
Test a connection from the client to the KMES Series 3 by using the configured certificates


The process for configuring and testing certificates on the client side varies between the different types of applications connecting to the KMES Series 3 with SCEP. However, you can use the following OpenSSL commands to confirm that the SCEP client certificate enables a successful connection to the SCEP port on the KMES Series 3.

1

If you used the KMES Series 3 as the CA that signed the SCEP client certificate, then you must extract the client certificate, private key, and root CA certificate from the PKCS #12 file before connecting. If you used an external CA to sign the client certificate, run the following OpenSSL command to test the connection and authentication to the KMES Series 3:

Shell


Adjust the IP address of the KMES Series 3 and the file names in the preceding command to your specific situation.

2

If you used the KMES Series 3 as a CA to sign the SCEP client certificate, run the following OpenSSL command to first extract the contents of the PKCS #12 file:

Shell

3

Open the pkcs12.pem file that was output from the previous command. Then, copy the signed client certificate, private key, and root CA certificate to individual files for use in the next command.

4

Run the following OpenSSL command to test the connection to the KMES Series 3:

Shell


If the SSL handshake is successful, then you configured the certificates correctly on the KMES Series 3.

If you use the TLS certificate to authenticate, the KMES Series 3 attempts to authenticate the SCEP client immediately after establishing the connection. If the Common Name of the TLS certificate matches the name of a KMES user that has the signing CA of that TLS certificate registered, the authentication is successful, and the SCEP client can perform any of the actions that are enabled for that user on the KMES.
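The extraction and connection steps above, and the Common Name check just described, as an added shell example that is not the vendor's own commands. The output file names, the `P12_PASS` environment variable, the host and port arguments, and the use of `-verify_return_error` are assumptions; the demo bundle is constructed throwaway data so the script runs without a KMES.

```shell
#!/bin/sh
# Added example. File names, P12_PASS and host/port arguments are assumptions.

# Constructed test data: throwaway CA, client certificate and PKCS #12 bundle.
make_demo_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" -days 1 \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=scep-client" \
        -keyout "$1/c.key" -out "$1/c.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/c.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/c.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/c.key" -in "$1/c.crt" \
        -certfile "$1/ca.crt" -passout env:P12_PASS -out "$1/client.p12"
}

# Steps 2-3: split the bundle ($1) into three PEM files under directory $2.
split_p12() (
    umask 077    # the private key is written unencrypted; keep it owner-only
    mkdir -p "$2" || exit 1
    openssl pkcs12 -in "$1" -passin env:P12_PASS -clcerts -nokeys \
        -out "$2/client_cert.pem" || exit 1
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes \
        -out "$2/client_key.pem" || exit 1
    openssl pkcs12 -in "$1" -passin env:P12_PASS -cacerts -nokeys \
        -out "$2/root_ca.pem" || exit 1
)

# Offline checks before step 4: key matches cert, cert chains to the CA.
# Prints the subject so its Common Name can be compared with the KMES user.
check_material() (
    cert_pub=$(openssl x509 -in "$1/client_cert.pem" -noout -pubkey) || exit 1
    key_pub=$(openssl pkey -in "$1/client_key.pem" -pubout) || exit 1
    [ "$cert_pub" = "$key_pub" ] || { echo "key/certificate mismatch" >&2; exit 1; }
    openssl verify -CAfile "$1/root_ca.pem" "$1/client_cert.pem" >/dev/null || exit 1
    openssl x509 -in "$1/client_cert.pem" -noout -nameopt RFC2253 -subject
)

# Step 4: mutual-TLS handshake. $1 = KMES address, $2 = SCEP port, $3 = PEM dir.
test_connection() {
    openssl s_client -connect "$1:$2" -cert "$3/client_cert.pem" \
        -key "$3/client_key.pem" -CAfile "$3/root_ca.pem" \
        -verify_return_error </dev/null
}

# Offline demo on the constructed bundle (no KMES needed).
P12_PASS=demo-only; export P12_PASS
demo=$(mktemp -d) && make_demo_p12 "$demo" &&
    split_p12 "$demo/client.p12" "$demo/pem" && check_material "$demo/pem"
rm -rf "$demo"
```

Against a real appliance, call `test_connection` with the KMES address and SCEP port after `check_material` passes, and delete the unencrypted `client_key.pem` once the test is done.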

The process for authenticating with username and password on the client side is specific to each SCEP client.