24.4 Signing and encryption certificates for SCEP
The SCEP application server requires a signing certificate and an encryption certificate.
24.4.1 Signing certificate
The signing certificate must have the following properties:
- Request Handling Purpose: Signature
- Key Usage: Digital Signature
By default, MyID uses SHA256 as the hash algorithm for SCEP signing. The certificate that you use for signing must therefore have been issued through a KSP or CSP that supports SHA256. Some older CSPs (for example, the Microsoft Strong Cryptographic Provider) do not support SHA256; the Microsoft Enhanced RSA and AES Cryptographic Provider does.
If you must use a SCEP signing certificate whose provider does not support SHA256, configure MyID to use SHA1 for the SCEP hash algorithm. SHA1 is a deprecated signature hash, so treat this as a temporary fallback and re-issue the signing certificate under a SHA256-capable provider when you can:
- From the Configuration category, select Security Settings.
- On the Server tab, set the following option:
  - SCEP Hash Algorithm – set to one of the following:
    - SHA1 – use SHA1 for the hash algorithm. Set this option if your SCEP signing certificate does not support SHA256.
    - SHA256 – use SHA256 for the hash algorithm. Set this option if your SCEP signing certificate does support SHA256.
- Click Save changes.
24.4.2 Encryption certificate
The encryption certificate must have the following properties:
- Request Handling Purpose: Encryption
- Key Usage: Key Encipherment
24.4.3 Adding the certificates to the registry
To configure the signing and encryption certificates in the registry:
- On the SCEP application server, log in using the MyID COM+ account.
- Request the previously-created SCEP signing and encryption certificates so that they are placed in the CAPI store of that account.
  Note: Do not enable strong private key protection on the certificates, as this prevents the MyID account from using the keys to process requests.
- Once the certificates have been generated, export and save them as .cer files in Base64/PEM format. The .cer files contain only the public certificates; the private keys remain in the CAPI store of the MyID COM+ account.
  You must save them in a location accessible to the MyID application; for example, the MyID installation folder. By default, this is:
  C:\Program Files\Intercede\MyID\
  These files identify the signing and encryption certificates to MyID, so restrict write access to the folder to administrators.
- Enter the full paths of the certificate files in the system registry:
  Note: You must log in as a user with sufficient privileges to edit the registry.
  - Run the Windows regedit utility.
  - Navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Intercede\Edefice
  - If not already present, create the key SCEP.
  - Create or set the following string values to the full path of the related certificate:
    - SigningCertificate
    - EncryptionCertificate
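The procedure in 24.4.3, together with the key usage checks from 24.4.1 and 24.4.2 and a probe that confirms the signing key's provider can actually produce a SHA256 signature, as one PowerShell script. This is an added example and not Intercede's own tooling. It assumes: an elevated PowerShell session running as the MyID COM+ account (so the private keys are readable and the HKLM write succeeds); that the two certificates sit in Cert:\CurrentUser\My (the page only says "the CAPI store"); that the thumbprint placeholders are replaced with the real values; and that the file names SCEPSigning.cer and SCEPEncryption.cer are arbitrary choices.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added example, not part of MyID. Assumptions: elevated session as the MyID COM+
# account; certificates in Cert:\CurrentUser\My; thumbprints below are placeholders;
# the .cer file names are arbitrary.
$SigningThumbprint    = 'REPLACE-WITH-SIGNING-THUMBPRINT'
$EncryptionThumbprint = 'REPLACE-WITH-ENCRYPTION-THUMBPRINT'
$MyIDFolder = 'C:\Program Files\Intercede\MyID'       # default install folder (24.4.3)
$RegKey     = 'HKLM:\SOFTWARE\Intercede\Edefice\SCEP'  # registry key named in 24.4.3

function Get-StoreCert([string]$Thumbprint) {
    $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in CurrentUser\My" }
    return $cert
}

# Key Usage must carry the flag the section requires: Digital Signature for the
# signing certificate, Key Encipherment for the encryption certificate.
function Assert-KeyUsage([X509Certificate2]$Cert, [X509KeyUsageFlags]$Required) {
    $ku = $Cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    if (-not $ku) { throw "$($Cert.Subject): no Key Usage extension" }
    if (($ku.KeyUsages -band $Required) -eq 0) {
        throw "$($Cert.Subject): Key Usage is '$($ku.KeyUsages)', expected $Required"
    }
}

# Sign a throwaway buffer with SHA256. A CSP without SHA256 support (for example the
# Microsoft Strong Cryptographic Provider) throws here, which is exactly the case
# where the SCEP Hash Algorithm setting has to be dropped to SHA1. A key with strong
# private key protection also surfaces here, as a prompt or a failure.
function Test-Sha256Signing([X509Certificate2]$Cert) {
    $rsa = [RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if (-not $rsa) { throw "$($Cert.Subject): private key not accessible from this account" }
    if ($rsa -is [RSACryptoServiceProvider]) {
        Write-Host "Signing key provider: $($rsa.CspKeyContainerInfo.ProviderName)"
    }
    $probe = [Text.Encoding]::ASCII.GetBytes('MyID SCEP SHA256 probe')
    try {
        $null = $rsa.SignData($probe, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
        return $true
    } catch {
        Write-Warning "$($Cert.Subject): SHA256 signing failed: $($_.Exception.Message)"
        return $false
    }
}

# Write the public certificate only (no private key) as a Base64/PEM .cer file.
function Export-PemCertificate([X509Certificate2]$Cert, [string]$Path) {
    $der = $Cert.Export([X509ContentType]::Cert)
    $b64 = [Convert]::ToBase64String($der) -replace '(.{64})', "`$1`r`n"
    $pem = "-----BEGIN CERTIFICATE-----`r`n$($b64.TrimEnd())`r`n-----END CERTIFICATE-----`r`n"
    [IO.File]::WriteAllText($Path, $pem, [Text.Encoding]::ASCII)
    return $Path
}

$signing    = Get-StoreCert $SigningThumbprint
$encryption = Get-StoreCert $EncryptionThumbprint

Assert-KeyUsage $signing    ([X509KeyUsageFlags]::DigitalSignature)
Assert-KeyUsage $encryption ([X509KeyUsageFlags]::KeyEncipherment)
$sha256ok = Test-Sha256Signing $signing

$signingPath    = Export-PemCertificate $signing    (Join-Path $MyIDFolder 'SCEPSigning.cer')
$encryptionPath = Export-PemCertificate $encryption (Join-Path $MyIDFolder 'SCEPEncryption.cer')

# Create the SCEP key if absent, then set the two string values to the full file paths.
if (-not (Test-Path $RegKey)) { New-Item -Path $RegKey -Force | Out-Null }
New-ItemProperty -Path $RegKey -Name SigningCertificate    -Value $signingPath    -PropertyType String -Force | Out-Null
New-ItemProperty -Path $RegKey -Name EncryptionCertificate -Value $encryptionPath -PropertyType String -Force | Out-Null
Get-ItemProperty -Path $RegKey | Select-Object SigningCertificate, EncryptionCertificate

if (-not $sha256ok) {
    Write-Warning 'Set Configuration > Security Settings > Server > SCEP Hash Algorithm to SHA1 until the signing certificate is re-issued under a SHA256-capable KSP/CSP.'
}
```

The export deliberately uses X509ContentType::Cert, so no private key material ever leaves the CAPI store; the files under the MyID folder are public certificates and MyID locates the matching private keys in the COM+ account's store at run time. If Test-Sha256Signing prints a provider name that is not SHA256-capable, prefer re-enrolling the signing certificate under the Microsoft Enhanced RSA and AES Cryptographic Provider (or a KSP) over switching the hash algorithm to SHA1.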