Generating a Key and Obtaining and Registering a Certificate from an SCEP Server

When generating a key on the machine, you can request a Simple Certificate Enrollment Protocol (SCEP) server that manages certificates to issue a certificate. The certificate issued by an SCEP server is registered automatically to the machine.
For the algorithms of the keys that can be generated with this machine and the certificates that can be requested, see the specifications of the self-generated key and Certificate Signing Request (CSR) in "Keys and Certificates".
This machine supports Network Device Enrollment Service (NDES) in Windows Server 2008 R2, 2012 R2, and 2016 for the SCEP server. Communication using HTTPS is not supported.
To obtain and register a certificate from an SCEP server, configure the settings for communicating with the SCEP server, and then generate a key and request certificate issuance. You can also request certificate issuance at a specified date and time.

Configuring the SCEP Server Communication Settings

Configure the communication settings using Remote UI from a computer. You cannot use the operation panel to configure the settings.
Administrator privileges are required.
Required Preparations
Prepare the URL and port number of the SCEP server.
* Communication using HTTPS is not supported.
1
Log in to Remote UI in System Manager Mode. (See "Starting Remote UI".)
2
On the Portal page of Remote UI, click [Settings/Registration]. (See "Portal Page of Remote UI".)
3
Click [Device Management] > [Settings for Certificate Issuance Request (SCEP)].
The [Settings for Certificate Issuance Request (SCEP)] screen is displayed.
4
In [Communication Settings], click [Edit].
The [Edit Communication Settings] screen is displayed.
5
Set the SCEP server information.
[SCEP Server URL]
Enter the URL of the connecting SCEP server.
[Port Number]
Enter the port number used to communicate with the SCEP server.
[Communication Timeout]
Enter the time from search start to timeout in seconds.
6
Click [OK].
The settings are applied.
7
Log out from Remote UI.
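A preflight check that can be run from a computer before entering [SCEP Server URL] and [Port Number], added here as an example and not part of the original manual: it rejects HTTPS URLs (not supported by the machine), builds a GetCACaps probe URL as defined in RFC 8894, and reviews the capabilities the server advertises. The host name, the NDES path and the sample response are constructed assumptions.

```python
from urllib.parse import urlsplit, urlunsplit
from urllib.request import urlopen

STRONG_DIGESTS = {"SHA-256", "SHA-512"}  # GetCACaps keywords from RFC 8894


def caps_url(server_url: str, port: int) -> str:
    """Build the GetCACaps probe URL from the [SCEP Server URL] and [Port Number] values."""
    parts = urlsplit(server_url)
    if parts.scheme != "http":
        # The machine cannot talk to the SCEP server over HTTPS.
        raise ValueError(f"unsupported scheme {parts.scheme!r}: use http://")
    if not parts.hostname:
        raise ValueError("URL has no host name")
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    if parts.port is not None and parts.port != port:
        raise ValueError("port in URL differs from [Port Number]")
    host = f"[{parts.hostname}]" if ":" in parts.hostname else parts.hostname
    return urlunsplit(("http", f"{host}:{port}", parts.path, "operation=GetCACaps", ""))


def fetch_caps(url: str, timeout: float = 10.0) -> str:
    """Fetch the capability list (needs network access to the SCEP server)."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("ascii", "replace")


def review_caps(body: str) -> list[str]:
    """Return findings for a GetCACaps body, which lists one keyword per line."""
    caps = {line.strip() for line in body.splitlines() if line.strip()}
    findings = []
    # Over plain HTTP, only the encrypted envelope protects the challenge password.
    if not caps & STRONG_DIGESTS:
        findings.append("no SHA-256/SHA-512 advertised: digests limited to SHA-1 or MD5")
    if "AES" not in caps:
        findings.append("no AES advertised: envelope encryption limited to DES3 or DES")
    if "POSTPKIOperation" not in caps:
        findings.append("no POSTPKIOperation: requests must use HTTP GET")
    return findings


SAMPLE_CAPS = "POSTPKIOperation\nRenewal\nSHA-1\nDES3\n"  # constructed sample response

if __name__ == "__main__":
    # Placeholder host; /certsrv/mscep/mscep.dll is assumed as the NDES path.
    print(caps_url("http://ndes.example.test/certsrv/mscep/mscep.dll", 80))
    for finding in review_caps(SAMPLE_CAPS):
        print("WARN:", finding)
```

To check a live server, pass the result of `fetch_caps(caps_url(...))` to `review_caps` instead of the sample.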

Generating a Key and Requesting Certificate Issuance

Configure the settings for generating a key and requesting the issuance of a certificate using Remote UI from a computer. You cannot use the operation panel to configure the settings.
Administrator privileges are required. The machine must be restarted after obtaining a key.
* This method cannot be used to request issuance of a certificate when the setting for requesting issuance of a certificate at a specified date and time is enabled. (See "Requesting Certificate Issuance at a Specified Date and Time".)
1
Log in to Remote UI in System Manager Mode. (See "Starting Remote UI".)
2
On the Portal page of Remote UI, click [Settings/Registration]. (See "Portal Page of Remote UI".)
3
Click [Device Management] > [Settings for Certificate Issuance Request (SCEP)] > [Certificate Issuance Request].
The [Certificate Issuance Request] screen is displayed.
4
Set the items for a key and certificate.
[Key Name]
Enter the key name using single-byte alphanumeric characters.
[Signature Algorithm]
Select the signature algorithm from the pulldown menu.
[Key Length (bit)]
Select the key length from the pulldown menu. The larger the value, the better the security, but this slows down communication processing.
[Organization]
Enter the organization name using single-byte alphanumeric characters, as needed.
[Common Name]
Enter the name of the certificate subject using single-byte alphanumeric characters.
This is also called the Common Name (CN).
[Challenge Password]
If a password is set on the SCEP server, enter the password to include in the request data of the issuance request, using single-byte alphanumeric characters.
[Key Usage]
Select the usage of the generated key. If the usage is not decided, select [None].
5
Click [Issuance Request] > [OK].
The request to issue a certificate is sent to the SCEP server.
6
When the message that says a certificate is acquired appears, click [Restart].
The machine restarts, and the key and certificate are registered.
Viewing Issuance Request Status and Error Information
You can view detailed information on the [Settings for Certificate Issuance Request (SCEP)] screen.
If a certificate is not issued, an error is displayed in the certificate issuance request status. For details about the message and how to resolve it, see the following:
If an Error Is Displayed in the Certificate Issuance Request Status
Viewing and Verifying Detailed Information of a Registered Certificate
In [Settings/Registration] > [Device Management] > [Key and Certificate Settings] > [Registered Key and Certificate], click the key name (or certificate icon) to display the certificate details.
On the certificate details screen, click [Verify Certificate] to verify that the certificate is valid.
When the Key and Certificate Cannot Be Deleted
You cannot delete a key and certificate being used. Disable the function being used, or delete these after switching to another key and certificate.

Requesting Certificate Issuance at a Specified Date and Time

The request for certificate issuance occurs at the specified date and time. You can also set the request for certificate issuance to occur regularly.
Configure the settings using Remote UI from a computer. You cannot use the operation panel to configure the settings.
Administrator privileges are required.
1
Log in to Remote UI in System Manager Mode. (See "Starting Remote UI".)
2
On the Portal page of Remote UI, click [Settings/Registration]. (See "Portal Page of Remote UI".)
3
Click [Device Management] > [Settings for Certificate Issuance Request (SCEP)].
The [Settings for Certificate Issuance Request (SCEP)] screen is displayed.
4
In [Settings for Certificate Issuance Auto Request], click [Edit].
The [Edit Settings for Certificate Issuance Auto Request] screen is displayed.
5
Select the [Enable Timer for Certificate Issuance Auto Request] checkbox, and enter the start date and time to request issuance of a certificate.
6
Set other items at the time of issuance auto request, as needed.
[Auto Adjust Issuance Request Time]
To adjust the certificate issuance request time, select this checkbox.
The start time for issuing a certificate may be adjusted randomly by up to 10 minutes to reduce the load on the SCEP server.
[Perform Polling When Communication Error Occurs or When Issuance Request Is Deferred]
To check the status of the SCEP server, such as when certificate issuance has been deferred, select the checkbox and enter the number of polling retries and the interval.
* Polling is not performed and an error occurs in the following cases:
When the machine has exceeded the limit of keys and certificates that can be registered
When an error occurs in the obtained response data
When an error occurs in the SCEP server
[Send Periodic Issuance Requests]
To send the certificate issuance request automatically at regular intervals, select the checkbox and select the issuance request interval from the pulldown menu.
Enabling this setting resets the start date and time to request issuance of a certificate.
[Automatically Restart Device After Acquiring Certificate]
To restart the machine after obtaining a certificate, select the checkbox.
[Delete Old Key and Certificate]
To overwrite the existing key and certificate that have the same usage location as the new key, select the checkbox.
7
In [Settings for Key and Certificate To Be Issued], set the items for a key and certificate.
[Key Name]
Enter the key name using single-byte alphanumeric characters.
[Signature Algorithm]
Select the signature algorithm from the pulldown menu.
[Key Length (bit)]
Select the key length from the pulldown menu. The larger the value, the better the security, but this slows down communication processing.
[Organization]
Enter the organization name using single-byte alphanumeric characters, as needed.
[Common Name]
Enter the name of the certificate subject using single-byte alphanumeric characters.
This is also called the Common Name (CN).
[Challenge Password]
If a password is set on the SCEP server, enter the password to include in the request data of the issuance request, using single-byte alphanumeric characters.
[Key Usage]
Select the usage of the generated key. If the usage is not decided, select [None].
8
Click [OK].
The settings are applied.
9
Log out from Remote UI.
Viewing Issuance Request Status and Error Information
You can view detailed information on the [Settings for Certificate Issuance Request (SCEP)] screen.
If a certificate is not issued, an error is displayed in the certificate issuance request status. For details about the message and how to resolve it, see the following:
If an Error Is Displayed in the Certificate Issuance Request Status
Viewing and Verifying Detailed Information of a Registered Certificate
In [Settings/Registration] > [Device Management] > [Key and Certificate Settings] > [Registered Key and Certificate], click the key name (or certificate icon) to display the certificate details.
On the certificate details screen, click [Verify Certificate] to verify that the certificate is valid.
When the Key and Certificate Cannot Be Deleted
You cannot delete a key and certificate being used. Disable the function being used, or delete these after switching to another key and certificate.