Generating a Key and Obtaining and Registering a Certificate from an SCEP Server

When generating a key on the machine, you can request a Simple Certificate Enrollment Protocol (SCEP) server that manages certificates to issue a certificate. The certificate issued by an SCEP server is registered automatically to the machine.
For information about the algorithms of the keys that can be generated with this machine and certificates that can be requested to be issued, see the specifications of the self-generated key and Certificate Signing Request (CSR). (See "Keys and Certificates.")
This machine only supports Network Device Enrollment Service (NDES) in Windows Server 2008 R2, Server 2012 R2, and Server 2016 for the SCEP server. HTTPS communication is not supported.
To obtain and register a certificate from an SCEP server, configure the settings for communicating with the SCEP server, and then generate a key and request certificate issuance. You can also configure the settings to request certificate issuance at a specified date and time.

Configuring the SCEP Server Communication Setting

Configure this setting using Remote UI from a computer. You cannot use the control panel to configure the setting.
Administrator privileges are required.
Required Preparations
Prepare the URL and port number of the SCEP server.
1. Log in to Remote UI as an administrator. (See "Starting Remote UI.")
2. On the Portal page of Remote UI, click [Settings/Registration]. (See "Remote UI Portal Page.")
3. Click [Device Management] > [Settings for Certificate Issuance Request (SCEP)] > [Communication Settings].
   The [Communication Settings] screen is displayed.
4. Specify the SCEP server information.
   [SCEP Server URL]
      Enter the URL of the SCEP server to connect to.
   [Port Number]
      Enter the port number used to communicate with the SCEP server.
   [Communication Timeout]
      Enter the time, in seconds, from the start of communication until timeout.
5. Click [Update].
   The settings are applied.
6. Log out from Remote UI.
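
The values for [Communication Settings] can be checked from a computer before they are entered. The following is an added example, not part of this manual or the machine's software: the function names, sample URL and sample response are constructed, and the capability keywords are those defined for the SCEP GetCACaps operation in RFC 8894. It assumes the check matters because the request travels over plain HTTP, so its protection comes from the algorithms the SCEP server supports.

```python
from urllib.parse import urlsplit
from urllib.request import urlopen

# GetCACaps keywords (RFC 8894) this check looks for, with what each one means.
WANTED = {
    "POSTPKIOperation": "requests can be sent with HTTP POST",
    "SHA-256": "SHA-256 digests for signed messages",
    "AES": "AES encryption of the enveloped request",
}


def check_endpoint(url, port):
    """Problems with the values meant for [SCEP Server URL] and [Port Number]."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        problems.append("scheme must be http (HTTPS to the SCEP server is not supported)")
    if not parts.hostname:
        problems.append("URL has no host name")
    if not (str(port).isdigit() and 1 <= int(port) <= 65535):
        problems.append("port must be a number from 1 to 65535")
    return problems


def fetch_cacaps(url, port, timeout_s):
    """Live GetCACaps query; timeout_s corresponds to [Communication Timeout]."""
    parts = urlsplit(url)
    target = f"http://{parts.hostname}:{port}{parts.path}?operation=GetCACaps"
    with urlopen(target, timeout=timeout_s) as resp:
        return resp.read().decode("ascii", "replace")


def assess_cacaps(body):
    """Parse a GetCACaps body (one keyword per line); return what is missing."""
    # Keywords are compared case-insensitively; unknown ones are ignored.
    offered = {line.strip().lower() for line in body.splitlines() if line.strip()}
    return [f"missing {kw}: {why}" for kw, why in WANTED.items()
            if kw.lower() not in offered]


# Constructed sample values, not taken from a real server.
SAMPLE_URL = "http://ndes.example.test/certsrv/mscep/mscep.dll"
SAMPLE_CAPS = "POSTPKIOperation\r\nRenewal\r\nSHA-1\r\nDES3\r\n"

if __name__ == "__main__":
    print(check_endpoint(SAMPLE_URL, 80))
    print(assess_cacaps(SAMPLE_CAPS))
```

To query a real server, pass the output of `fetch_cacaps(url, port, timeout_s)` to `assess_cacaps`.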

Requesting Key Generation and Certificate Issuance

Request key generation and certificate issuance using Remote UI from a computer. You cannot use the control panel to do this.
Administrator privileges are required. The machine must be restarted after obtaining the certificate.
* This method cannot be used to request issuance of a certificate when the setting for requesting issuance of a certificate at a specified date and time is enabled. (See "Requesting Certificate Issuance at a Specified Date and Time.")
1. Log in to Remote UI as an administrator. (See "Starting Remote UI.")
2. On the Portal page of Remote UI, click [Settings/Registration]. (See "Remote UI Portal Page.")
3. Click [Device Management] > [Settings for Certificate Issuance Request (SCEP)] > [Certificate Issuance Request].
   The [Certificate Issuance Request] screen is displayed.
4. Set the key and certificate information.
   [Key Name]
      Enter the key name using alphanumeric characters.
   [Signature Algorithm]
      Select the signature algorithm from the pulldown menu.
   [Key Length (bit)]
      Select the key length from the pulldown menu. A larger value gives better security but slows down communication processing.
   [Organization]
      Enter the organization name, as needed, using alphanumeric characters.
   [Common Name]
      Enter the name of the certificate subject using alphanumeric characters, as needed. This corresponds to the Common Name (CN).
   [Issued To (Alternate Name)]
      Enter the IP address or domain to be set for the Subject Alternative Name (SAN), as needed.
      If you are not configuring the [Issued To (Alternate Name)] setting, select the [Do Not Set] checkbox.
      Only IPv4 addresses can be set in [IP Address].
   [Challenge Password]
      If a password is set for the SCEP server, enter the password used to request issuance using alphanumeric characters.
   [Key Use Location]
      Select where to use the generated key. If the location is not decided, select [None]. If you select [IPSec], select the IPSec to be used at the location from the pulldown menu.
5. Click [Send Request] > [OK].
   The request to issue a certificate is sent to the SCEP server.
6. When [A certificate has been acquired. Click [Restart] to restart the device.] is displayed, click [Restart].
   The machine restarts, and the key and certificate are registered.
NOTE
Checking the Issuance Request Status and Error Information
Click [Settings/Registration] > [Device Management] > [Settings for Certificate Issuance Request (SCEP)] > [Certificate Issuance Request Status] to view detailed information.
If a certificate is not issued, an error is displayed in the issuance request status. For details about the message and how to resolve it, see the following:
Viewing and Verifying Detailed Information of a Registered Certificate
Click [Settings/Registration] > [Device Management] > [Key and Certificate Settings], and then click the key name (or certificate icon) in the list of keys and certificates to display the certificate details.
On the certificate details screen, click [Verify Certificate] to verify that the certificate is valid.
When the Key and Certificate Cannot Be Deleted
You cannot delete a key and certificate that are in use. Disable the function that uses them, or delete them after switching to another key and certificate.

Requesting Certificate Issuance at a Specified Date and Time

You can request certificate issuance to occur at a specified date and time. You can also set the request for certificate issuance to occur regularly.
Configure this setting using Remote UI from a computer. You cannot use the control panel to configure the setting.
Administrator privileges are required.
1. Log in to Remote UI as an administrator. (See "Starting Remote UI.")
2. On the Portal page of Remote UI, click [Settings/Registration]. (See "Remote UI Portal Page.")
3. Click [Device Management] > [Settings for Certificate Issuance Request (SCEP)] > [Settings for Certificate Issuance Auto Request].
   The [Settings for Certificate Issuance Auto Request] screen is displayed.
4. Select the [Enable Timer for Certificate Issuance Auto Request] checkbox, and enter the start date and time to request issuance of a certificate.
5. Configure the settings for auto issuance request, as needed.
   [Auto Adjust Issuance Request Time]
      To adjust the certificate issuance request time, select this checkbox.
      The start time for requesting a certificate may be adjusted randomly by up to 10 minutes to reduce the load on the SCEP server.
   [Perform Polling When Communication Error Occurs or When Issuance Request Is Deferred]
      Select this checkbox to check the status of the SCEP server, such as when certificate issuance has been deferred, and enter the number of polling retries and the interval.
      * Polling is not performed and an error occurs in the following cases:
        When the machine has exceeded the limit of keys and certificates that can be registered
        When an error occurs in the obtained response data
        When an error occurs in the SCEP server
   [Send Periodic Issuance Requests]
      The request for certificate issuance occurs automatically and regularly. Select the checkbox, and select the issuance request interval from the pulldown menu.
      Enabling this setting resets the start date and time to request issuance of a certificate.
   [Automatically Restart Device After Acquiring Certificate]
      Select this checkbox to restart the machine after obtaining a certificate.
   [Delete Old Key and Certificate]
      Select this checkbox to overwrite the key and certificate at the same location where the key will be used.
6. Set the key and certificate information in [Settings for Key and Certificate To Be Issued].
   [Key Name]
      Enter the key name using alphanumeric characters.
   [Signature Algorithm]
      Select the signature algorithm from the pulldown menu.
   [Key Length (bit)]
      Select the key length from the pulldown menu. A larger value gives better security but slows down communication processing.
   [Organization]
      Enter the organization name, as needed, using alphanumeric characters.
   [Common Name]
      Enter the name of the certificate subject using alphanumeric characters, as needed. This corresponds to the Common Name (CN).
   [Issued To (Alternate Name)]
      Enter the IP address or domain to be set for the Subject Alternative Name (SAN), as needed.
      If you are not configuring the [Issued To (Alternate Name)] setting, select the [Do Not Set] checkbox.
      Only IPv4 addresses can be set in [IP Address].
   [Challenge Password]
      If a password is set for the SCEP server, enter the password used to request issuance using alphanumeric characters.
   [Key Use Location]
      Select where to use the generated key. If the location is not decided, select [None]. If you select [IPSec], select the IPSec to be used at the location from the pulldown menu.
7. Click [Update].
   The settings are applied.
8. Log out from Remote UI.
NOTE
Checking the Issuance Request Status and Error Information
Click [Settings/Registration] > [Device Management] > [Settings for Certificate Issuance Request (SCEP)] > [Certificate Issuance Request Status] to view detailed information.
If a certificate is not issued, an error is displayed in the issuance request status. For details about the message and how to resolve it, see the following:
Viewing and Verifying Detailed Information of a Registered Certificate
Click [Settings/Registration] > [Device Management] > [Key and Certificate Settings], and then click the key name (or certificate icon) in the list of keys and certificates to display the certificate details.
On the certificate details screen, click [Verify Certificate] to verify that the certificate is valid.
When the Key and Certificate Cannot Be Deleted
You cannot delete a key and certificate that are in use. Disable the function that uses them, or delete them after switching to another key and certificate.