24.4 Signing and encryption certificates for SCEP

The SCEP application server requires a signing certificate and an encryption certificate.

24.4.1 Signing certificate

The signing certificate must have the following properties:

By default, MyID uses SHA256 as the hash algorithm for SCEP signing. The private key of the signing certificate must therefore be held by a KSP or CSP that supports SHA256. Some older CSPs (for example, the Microsoft Strong Cryptographic Provider) do not support SHA256; the Microsoft Enhanced RSA and AES Cryptographic Provider does.

If you want to use a SCEP signing certificate whose provider does not support SHA256, you must configure MyID to use SHA1 for the SCEP hash algorithm. SHA1 is deprecated for digital signatures, so treat this as a fallback and prefer re-issuing the signing certificate under a SHA256-capable provider:

  1. From the Configuration category, select Security Settings.
  2. On the Server tab, set the following option:

    • SCEP Hash Algorithm – set to one of the following:
      • SHA1 – use SHA1 for the hash algorithm. Set this option if your SCEP signing certificate does not support SHA256.
      • SHA256 – use SHA256 for the hash algorithm. Set this option if your SCEP signing certificate does support SHA256.
  3. Click Save changes.
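Before deciding whether to downgrade the hash algorithm, it is worth confirming what the signing certificate's key provider can actually do. The following PowerShell script is an added example, not code from MyID or Intercede: it locates the signing certificate in the personal store of the current account (assumed to be the MyID COM+ account, with a hypothetical subject substring of "SCEP Signing"), reports the CSP or KSP that holds the key, and attempts a real SHA256 and SHA1 signature with it. It assumes Windows PowerShell 5.1 on .NET Framework, where a CryptoAPI key comes back as an RSACryptoServiceProvider.

```powershell
# Added example (not Intercede/MyID code): probe whether the SCEP signing
# certificate's key provider can produce a SHA256 signature.
# Assumptions: run as the account that owns the certificate (the MyID COM+
# account); the certificate is selected by a hypothetical subject substring.
param(
    [string]$SubjectMatch = 'SCEP Signing'   # hypothetical subject substring
)

$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "*$SubjectMatch*" } |
    Select-Object -First 1

if (-not $cert) { throw "No certificate with a private key matching '$SubjectMatch' found." }
"Certificate: $($cert.Subject) (thumbprint $($cert.Thumbprint))"

# Report which provider holds the key. CryptoAPI (CSP) keys expose
# CspKeyContainerInfo; CNG (KSP) keys do not.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $info = $rsa.CspKeyContainerInfo
    "Provider: $($info.ProviderName) (CSP type $($info.ProviderType))"
} else {
    "Provider: CNG key ($($rsa.GetType().Name))"
}

# Attempt an actual signature with each algorithm on constructed test data.
# A CSP without SHA256 support (e.g. the Microsoft Strong Cryptographic
# Provider) throws a CryptographicException on the SHA256 attempt; SHA1 is
# tried afterwards to confirm that the key itself is usable.
$data = [System.Text.Encoding]::ASCII.GetBytes('scep-probe')   # constructed input
foreach ($alg in 'SHA256', 'SHA1') {
    try {
        $sig = $rsa.SignData($data,
            [System.Security.Cryptography.HashAlgorithmName]::new($alg),
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
        "$alg signing: OK ($($sig.Length)-byte signature)"
    } catch {
        "$alg signing: FAILED - $($_.Exception.Message)"
    }
}
```

If SHA256 signing fails and SHA1 succeeds, the certificate was issued through a provider that cannot serve the default configuration; re-requesting it under the Microsoft Enhanced RSA and AES Cryptographic Provider (or a KSP) avoids having to set SCEP Hash Algorithm to SHA1.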

24.4.2 Encryption certificate

The encryption certificate must have the following properties:

24.4.3 Adding the certificates to the registry

To configure the signing and encryption certificates in the registry:

  1. On the SCEP application server, log in using the MyID COM+ account.
  2. Request the SCEP signing and encryption certificates (created earlier) so that they are placed in this account's CAPI store.

    Note: Do not enable strong private key protection on the certificates. Strong protection requires an interactive password prompt whenever the key is used, which the MyID account cannot answer, so the request cannot be processed.

  3. Once the certificates have been issued, install them and export each one (the certificate only, not the private key) as a .cer file in Base64/PEM format.

    You must save them in a location accessible to the MyID application; for example, the MyID installation folder. By default, this is:

    C:\Program Files\Intercede\MyID\

  4. Enter the filenames of the certificates in the system registry:

    Note: You must log in as a user with sufficient privileges to edit the registry.

    1. Run the Windows regedit utility.
    2. Navigate to:

      HKEY_LOCAL_MACHINE\SOFTWARE\Intercede\Edefice

    3. If not already present, create the key SCEP.
    4. Create or set the following string (REG_SZ) values, each containing the full path of the corresponding .cer file:

      • SigningCertificate
      • EncryptionCertificate
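The export and registry steps above can be scripted so that the file format, location and registry values are consistent. The following PowerShell script is an added example, not code from MyID or Intercede: it selects each certificate by a hypothetical subject substring from the current account's personal store, refuses a CAPI key container that has strong private key protection enabled, writes the certificate (public part only) as a Base64 .cer file into the default MyID installation folder, and sets the two registry values from the procedure. Run it as the MyID COM+ account in an elevated session, or split the two halves if that account is not permitted to write to HKEY_LOCAL_MACHINE.

```powershell
# Added example (not Intercede/MyID code): export the SCEP signing and
# encryption certificates as Base64 (PEM) .cer files and register their paths.
# Assumptions: the default MyID folder; certificates are selected by
# hypothetical subject substrings; Windows PowerShell 5.1 on .NET Framework.
$MyIdFolder = 'C:\Program Files\Intercede\MyID'
$RegPath    = 'HKLM:\SOFTWARE\Intercede\Edefice\SCEP'
$Certs = @{
    SigningCertificate    = 'SCEP Signing'      # hypothetical subject substring
    EncryptionCertificate = 'SCEP Encryption'   # hypothetical subject substring
}

function Export-PemCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Path
    )
    # RawData is the DER-encoded certificate; the private key never leaves the store.
    $b64 = [Convert]::ToBase64String($Cert.RawData, 'InsertLineBreaks')
    $pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----`r`n"
    [IO.File]::WriteAllText($Path, $pem, [Text.Encoding]::ASCII)
}

$paths = @{}
foreach ($valueName in $Certs.Keys) {
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like "*$($Certs[$valueName])*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate matching '$($Certs[$valueName])' in CurrentUser\My" }

    # A CAPI key container flagged Protected has strong private key protection,
    # which prompts for a password on every use and blocks the MyID account.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider] -and
        $rsa.CspKeyContainerInfo.Protected) {
        throw "$valueName has strong private key protection enabled; re-request it without."
    }

    $file = Join-Path $MyIdFolder "$valueName.cer"
    Export-PemCertificate -Cert $cert -Path $file
    $paths[$valueName] = $file
    "$valueName -> $file (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter))"
}

# Registry step (requires rights to write HKLM): create the SCEP key if it is
# absent and set each REG_SZ value to the full path of its .cer file.
if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
foreach ($valueName in $paths.Keys) {
    New-ItemProperty -Path $RegPath -Name $valueName -Value $paths[$valueName] `
        -PropertyType String -Force | Out-Null
}
Get-ItemProperty -Path $RegPath | Select-Object SigningCertificate, EncryptionCertificate
```

The final line echoes the registry values back so you can confirm they contain the full paths, and the files written are certificate-only, so their exposure in the installation folder does not disclose private key material.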