How to configure Simple Certificate Enrollment Protocol (SCEP) on Palo Alto Network Firewall/Panorama

Created On 01/06/23 18:41 PM - Last Modified 09/17/25 01:30 AM


Objective


This document provides the steps to configure Simple Certificate Enrollment Protocol (SCEP) on a Palo Alto Networks Firewall or Panorama. A Palo Alto Networks firewall is used for the screenshots and examples below.

Environment


  • Palo Alto Networks Firewall or Panorama
  • Supported PAN-OS
  • Certificate Management
  • Simple Certificate Enrollment Protocol (SCEP)


Procedure


Note: To configure Simple Certificate Enrollment Protocol (SCEP) on a Palo Alto Networks Firewall/Panorama successfully, Active Directory Certificate Services and the Network Device Enrollment Service (NDES) must be installed on the Windows server as prerequisites.

Windows Server – Install and Configure NDES (Assuming that Active Directory Certificate Services is already installed)

  1. Launch Server Manager > Manage > Add Roles and Features > under Active Directory Certificate Services, select Network Device Enrollment Service and install it.

  2. Create a domain user (I’ve created a domain user named "NDES_User") > add the user to the IIS_IUSRS group on the CA server.

  3. From within Server Manager, launch the post-deployment configuration wizard and change the account details to the service account you created above (ndes_user).

  4. Enter the details that will be used to enroll for the RA certificate. Optional information can be left blank. Accept the defaults, click Next, and then click Configure.

  5. Launch the Certificate Authority management console > Certificate Templates > right-click > Manage.

  6. Open the properties of the ‘IPSec (Offline request)’ certificate template > Security tab > make sure the account you created above has the ‘Enroll’ permission.

  7. From Server Manager, click Tools and select Internet Information Services (IIS) Manager.

  8. Within IIS Manager, expand Default Web Site and then CertSrv, select mscep_admin, and browse the HTTPS application from the Manage Application section.

  9. The Network Device Enrollment Service page opens and shows the thumbprint (hash value) of the CA certificate.

  10. On the Palo Alto Networks firewall, navigate to Device > Certificate Management > SCEP; under SCEP Configuration, enter the required information and commit the changes.

  11. Navigate to Certificate Management > Certificates and click Generate Certificate; select Certificate Type SCEP, provide the Certificate Name, and select the SCEP Profile from the drop-down list.

  12. Click Generate. A pop-up window appears with "Successfully created certificate from SCEP profile SCEP", and the certificate is listed under Certificates.



Additional Information


  • During the certificate generation process, if sslmgr debug logging is enabled, the following messages indicating success are seen in the firewall's sslmgr.log:
    >debug sslmgr on debug
    >tail follow yes mp-log sslmgr.log
    2023-01-13 11:00:04.506 -0600 debug: cfgagent_opcmd_callback(pan_cfgagent.c:496): sslmgr: cfg agent received op command from server
    2023-01-13 11:00:04.506 -0600 debug: cfgagent_doop_callback(pan_cfgagent.c:531): received signal to execute for agent: sslmgr
    2023-01-13 11:00:04.549 -0600 debug: pan_scep_get_client_cert(pan_scep.c:401): Trying to create temporary directory /opt/pancfg/certificates/tmpXXXXXX
    2023-01-13 11:00:04.551 -0600 debug: pan_cryptod_sysd_decr(pan_cryptod_sysd_api.c:473): For encrypted key(len=2273):
    2023-01-13 11:00:04.552 -0600 debug: pan_cryptod_dump_buf(pan_cryptod_sysd_api.c:749):   [xxx] ...
    2023-01-13 11:00:04.552 -0600 debug: pan_cryptod_sysd_decr(pan_cryptod_sysd_api.c:520): Retrieved plain text(len=1679):
    2023-01-13 11:00:04.552 -0600 debug: pan_cryptod_dump_buf(pan_cryptod_sysd_api.c:749):   [xxx] ...
    2023-01-13 11:00:04.552 -0600 debug: pan_scep_get_challenge(pan_scep.c:163): Sending http get to scep server https://172.16.3.254/CertSrv/mscep_admin/mscep.dll
    2023-01-13 11:00:04.552 -0600 debug: pan_http_curl_get(pan_http_client.c:551): custom_header [Accept-Language: en-US]
    2023-01-13 11:00:04.552 -0600 debug: pan_http_curl_get(pan_http_client.c:556): add last header: [Accept-Language: en-US]
    2023-01-13 11:00:04.552 -0600 debug: pan_http_curl_get(pan_http_client.c:600): setting headers...
    2023-01-13 11:00:05.050 -0600 debug: pan_scep_get_challenge(pan_scep.c:211): Parsed Challenge 2AF53902C52F4948
    2023-01-13 11:00:05.050 -0600 debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is 007051000210668
    2023-01-13 11:00:05.050 -0600 debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is 1781276205
    2023-01-13 11:00:05.050 -0600 debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is RSA
    2023-01-13 11:00:05.050 -0600 debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is sha256
    2023-01-13 11:00:05.051 -0600 debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is 2AF53902C52F4948
    2023-01-13 11:00:05.051 -0600 debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is https://172.16.3.254/CertSrv/mscep_admin/mscep.dll
    2023-01-13 11:00:05.051 -0600 debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is E9026EAFA0212C7020E62085752EC8C7
    2023-01-13 11:00:05.051 -0600 debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 1, str is CN=$USERNAME
    2023-01-13 11:00:05.051 -0600 debug: pan_scep_is_safe_string(pan_scep.c:58): Token $USERNAME exists in subject and the position is 3
    2023-01-13 11:00:05.051 -0600 debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is DC1-MSCEP-RA
    2023-01-13 11:00:05.051 -0600 debug: pan_scep_get_client_cert(pan_scep.c:471): Generating CSR from script.../usr/local/bin/pangenscepcert.sh -s "007051000210668" -h "1781276205" -c "RSA:2048" -i "2AF53902C52F4948" -e "https://172.16.3.254/CertSrv/mscep_admin/mscep.dll" -m "sha256" -y "365" -u "3" -l "" -o "" -q "" -j "/opt/pancfg/certificates/tmp1kgdS7" -b "CN=$USERNAME" -r "172.16.3.1" -d "" -f "E9026EAFA0212C7020E62085752EC8C7" -a "yes" -g "/opt/pancfg/certificates/scep/scep_SCEP_ca.crt" -n "/opt/pancfg/certificates/scep/scep_SCEP_client.crt" -k "/opt/pancfg/certificates/scep/scep_SCEP_client.key" -t "DC1-MSCEP-RA"Generating a 2048 bit RSA private key
    .............+++
    ................................................................................+++
    writing new private key to '/opt/pancfg/certificates/tmp1kgdS7/dev.key'
    -----
    2023-01-13 11:00:06.868 -0600 debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 0, str is 1673629204
    2023-01-13 11:00:06.868 -0600 debug: pan_scep_get_client_cert(pan_scep.c:528): Running command openssl rsa -aes256 -in  "/opt/pancfg/certificates/tmp1kgdS7/dev.key" -passin pass:"1673629204" -passout pass:"1673629204" -out "/opt/pancfg/certificates/tmp1kgdS7/enc_dev.key" 
    writing RSA key
    2023-01-13 11:00:06.882 -0600 debug: pan_scep_get_client_cert(pan_scep.c:553): Running command openssl pkcs12 -export -out "/opt/pancfg/certificates/tmp1kgdS7/devcrt.p12" -passout pass:"1673629204" -inkey "/opt/pancfg/certificates/tmp1kgdS7/dev.key" -passin pass:"1673629204" -in "/opt/pancfg/certificates/tmp1kgdS7/dev.crt" -keypbe AES-256-CBC -certpbe AES-256-CBC 
    2023-01-13 11:00:06.908 -0600 debug: pan_scep_get_client_cert(pan_scep.c:562): Running command openssl base64 -e -in "/opt/pancfg/certificates/tmp1kgdS7/devcrt.p12" -out "/opt/pancfg/certificates/tmp1kgdS7/devcrt.p12.b64" 
    2023-01-13 11:00:07.019 -0600 debug: sslmgr_scep_gen_client_certificate(sslmgr_ops.c:1572): Content returned <entry name="SCEPTEST">
    <type>pem</type>
    <cert-content>
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: AES-256-CBC,D1AB99814E7C7E61DEC57F7772B8F35D
    
    2bXVIQcWDKsqxa3r7VlXtLPSmuZ2k/9veWtcisyh0fxBgE8YpV2+QMVlpQ2BlXiK
    Ka+wPrnhN5Dn6s8QgsVAB+vZ8yB2t0mISWM4oHa3gHAuX67+qwAqw92398BYuD+L
    qtRjjfjVe0DHB0JgmkV+pN00YQq3KpDqKdkFkX0QgymDuDaNH9/j844Lkdqfst9o
    6ittsbfx/Vxhg4/skoaCgYt7UKrDlod92U4HrQZAr8VCrL3LrTLqiRS2R5wS93iH
    ggBHdhxp0jgOKeNILops5Xg4Q1EiTn4F/hA61Torvk/UgiTAxthktglnLt4SMNZS
    WuJgxr2Vubz7yxx0zKL27xCYW+ukb5BhyyonsVqycCjHQrYnaXe5QTruaW9Dt+cH
    7+tAA3OFDoXRlnfxW8RHiLmC067DojCikd+Clx1IZpLKmgtEb61D1ODCt1gYCg2i
    3Ng+AyZdQN5YEO54TJsmt90GyWs/Rgw3UJRGopovrF2S6yIqZ4hlgCbqPxvLILXf
    BSrz1sKKnnVxW2pPtUvMGYGNS8hoq/wZodiTc9vke6WNyySU1AlT0UBxtlHraXaG
    7HGO9tA2wh7Yb1hMA62qxU2cazEByI6d7u4IVp4AVRF/CwjF1KeTy3dGvUyd8lsh
    A+NNnHgIJgC5Elx0kvl/vell5/C1lHTK9sze+EYc3DWp6QvNSgRD3nUgrxFuqZ6a
    mIHlgAyFz8vrAsA4Lc9OXA/WMrHnMJke2UAGrlQ/UI/7mFFRS0yBapgfjwM8ru5w
    eisq35Ygm+oFDwxrd9COn9qp2aKeAiwmAfsg7bkHhmwp22ykXE15OPtbJnO2023-01-13 11:00:08.300 -0600 debug: cfgagent_opcmd_callback(pan_cfgagent.c:496): sslmgr: cfg agent received op command from server
 
  • If the SSL/TLS traffic is decrypted in Wireshark, the successful HTTP transaction with the SCEP server can be seen.
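As an added example (not part of this article or of PAN-OS), the following Python script reads an sslmgr.log debug excerpt in the format shown above, reports which enrollment stages completed, cross-checks the challenge and SCEP URL the firewall passed to its CSR script against the values it logged earlier, and lists the secrets a debug-level excerpt exposes (the SCEP challenge password, the OpenSSL key passphrase and the encrypted private key block) so they can be redacted before the log is shared. The mapping of the pangenscepcert.sh flags to meanings (for example, that -i carries the parsed challenge) is inferred from the values in the excerpt and is an assumption; the sample log lines are abbreviated copies of the excerpt above.

```python
"""Summarize a PAN-OS sslmgr.log debug excerpt from a SCEP enrollment and
flag the secrets such an excerpt contains. Added example, not PAN-OS code;
the pangenscepcert.sh flag meanings below are inferred (assumption)."""
import re

# Constructed sample: lines abbreviated from the article's excerpt.
SAMPLE_LOG = """\
2023-01-13 11:00:04.552 -0600 debug: pan_scep_get_challenge(pan_scep.c:163): Sending http get to scep server https://172.16.3.254/CertSrv/mscep_admin/mscep.dll
2023-01-13 11:00:05.050 -0600 debug: pan_scep_get_challenge(pan_scep.c:211): Parsed Challenge 2AF53902C52F4948
2023-01-13 11:00:05.051 -0600 debug: pan_scep_is_safe_string(pan_scep.c:44): pan_scep_is_safe_string : is_subject is 1, str is CN=$USERNAME
2023-01-13 11:00:05.051 -0600 debug: pan_scep_get_client_cert(pan_scep.c:471): Generating CSR from script.../usr/local/bin/pangenscepcert.sh -s "007051000210668" -c "RSA:2048" -i "2AF53902C52F4948" -e "https://172.16.3.254/CertSrv/mscep_admin/mscep.dll" -m "sha256" -b "CN=$USERNAME" -t "DC1-MSCEP-RA"Generating a 2048 bit RSA private key
2023-01-13 11:00:06.868 -0600 debug: pan_scep_get_client_cert(pan_scep.c:528): Running command openssl rsa -aes256 -in  "/opt/pancfg/certificates/tmp1kgdS7/dev.key" -passin pass:"1673629204" -passout pass:"1673629204" -out "/opt/pancfg/certificates/tmp1kgdS7/enc_dev.key"
2023-01-13 11:00:06.882 -0600 debug: pan_scep_get_client_cert(pan_scep.c:553): Running command openssl pkcs12 -export -out "/opt/pancfg/certificates/tmp1kgdS7/devcrt.p12" -passout pass:"1673629204"
2023-01-13 11:00:07.019 -0600 debug: sslmgr_scep_gen_client_certificate(sslmgr_ops.c:1572): Content returned <entry name="SCEPTEST">
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
"""

# Each enrollment stage is recognised by a marker string in a log line.
STAGES = [
    ("challenge_requested", "Sending http get to scep server"),
    ("challenge_parsed", "Parsed Challenge"),
    ("csr_generated", "pangenscepcert.sh"),
    ("key_encrypted", "openssl rsa -aes256"),
    ("pkcs12_exported", "openssl pkcs12 -export"),
    ("certificate_returned", "Content returned <entry"),
]

# Flag meanings inferred from the excerpt's values (assumption, not documented).
FLAG_NAMES = {"i": "challenge", "e": "scep_server", "c": "key_type",
              "m": "digest", "b": "subject", "t": "ra_name"}


def parse_scep_enrollment(log_text):
    """Return completed stages plus the values the firewall logged along the way."""
    summary = {"stages": [], "script_args": {}}
    for line in log_text.splitlines():
        for stage, marker in STAGES:
            if marker in line and stage not in summary["stages"]:
                summary["stages"].append(stage)
        m = re.search(r"Sending http get to scep server (\S+)", line)
        if m:
            summary["scep_server"] = m.group(1)
        m = re.search(r"Parsed Challenge (\S+)", line)
        if m:
            summary["challenge"] = m.group(1)
        if "pangenscepcert.sh" in line:
            # Script arguments are passed as -x "value"; name the ones we recognise.
            for flag, value in re.findall(r'-(\w) "([^"]*)"', line):
                summary["script_args"][FLAG_NAMES.get(flag, flag)] = value
        m = re.search(r'Content returned <entry name="([^"]+)">', line)
        if m:
            summary["cert_name"] = m.group(1)
    return summary


def check_enrollment(summary):
    """Cross-check the logged values; return a list of problems (empty on success)."""
    problems = []
    args = summary["script_args"]
    if "certificate_returned" not in summary["stages"]:
        problems.append("no certificate content returned; enrollment did not complete")
    if summary.get("challenge") and args.get("challenge") != summary["challenge"]:
        problems.append("challenge passed to the CSR script differs from the parsed challenge")
    if summary.get("scep_server") and args.get("scep_server") != summary["scep_server"]:
        problems.append("SCEP URL in the CSR script differs from the one queried for the challenge")
    return problems


def find_exposed_secrets(log_text):
    """Return the kinds of secret material present in clear text in the excerpt."""
    found = []
    if re.search(r"Parsed Challenge \S+", log_text):
        found.append("scep_challenge_password")
    if re.search(r'pass:"[^"]*"', log_text):
        found.append("openssl_key_passphrase")
    if "-----BEGIN RSA PRIVATE KEY-----" in log_text:
        found.append("private_key_block")
    return found


def redact(log_text):
    """Mask the challenge password and key passphrases before the log is shared."""
    text = re.sub(r"(Parsed Challenge )\S+", r"\1<redacted>", log_text)
    text = re.sub(r'(-i ")[^"]*(")', r"\1<redacted>\2", text)
    text = re.sub(r'(pass:")[^"]*(")', r"\1<redacted>\2", text)
    return text


if __name__ == "__main__":
    s = parse_scep_enrollment(SAMPLE_LOG)
    print("stages:", ", ".join(s["stages"]))
    print("problems:", check_enrollment(s) or "none")
    print("secrets in log:", find_exposed_secrets(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
```

Because a debug-level sslmgr.log carries the SCEP challenge password and the OpenSSL key passphrase in clear text, keep debug enabled only for the troubleshooting window and run an excerpt through a redaction step like the one above before attaching it to a support case.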

