Skip to content
Branch: master
Find file History
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


SCEP Client

SCEP Client is a command line application that is capable to gather and renew certificates via a remote SCEP server. The certificates will be stores in a local Java keystore.


Download and unpack the binary distribution file

Contents of the binary distribution
+-- etc/
|   +-- application.conf      (1)
|   +-- keystore              (2)
+-- libs/                     (3)
|       ...
+-- log/
|   +-- scep-client.log       (4)
+-- README.adoc               (5)
+-- scep-client.jar           (6)
  1. The configuration file`application.conf` in the central place to configure the application.

  2. The keystore file is automatically created and consecutively updated by the application.

  3. The lib directory contains required libries (JAR files).

  4. The log file contains verbose runtime information.

  5. This Documentation.

  6. The application JAR file, containing the main application.

Start the application with:

$ java -jar scep-client.jar


The application operation is controlled via command line options:

$ java -jar scep-client.jar --help
Standalone SCEP client, which can create and update Java key stores
from a remote SCEP server.

Usage: java -jar scep-client.jar [options]

  --help,-h           Show this help
  --password,-p seed  Generate a password from a given seed and salt.
                      The salt is either implicitly set or explicitly
                      given with --salt
  --refresh-certs,-r  Refresh or initial create a Java key store
                      containing certificates from SCEP server
  --salt,-s salt      Use this salt when generating a password with

To initialy get the configured certificate(s) use the following command:

$ java -jar scep-client.jar --refresh-certs

The same command is used to check and, if required, refresh the certificate(s).

After the certifcates were initially fetched and checked successful, the application will return with exit code 0.

In case of an error or if one of the certificates were no longer valid, the application will return with an exit code other than 0.

If an error ocurs while connection to the SCEP server or processing the certificates, but all certificate are still valid, the application will return with exit code 0.

You can inspect the application log file log/scep-client.log for processing and error details.


The binary distribution already contains a commented configuration file, which you can adapt to your need. At least, you have to change the SCEP server URL as well as the desired certificates.

Annotated example configuration etc/application.conf
// The blended SSL implementation uses a dynamically provisioned
// SSL Context. This SSLContext uses a certificate provider under
// the covers to obtain a server certificate when required.
// The server certificate is managed in the server's keystore for
// reuses and refreshed whenever it is about to expire. {

    ssl {

      // This is the keystore file where the generated server
      // certificate is kept until it expires
      keyStore = ${scepclient.home}/etc/keystore

      // !!! NOTE : Once these passwords are changed, the keystore
      // !!! should be deleted to force a refresh of the server
      // !!! certificate

      // the storepass is used to generate the keystore password
      // this is not the effectively used password
      storePass = "blended"

      // the keypass is used to generate the private key password
      // this is not the effectively used password
      keyPass = "mysecret"

      // the configuration of the self signed certificate provider.
      // This is required as an initial SCEP request is performed
      // with a self signed certificate. The common name and
      // alternative names will be passed in from the certificate
      // configuration.
      selfsigned {

      // the configuration of the individual certificates. each
      // certificate configuration stands for a server certificate
      // that will be used within the server side ssl context.
      // Certificates are selected via SNI (requires Java 8 or greater).
      // The name of the config block will be used as the alias
      // with in the keystore.
      certificates {
        server1 {
          // The common name and alternative names for the certificate.
          commonName = "CN=server1, O=blended, C=DE"
          logicalHostnames = ["server1"]

          // The certificate provider used for provisioning certificates.
          // The provider 'default' will use self signed certificates;
          // the provider 'scep' we use a SCEP enabled server
          // to automatically provision server certifacates via SCEP.
          provider = "scep"

          // The amout of days before an certificate expiry the server
          // will try to refresh the certificate.
          // default: 10
          # minValidDays = 10

    scep {
      scepUrl = "http://scep.server.url"

      // The profile, if required by the SCEP server (if unsure,
      // contact the SCEP administrator)
      // default : None
      # scepProfile =

      // The length of the key to sign requests sent to the SCEP server
      // default: 2048
      # keyLength = 2048

      // The signature algorithm to sign requests sent to the SCEP server
      // default: "SHA1withRSA"
      # csrSignAlgorithm = "SHA1withRSA"

      // The challenge password required by the SCEP server
      // default: None
      scepChallenge = "password"

Export a server key and certificate to openssl

To use some server keys in other applications, e.g. openssl, you can convert the keystore at <scepclient-home>/etc/keystore (which is in the proprietary JKS format) into the standardized format PKCS#12.

The keytool is part of each Oracle Java distribution, and can be found under `${JAVA_HOME}/bin/keytool.

Extract server key <jkskeyalias> into a PKCS#12 keystore
$ keytool -importkeystore \
-srckeystore <scepclient-home>/etc/keystore \
-destkeystore keystore.p12 -deststoretype PKCS12 \
-srcalias <jkskeyalias> \
-deststorepass <password> -destkeypass <password>

After than you can further process the keystore.p12 with openssl.

Export certificate from a PKCS#12 keystore
$ openssl pkcs12 -in keystore.p12  -nokeys -out cert.pem
Export the private key from a PKCS#12 keystore
$ openssl pkcs12 -in keystore.p12  -nodes -nocerts -out key.pem
You can’t perform that action at this time.