the SCEP endpoints are configured with an HTTP or HTTPS URL, and the port information is updated dynamically.
  Using Direct Gateway: In the SaaS setup, to consume the direct AEP gateway without installing the cloud connector, use HTTPS.
*IP/FQDN
  The dropdown list contains the FQDNs from the stored data. Users can choose from the available values. The hostname format is <tenant>-aep.<domainname>.
  For Onprem: the list is populated with the On-Prem node details.
  - Without load balancer
    - HTTP: Must contain the hostname of the node where the external gateway is running. To get the details, run kubectl get pods -n external-system -o wide. If the external gateway is running on multiple nodes, select any one of those nodes.
    - HTTPS: Must be the same as the web URL.
  - With load balancer
    - HTTP: Must be the hostname of the load balancer.
  For SaaS: the list is populated with the hostname of the Cloud Connector and the AEP Gateway details.
  - Using On-premises CC
    - Without load balancer: Must be the hostname of the cloud connector where the auto-enrollment gateway is running.
    - With load balancer: Must be the hostname of the load balancer.
  - Using Direct Gateway: In the SaaS setup, to consume the direct AEP gateway without installing the cloud connector, the FQDN/IP address is the tenant URL with "-aep" before the domain name.
*Port
  The port number is auto-populated based on the selected IP/FQDN value. If the IP/FQDN value is entered manually, enter the appropriate port number.
  - HTTP URL
    - Onprem - 30022
    - SaaS - 30022
  - HTTPS URL
    - Onprem - 31443
    - SaaS - 30020
Choose MDM Vendor
  Specifies the Mobile Device Management (MDM) vendor associated with this SCEP configuration. Choose one of:
  - Generic SCEP - For configurations requiring non-MDM SCEP devices/clients, select this value.
  - Addigy (MDM device validated by AppViewX)
  - JAMF (MDM device validated by AppViewX)
Challenge Type
  Defines the method used to validate the certificate enrollment request. The options are Static and Dynamic.
  - Static is supported when Choose MDM Vendor is Generic SCEP, Addigy, or JAMF. The Challenge Password field is enabled and used for enrollment of certificates with static password validation.
  - Dynamic is only supported when Choose MDM Vendor is JAMF. The CN (Common Name) field is enabled and used for enrollment of certificates using dynamic challenge password validation.
  Note: If you configure the Challenge Type as Dynamic:
  - Ensure that the SCEP client uses the URL <AppViewX SCEP URL>/getDynamicChallenge; it is used to fetch the dynamic challenge password.
  - Session validation is mandatory. The client must be configured with the required credentials.
Challenge Password
  The Challenge Password field is enabled when Choose MDM Vendor is Generic SCEP, Addigy, or JAMF and Challenge Type is Static. Enter the challenge token to be used while enrolling certificates.
  In the SaaS setup, to consume the direct AEP gateway without installing the cloud connector, it is recommended to provide a challenge password.
CN Variable
  The CN Variable (Common Name) dropdown field is enabled when Choose MDM Vendor is JAMF and Challenge Type is Dynamic. Select the appropriate value.
  Note: When configuring SCEP profiles in JAMF, if any variable is selected as the Common Name (CN), ensure that the same value is selected in the CN Variable field within AppViewX. This alignment is required to support dynamic challenge validation. For example, if the common name in the JAMF SCEP profile is set to $COMPUTERNAME, then in AppViewX you must select COMPUTERNAME (Applicable only for Computers) in the CN Variable field.
CA Accounts
*Certificate Group
  Select the group under which the certificate needs to be enrolled.
*Certificate Category
  Select the certificate type (Server / Client) to be enrolled.
*Select CA
  Select the required CA from the available options. The certificate will be enrolled under the selected CA. The CAs associated with the Default certificate group are:
  - AppViewX
  - AppViewX PKIaaS
  - AppViewX PKIaaS Native
  - Amazon Private CA
  - DigiCert
  - DigiCert One
  - EJBCA
  - Entrust
  - Entrust MPKI
  - GlobalSign Atlas
  - GlobalSign MSSL
  - HydrantID
  - IDnomic
  - Microsoft Enterprise
  - Microsoft Standalone
  - Nexus
  - OpenTrust
  - Sectigo (Comodo Certificate Manager)
  - SwissSign
  Note: The Vendor Specific Details and Custom Attributes sections are displayed for some of the CAs, as follows:
  - DigiCert
  - EJBCA
  - Entrust
  - Entrust MPKI
  - GlobalSign MSSL
  - MS Enterprise
  - Nexus
*: mandatory fields.
Note: Use the port number that appears when you enable SCEP services.

Health check URL for load balancer:
Onprem
- HTTP method: GET
- Healthcheck API: https://<FQDN>:30022
- FQDN: FQDN of the nodes running the external gateway.
- Expected response code: 404. Because the load balancer accesses the URL without any parameters, it receives a 404 response.
SaaS
- HTTP method: GET
- Healthcheck API: https://<FQDN>:30022 (HTTP) / https://<FQDN>:30020 (HTTPS)
- FQDN: FQDN of the cloud connector enabled with the HTTP/HTTPS gateway.
- Expected response code: 404. Because the load balancer accesses the URL without any parameters, it receives a 404 response.
When AppViewX is selected as the CA, the fields are as follows:
Table 2. Details for AppViewX CA
*CA Account
  Select a specific CA Account from the selected CA which is to be used for certificate creation operations.
*Certificate Profile
  Type 3 or more letters of the certificate keywords; a list of server certificates issued from the selected CA account is then displayed, and one certificate can be selected for further communications with the SCEP client machine.
*Registration Authority Certificate
  Add the chosen CA's issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search the required certificate from the AppViewX server inventory by typing the exact common name or serial number.
  Note: You can search for certificates using the serial number with or without the colon ":".
*CA Connector Name
  Name of the CA connector after the certificate is enrolled.
*Certificate Validity
  Validity of the certificate to be enrolled.
*: mandatory fields.

When AppViewX PKIaaS Native is selected as the CA, the fields are as follows:
Table 3. Details for AppViewX PKIaaS Native
*CA Account
  Select a specific CA Account from the selected CA which is to be used for certificate creation operations.
Template Name
  Select a template name from the dropdown list.
*Issuer Name
  Select an issuer name to issue the certificate.
*Registration Authority Certificate
  Add the chosen CA's issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search the required certificate from the AppViewX server inventory by typing the exact common name or serial number.
  Note: You can search for certificates using the serial number with or without the colon ":".
*CA Connector Name
  Name of the CA connector after the certificate is enrolled.
*Certificate Validity
  Validity of the certificate to be enrolled.
  Note: For some CAs, the validity available in their respective CA portal is applied regardless of the specified certificate validity.
*: mandatory fields.

When Amazon Private CA is selected as the CA, the fields are as follows:
Table 4. Details for Amazon Private CA
*CA Account
  Select a specific CA Account from the selected CA which is to be used for certificate creation operations.
*Region
  Select a valid region associated with the CA account. The dropdown is populated with the first available value. Select an appropriate value as required.
*Issuer
  Select a valid issuer associated with the CA account. The dropdown is populated with the first available value. Select an appropriate value as required.
*Signature Algorithm
  Select a valid signature algorithm associated with the CA account. The dropdown is populated with the first available value from the group's associated policy. Select an appropriate value as required.
*Registration Authority Certificate
  Add the chosen CA's issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search the required certificate from the AppViewX server inventory by typing the exact common name or serial number.
  Note: You can search for certificates using the serial number with or without the colon ":".
*CA Connector Name
  Name of the CA connector after the certificate is enrolled.
*Certificate Validity
  Validity of the certificate to be enrolled.
*: mandatory fields.

When AppViewX PKIaaS is selected as the CA, the fields are as follows:
Table 5. Details for AppViewX PKIaaS CA
*CA Account
  Select a specific CA Account from the selected CA which is to be used for certificate creation operations.
*Certificate Profile
  Type 3 or more letters of the certificate keywords; a list of server certificates issued from the selected CA account is then displayed, and one certificate can be selected for further communications with the SCEP client machine.
*Issuer Location
  Select the issuer location associated with the CA.
*Issuer Name
  Select the issuer name used to issue the certificate.
*Registration Authority Certificate
  Add the chosen CA's issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search the required certificate from the AppViewX server inventory by typing the exact common name or serial number.
  Note: You can search for certificates using the serial number with or without the colon ":".
*CA Connector Name
  Name of the CA connector after the certificate is enrolled.
*Certificate Validity
  Validity of the certificate to be enrolled.
*: mandatory fields.

When DigiCert is selected as the CA, the fields are as follows:
Table 6. Details for DigiCert CA
*CA Account
  Select a specific CA Account from the selected CA which is to be used for certificate creation operations.
*Division
  Select a division associated with the CA account. The dropdown is populated with the first available value. Select an appropriate value as required.
*Certificate Type
  Select a valid certificate type associated with the CA account. The dropdown is populated with the first available value. Select an appropriate value as required.
*Registration Authority Certificate
  Add the chosen CA's issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search the required certificate from the AppViewX server inventory by typing the exact common name or serial number.
  Note: You can search for certificates using the serial number with or without the colon ":".
*CA Connector Name
  Name of the CA connector after the certificate is enrolled.
*Order Validity
  Validity of the certificate to be enrolled.
*: mandatory fields.
If Select CA = DigiCert, a separate Vendor Specific Details section is displayed after the CA Accounts section with the two fields described below.
Table 7. Vendor Specific Details for DigiCert CA
*Server Type
  Select a server type. The dropdown is populated with the first available value. Select an appropriate value as required.
*Payment Method
  Select a payment method. The possible options are:
  - Bill To Account Balance - Pay with the account balance. Returns an error if this option is disabled for the account or if the account has insufficient funds.
  - Bill To Default Credit Card - Pay with the account's default credit card. Returns an error if no default credit card is configured for the account.
*: mandatory fields.

When DigiCert One is selected as the CA, the fields are as follows:
Table 8. Details for DigiCert One CA
*CA Account Name
  A unique name to identify the CA setting. Note: No special characters other than '.', '-', '_' are allowed. Names should not start with special characters.
*Purpose/Usage
  Certificate type for which CLM actions will be enabled, for example Server or Client.
Proxy Required
  Enable this field if the CA communication needs to happen via a proxy. The proxy details configured in general settings are used for communication.
Data Center (AppViewX's CA agent)
  Select the data center for CA communication; the CC node is the recommended option. The selected node handles the communication through the chosen CC node.
CA Configuration
*Base URL
  This URL contains the hostname of the DigiCert CA instance and is used for constructing the API requests.
*Authentication method
  By default, API Token is selected.
*API Token
  Enter the API token to authorize the communication between AppViewX and DigiCert One.
Allow Seat ID during enrollment
  Enabling this field displays a Seat ID field in the Auto enrollment settings that you can use instead of the CA settings.
*Seat ID
  Unique value assigned to identify an entity in the DigiCert One account. You can provide multiple IDs separated by commas. They can be used for enrollment, renewal, and regeneration.
Use DigiCert One to switch certificates from DigiCert MPKI
  Enable this field to automatically switch your DigiCert MPKI certificates to DigiCert One with auto-enrollment/auto-regenerate.
*: mandatory fields.

When EJBCA is selected as the CA, the fields are as follows:
Table 9. Details for EJBCA CA
*CA Account
  Select a specific CA Account from the selected CA which is to be used for certificate creation operations.
*Registration Authority Certificate
  Add the chosen CA's issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search the required certificate from the AppViewX server inventory by typing the exact common name or serial number.
  Note: You can search for certificates using the serial number with or without the colon ":".
*CA Connector Name
  Name of the CA connector after the certificate is enrolled.
*: mandatory fields.
If the selected CA is EJBCA, a separate Vendor Specific Details section is displayed after the CA Accounts section. Its fields are as follows:
Table 10. Vendor Specific Details for EJBCA CA
*End Entity Profile Name
  Select a profile of an end entity.
End entity user name
  Enter the user name for the end entity.
*Issuer Common Name
  Select a common name of an issuer.
*Certificate Profile Name
  Select a certificate profile name.
*: mandatory fields.

When Entrust is selected as the CA, the fields are as follows:
Table 11. Details for Entrust CA
*CA Account
  Select a specific CA Account from the selected CA which is to be used for certificate creation operations.
*Certificate Type
  Select a valid certificate type associated with the CA account.
  - If the Certificate Category radio button is set to Server, the dropdown list is populated with the first available value. Select an appropriate value as required.
  - If the Certificate Category radio button is set to Client, the dropdown list is populated with 'None' as the default value.
*Registration Authority Certificate
  Add the chosen CA's issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search the required certificate from the AppViewX server inventory by typing the exact common name or serial number.
  Note: You can search for certificates using the serial number with or without the colon ":".
*CA Connector Name
  Name of the CA connector after the certificate is enrolled.
*Certificate Validity
  Validity of the certificate to be enrolled (in days/months/years).
*: mandatory fields.
If the selected CA is Entrust, a separate section showing Vendor Specific Details and Custom Attributes is displayed after the CA Accounts section.
Note: Depending on the Entrust ECS account configuration, a Custom Attributes section may also be displayed.
Table 12. Vendor Specific Details for Entrust CA
Additional Emails
  Enter a valid email address.
Requester Name
  Enter the requester name.
Requester Email
  Enter a valid email ID.
Requester Phone
  Enter the 10-digit phone number.
*: mandatory fields.

When Entrust MPKI is selected as the CA, the fields are as follows:
Table 13. Details for Entrust MPKI CA
*CA Account
  Select a specific CA Account from the selected CA which is to be used for certificate creation operations.
*Registration Authority Certificate
  Add the chosen CA's issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search the required certificate from the AppViewX server inventory by typing the exact common name or serial number.
  Note: You can search for certificates using the serial number with or without the colon ":".
*CA Connector Name
  Name of the CA connector after the certificate is enrolled.
*: mandatory fields.
If the selected CA is Entrust MPKI, a separate Vendor Specific Details section is displayed after the CA Accounts section. Its fields are as follows:
Table 14. Vendor Specific Details for Entrust MPKI CA
*CA Name
  Select a CA name from the dropdown list.
*Certificate Profile
  Select a certificate profile from the dropdown list.
*: mandatory fields.

When GlobalSign Atlas is selected as the CA, the fields are as follows:
Table 15. Details for GlobalSign Atlas CA
*Select CA
  Select a specific CA Account from the selected CA which is to be used for certificate creation operations.
API Credential Friendly name
  Select a CA Account to communicate with during the certificate enrollment actions.
Certificate Profile
  Select the certificate profile from the dropdown list.
*Registration Authority Certificate
  Add the chosen CA's issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search the required certificate from the AppViewX server inventory by typing the exact common name or serial number.
  Note: You can search for certificates using the serial number with or without the colon ":".
*CA Connector Name
  Name of the CA connector after the certificate is enrolled.
*Certificate Validity
  Validity of the certificate to be enrolled (in days/months/years).
*: mandatory fields.
A Generic Fields section is also displayed below the CA Accounts section. It contains the fields related to the CSR parameters, based on the profile (API Credential Friendly name) selected. Only the Organization field is mandatory and is fetched from the selected profile; the rest of the fields are optional.

When GlobalSign MSSL is selected as the CA, the fields are as follows:
Table 16. Details for GlobalSign MSSL CA
CA Account
  Select a specific CA Account from the selected CA which is to be used for certificate creation operations.
Product Type
  Select the specific certificate type. The values are fetched from the CA Settings configuration.
*Registration Authority Certificate
  Add the chosen CA's issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search the required certificate from the AppViewX server inventory by typing the exact common name or serial number.
  Note: You can search for certificates using the serial number with or without the colon ":".
CA Connector Name
  Name of the CA connector after the certificate is enrolled.
Certificate Validity
  Validity of the certificate to be enrolled (in days/months/years).
*: mandatory fields.
The following field is displayed in the Vendor Specific Details section for the selected CA:
Table 17. Vendor Specific Details for GlobalSign MSSL CA
*Profile
  Select the profile based on the configurations made in the Certificate Authority setting.
*: mandatory fields.
The following fields are displayed in the Point of Contact section for the selected CA. The CA mandates the point of contact information for traceability; all auto-enrollment requests via this endpoint are registered with the point of contact information entered here.
Table 18. Point of Contact Details for GlobalSign MSSL CA
*First Name
  Enter the first name.
*Email Address
  Enter a valid email address.
*Phone Number
  Enter a valid phone number.
*: mandatory fields.

When Google is selected as the CA, the fields are as follows:
Table 19. Details for Google CA
*CA Account
  Select a specific CA Account from the selected CA which is to be used for certificate creation operations.
*Certificate Profile
  Select the certificate profile type.
*Issuer Location
  Select an issuer location that is associated with the CA account.
*Pool Name
  Select a pool name to issue the certificate.
Template Name
  Select an appropriate template name to issue the certificate.
*Issuer Name
  Select an issuer name to issue the certificate.
*Registration Authority Certificate
  Add the chosen CA's issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search the required certificate from the AppViewX server inventory by typing the exact common name or serial number.
  Note: You can search for certificates using the serial number with or without the colon ":".
*CA Connector Name
  Name of the CA connector after the certificate is enrolled.
*Certificate Validity
  Validity of the certificate to be enrolled.
*: mandatory fields.

When HydrantID is selected as the CA, the fields are as follows:
Table 20. Details for HydrantID CA
*CA Account
  Select a specific CA Account from the selected CA which is to be used for certificate creation operations.
*HydrantID Policy
  Select the policy associated with the CA Account to be used for certificate operations.
*Registration Authority Certificate
  Add the chosen CA's issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search the required certificate from the AppViewX server inventory by typing the exact common name or serial number.
  Note: You can search for certificates using the serial number with or without the colon ":".
*CA Connector Name
  Name of the CA connector after the certificate is enrolled.
*Certificate Validity
  Validity of the certificate to be enrolled.
*: mandatory fields.

When IDnomic is selected as the CA, the fields are as follows:
Table 21. Details for IDnomic CA
*CA Account
  Select a specific CA Account from the selected CA which is to be used for certificate creation operations.
*Certificate Profile
  Select the certificate profile from the dropdown list.
*Registration Authority Certificate
  Add the chosen CA's issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search the required certificate from the AppViewX server inventory by typing the exact common name or serial number.
  Note: You can search for certificates using the serial number with or without the colon ":".
*CA Connector Name
  Name of the CA connector after the certificate is enrolled.
*Certificate Validity
  Validity of the certificate to be enrolled (in days/months/years).
*: mandatory fields.

When Microsoft Enterprise is selected as the CA, the fields are as follows:
Table 22. Details for Microsoft Enterprise CA
*CA Account
  Select a specific CA Account from the selected CA which is to be used for certificate creation operations.
*Registration Authority Certificate
  Add the chosen CA's issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search the required certificate from the AppViewX server inventory by typing the exact common name or serial number.
  Note: You can search for certificates using the serial number with or without the colon ":".
*CA Connector Name
  Name of the CA connector after the certificate is enrolled.
*: mandatory fields.
If the selected CA is Microsoft Enterprise, a separate Vendor Specific Details section with a Template Name dropdown is displayed after the CA Accounts section.

When Microsoft Standalone is selected as the CA, the fields are as follows:
Table 23. Details for Microsoft Standalone CA
*CA Account
  Select a specific CA Account from the selected CA which is to be used for certificate creation operations.
*Registration Authority Certificate
  Add the chosen CA's issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search the required certificate from the AppViewX server inventory by typing the exact common name or serial number.
  Note: You can search for certificates using the serial number with or without the colon ":".
*CA Connector Name
  Name of the CA connector after the certificate is enrolled.
*: mandatory fields.

When Nexus is selected as the CA, the fields are as follows:
Table 24. Details for Nexus CA
*CA Account
  Select a specific CA Account from the selected CA which is to be used for certificate creation operations.
*Registration Authority Certificate
  Add the chosen CA's issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search the required certificate from the AppViewX server inventory by typing the exact common name or serial number.
  Note: You can search for certificates using the serial number with or without the colon ":".
*CA Connector Name
  Name of the CA connector after the certificate is enrolled.
*Certificate Validity
  Validity of the certificate to be enrolled (in days/months/years).
*: mandatory fields.
The following field is displayed in the Vendor Specific Details section for the selected CA:
Table 25. Vendor Specific Details for Nexus CA
*Procedure
  Select the procedure based on the configurations made in the Certificate Authority setting.

When OpenTrust is selected as the CA, the fields are as follows:
Table 26. Details for OpenTrust CA
*CA Account name
  Select a specific CA Account from the selected CA which is to be used for certificate creation operations.
*Certificate Management Profile
  Select the certificate issuance policy defined in the OpenTrust CA.
Zone
  The AppViewX configuration wrapper that maps to a CA + profile, used by end users or automation to request certificates consistently.
*Registration Authority Certificate
  Add the chosen CA's issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search the required certificate from the AppViewX server inventory by typing the exact common name or serial number.
  Note: You can search for certificates using the serial number with or without the colon ":".
*CA Connector Name
  Name of the CA connector after the certificate is enrolled.
*: mandatory fields.

When Sectigo (Comodo Certificate Manager) is selected as the CA, the fields are as follows:
Table 27. Details for Sectigo (Comodo Certificate Manager) CA
*CA Account
  A unique name to identify the CA setting. Note: No special characters other than '.', '-', '_' are allowed. Names should not start with special characters.
*Certificate Type
  Select a value from the dropdown list.
*Registration Authority Certificate
  Add the chosen CA's issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search the required certificate from the AppViewX server inventory by typing the exact common name or serial number.
  Note: You can search for certificates using the serial number with or without the colon ":".
*CA Connector Name
  Name of the CA connector after the certificate is enrolled.
*Certificate Validity
  Validity of the certificate to be enrolled (in days/months/years).
*: mandatory fields.

When SwissSign is selected as the CA, the fields are as follows:
Table 28. Details for SwissSign CA
*CA Account
  Select a specific CA Account from the selected CA to be used for certificate creation operations.
*Client Name
  Select the specific client.
*Product
  Select the specific product.
*Registration Authority Certificate
  Add the chosen CA's issued server certificate with the private key. This certificate acts as the RA certificate for SCEP enrollments. Search the required certificate from the AppViewX server inventory by typing the exact common name or serial number.
  Note: You can search for certificates using the serial number with or without the colon ":".
*CA Connector Name
  Name of the CA connector after the certificate is enrolled.
*Certificate Validity
  Validity of the certificate to be enrolled.
*: mandatory fields.
- Configure the Advanced Settings details as follows:
Table 29. Advanced Settings
*Include Truststore Certificates
  Select whether the issuer certificate needs to be sent to client machines after enrollment.
*Fetch Certificate Parameters
  Select Yes or No. Setting the radio button to Yes enables the system to automatically fetch certificate parameters from a Suggestive Policy and append them to the client CSRs.
High Speed Transactions
  Based on the selection of this field, the endpoint is configured with or without High Performance transaction times. ACME protocol's Revocation actions are not supported in High Performance mode. Request information pertaining to High Performance can be viewed on the Direct Requests page.
  Note: By default, this field is set to Yes for AppViewX PKIaaS CA.
*Return Existing Certificate
  If this option is enabled (Yes), AppViewX checks the inventory for an existing valid certificate with the same CSR and public key and returns it if available; otherwise it proceeds with enrollment and returns the new certificate.
  - If it is set to Yes, the Certificate Threshold field is displayed.
  - If it is set to No, AppViewX follows the default behavior of enrolling a new certificate for each request.
*Retry Count
  Based on this value, the SCEP agent triggers that number of calls to collect the certificate from AppViewX until it is received. Accepted values: 5 - 99.
*Retry Frequency
  The value specified in this field determines the duration between the trigger calls made by the SCEP agent. Accepted values: 10 - 99.
*Certificate Poll Type
  Select Issuer and Subject or Transaction ID. The client agent uses this field to poll the issued certificate from the agent to the subsystem certificate plugin.
Duplicate Certificate Migration
  Selecting this check box causes the previously issued certificates for the same CSR parameters to be revoked and deleted from AppViewX.
  Note: By default, this field is enabled for AppViewX PKIaaS CA.
*: mandatory fields.
- Click Save.
Validating SCEP
- Configure the SCEP endpoint in the AppViewX GUI using the preceding steps.
- The agent configuration should be in valid status.
- If the above steps are completed, refresh the following URL from the web browser:
  <scep endpoint URL from appviewx GUI>?operation=GetCACaps
- Expected response: In the browser window, you should see the following data:

If you get the above response, then you can confirm that AppViewX is working fine.
Enrolling and Renewing Certificates via SCEP
- If the signing certificate is self-signed, validate whether the subject name in the self-signed certificate matches the common name in the CSR subject.
  - If it matches, AppViewX proceeds with enrollment.
  - If it does not match, validate whether a challenge passphrase is configured for the endpoint and is validated by the application.
  Note: If the device enrollment uses a self-signed certificate, it is advised to configure a challenge passphrase as part of the endpoint. This must be configured on the SCEP client side for any enrollment.
- If the request is signed with the RA certificate (as configured in the AppViewX SCEP endpoint), AppViewX proceeds with the enrollment.
- If the signer certificate is any other certificate in the inventory, check whether it belongs to the same entity by matching the common name. If the common name of the signer certificate matches the common name in the CSR subject, the request is treated as a renewal and the certificate is issued.
- If the signer certificate is any other certificate in the inventory and its common name does not match the common name in the CSR subject, the certificate request is rejected.
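The signer checks above form a small decision tree. The following is an added example that models it in Python; it is not AppViewX code. Certificates are represented by a dataclass rather than real X.509 objects, "self-signed" is approximated as subject CN == issuer CN, and two outcomes the text does not spell out are assumptions: a self-signed signer with a CN mismatch is accepted only when the endpoint's static challenge validates, and a signer that is neither self-signed, the RA certificate, nor an inventory certificate is rejected.

```python
"""Signer-based decision for an incoming SCEP request (added example, not AppViewX code).

Cases modelled, in the order they are checked:
  1. request signed with the endpoint's RA certificate      -> enroll
  2. self-signed signer, subject CN == CSR CN               -> enroll
     self-signed signer, CN mismatch, challenge validates   -> enroll (assumption)
     self-signed signer, CN mismatch, no/invalid challenge  -> reject
  3. other inventory certificate, CN matches CSR CN         -> renewal
  4. other inventory certificate, CN mismatch               -> reject
  5. anything else                                          -> reject (assumption)
"""
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ENROLL = "enroll"  # new enrollment proceeds
    RENEW = "renew"    # same entity re-enrolling: treated as renewal, certificate issued
    REJECT = "reject"


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not a real cert)."""
    subject_cn: str
    issuer_cn: str
    serial: str
    in_inventory: bool = False

    @property
    def self_signed(self) -> bool:
        # Simplification: a real check would verify the signature with the cert's own key.
        return self.subject_cn == self.issuer_cn


@dataclass(frozen=True)
class Endpoint:
    ra_cert: Cert
    challenge_password: Optional[str] = None  # None when no static challenge is configured


def challenge_valid(endpoint: Endpoint, presented: Optional[str]) -> bool:
    """Constant-time comparison of the presented challenge with the configured one."""
    if endpoint.challenge_password is None or presented is None:
        return False
    return hmac.compare_digest(endpoint.challenge_password.encode(), presented.encode())


def decide(signer: Cert, csr_cn: str, endpoint: Endpoint,
           presented_challenge: Optional[str] = None) -> Decision:
    # Case 1: signed with the RA certificate configured on the endpoint.
    if signer == endpoint.ra_cert:
        return Decision.ENROLL
    # Case 2: self-signed signer; subject CN must match the CSR subject CN.
    if signer.self_signed:
        if signer.subject_cn == csr_cn:
            return Decision.ENROLL
        # CN mismatch: fall back to the endpoint challenge passphrase (assumption:
        # a validated challenge lets enrollment proceed).
        return Decision.ENROLL if challenge_valid(endpoint, presented_challenge) else Decision.REJECT
    # Cases 3 and 4: another certificate from the inventory; same-entity check via CN.
    if signer.in_inventory:
        return Decision.RENEW if signer.subject_cn == csr_cn else Decision.REJECT
    # Case 5: unknown signer (assumption: not covered by the text, so reject).
    return Decision.REJECT


def sample_endpoint() -> Endpoint:
    """Constructed endpoint: RA cert issued by a corporate CA plus a static challenge."""
    ra = Cert("appviewx-scep-ra", "Corp Issuing CA", "0A", in_inventory=True)
    return Endpoint(ra_cert=ra, challenge_password="constructed-challenge")


if __name__ == "__main__":
    ep = sample_endpoint()
    device = Cert("dev01.example.test", "dev01.example.test", "01")
    print(decide(device, "dev01.example.test", ep))
    print(decide(device, "dev99.example.test", ep, "constructed-challenge"))
```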
