Showing results for 
Search instead for 
Did you mean: 

SCEP on Big-IP


I have built a process where a user connects to the Big-IP using the Edge Client in order to request a user certificate. I gather some information from the Edge Client, LDAP and Active Directory and then I make a sideband connection from an iRule in order to execute a local bash script. Among other things, the bash script creates and signs a certificate (snippet below) and then emails the certificate to the user.


Create private key openssl genrsa \ -rand /var/tmp/$rndfile \ -out /var/tmp/$csr_adname.key.pem 2048 Create CSR openssl req \ -sha512 \ -new \ -subj "/C=CA/O=$csr_o/OU=$csr_ou/DC=$csr_domain/CN=$csr_udid/emailAddress=$csr_email/pseudonym=$csr_adname_encrypt/SN=$csr_sn/GN=$csr_gn" \ -key /var/tmp/$csr_adname.key.pem \ -out /var/tmp/$csr_adname.csr.pem Sign openssl x509 \ -extfile /root/ca/intermediate/openssl.cnf \ -extensions usr_cert \ -sha512 \ -req \ -in /var/tmp/$csr_adname.csr.pem \ -out /root/ca/intermediate/newcerts/${csr_adname}.${csr_udid}.cert.pem \ -CAkey /root/ca/intermediate/private/intermediate.key.pem \ -CA /root/ca/intermediate/certs/intermediate.cert.pem \ -days $days \ -passin file:/shared/xxxx/intermediate.pwd \ -CAcreateserial \ -CAserial /root/ca/intermediate/serial

The Big-IP is an intermediate CA therefore the certificates that I create are not self-signed. Everything is working just fine however I would like to remove the roll of the Big-IP being an intermediate CA and instead talk to our Enterprise CA. I am looking for some guidance as to how to do this…


From what I have read so far, in order to pass the CSR over to our CA I need to use SCEP to talk to our Network Device Enrolment Server which runs on Windoze. Does this make sense? Can this be done with an openssl command or do I need a SCEP utility on the Big-IP? If SCEP is there something builtin or do I need to find an open source SCEP utiltity such as ?


Just hoping someone can point me in the right direction - any guidance would be appreciated.




APM 12.1.2