SCEP server for (macOS & iOS) clients

I have a CA and a SCEP server:

Columns: NAME, COMMON-NAME, SKID
#      NAME         COMMON-NAME  SKID                                    
0 KA T ca.boehm.gl  ca.boehm.gl  41f2a2a9e728b433f3852a38faf0bb9ac50af52f
1 K I  testcert     testcert     1e0a76878a5145f948a633fc74065b8f6568fda5

/certificate scep-server
add ca-cert=ca.boehm.gl path=/scep/boehm

I can request a certificate via command line:

./scepclient -private-key my.key -certificate my.pem -server-url=http://scep.boehm.gl:8123/scep/boehm -country=at -organization=boehm -ou=it -cn=myname

Here is the log of this positive request:

11:06:31 certificate,debug,packet server recv: GET /scep/boehm?operation=GetCACert
 11:06:31 certificate,debug GET GetCACert
 11:06:31 certificate,debug,packet server recv: GET /scep/boehm?operation=GetCACaps
 11:06:31 certificate,debug GET GetCACaps
 11:06:31 certificate,debug,packet server recv: POST /scep/boehm?operation=PKIOperation
 11:06:31 certificate,debug,packet  data: 308209c806092a864886f70d010702a08209b9308209b50201013109300706052b0e03021a3082046b06092a864886f70d010701a082045c048204583082045406092a864886f70d010703a0820445308204410201003182018830820184020100306e3062310b3009060355040613024154310c300a06035504080c034e4f453112301006035504070c09506179657262616368310e300c060355040a0c05626f65686d310b3009060355040b0c0249543114301206035504030c0b63612e626f65686d2e676c0208678249f0c6cd9792300b06092a864886f70d010101048201009c73a6df37876ea8d64bd2711d408d5c662a56e56aa936404e62a795172d
 11:06:31 certificate,debug,packet 0d3233303732373130303633325a3026310e300c060355040a1305626f65686d311430120603550403130b53434550205349474e455230820122300d06092a864886f70d01010105000382010f003082010a02820101009862d346424e9dddb48eb6efcc7060b3db70a5390c354bba4a4955eccf244c5c9b25a37dd540b9725fb0d1f28dcb5e23553a21bf09c212f7c7bcd7604d7c1dde9bfdeaf14ba58c97ee367b1d693d2507abfca63662752703b6412226e19e2ecee42d775edafa7f980078d7f066ff8de6c5d6aa297979a3e99d73f3ba213b180e6021c82864953fe800eeaf4f672355533bdf2833d0fd769c82a7e2c22d60c680ffb95319edae7414ae
 11:06:31 certificate,debug,packet 0f892d99cc7d169978c01136c2ea88dbb2ec22fb40484dcd183f5ead684ae96a1fdda8ebcb691292abe576fa04a6255c5460de0176ef95ab178e3656567bdf38694adc01a7b2ae5f2ac9a4abe936cfcfd89ff65427f59cee07ccd955fd6fb8ddc4d8f64880bd191a4ecc64ca844f5f42286ac8d24f2fe6ee42c2042cda9255a1bd531fb2ab21f034ca74f3bc626258144c4fc29f8fa87a54b9b9a3f933941762a5d133da703238318202213082021d020101303a3026310e300c060355040a1305626f65686d311430120603550403130b53434550205349474e4552021040575c4134458ae761064dca1a7bfd7f300706052b0e03021aa081c13012060a6086
 11:06:31 certificate,debug,packet f92ab292cb0b8308e7285ce3ac45a9fb1dae1d29cea3e1b809a36ce4fca2ac9d6c74750c275d473f1cdb04e9013f4a5a51a920f8450b0f3363f1f00d05cc58f7ed9f3f71adf4c05fe9beb9353c166f2b0eec53f3a0a49fe0d5011d6259415723c3c4e99376e2f532babd49716fc43245375fdd44c56d38229dff646342b302f07157b844aa20f195275254d9d63cf9c036e67600b4024c70c1faae4282e12167a4340c33193b15c01ca693234950b07d61cfbd1930fc31b9fb430b11ae67a44b43d831a10777ba970b4ed0b0
 11:06:31 certificate,debug POST PKIOperation
 11:06:31 certificate,debug signer:
 11:06:31 certificate,debug  issuer: O=boehm,CN=SCEP SIGNER
 11:06:31 certificate,debug  subject: O=boehm,CN=SCEP SIGNER
 11:06:31 certificate,debug,packet decoding message type: PKCS#10 request (19)
 11:06:31 certificate,debug,packet transaction: jvLMhDRIgZ2gUV1zUQqXGZ63H1Y=
 11:06:31 certificate,debug,packet sender nonce: 38a1ee7247eb691d94053ded009b0d8c
 11:06:31 certificate,debug recipient:
 11:06:31 certificate,debug  issuer: C=AT,ST=NOE,L=Payerbach,O=boehm,OU=IT,CN=ca.boehm.gl
 11:06:31 certificate,debug  serial: 678249F0C6CD9792
 11:06:31 certificate,debug content ok
 11:06:31 certificate,debug signer uses self signed cert
 11:06:31 certificate,debug addressed to current CA
 11:06:31 certificate,debug transaction not authorized: jvLMhDRIgZ2gUV1zUQqXGZ63H1Y=
 11:06:31 certificate,debug,packet encoding message type: certRep (3)
 11:06:31 certificate,debug,packet status: pending (3)
 11:06:31 certificate,debug,packet transaction: jvLMhDRIgZ2gUV1zUQqXGZ63H1Y=
 11:06:31 certificate,debug,packet sender nonce: 467e331e9a21ed1d4f4d1176a4273c4d
 11:06:31 certificate,debug,packet recipient nonce: 38a1ee7247eb691d94053ded009b0d8c

If I put the SCEP info in an MDM profile for macOS & iOS (part of the profile):

<key>PayloadContent</key>
<dict>
	<key>Name</key>
	<string>ca.boehm.gl</string>
	<key>Retries</key>
	<integer>10</integer>
	<key>RetryDelay</key>
	<integer>30</integer>
	<key>Subject</key>
	<array>
		<array>
			<array>
				<string>C</string>
				<string>at</string>
			</array>
		</array>
		<array>
			<array>
				<string>O</string>
				<string>boehm</string>
			</array>
		</array>
		<array>
			<array>
				<string>OU</string>
				<string>it</string>
			</array>
		</array>
		<array>
			<array>
				<string>CN</string>
				<string>anothername</string>
			</array>
		</array>
	</array>
	<key>URL</key>
	<string>http://scep.boehm.gl:8123/scep/boehm</string>
</dict>
<key>PayloadType</key>
<string>com.apple.security.scep</string>

and let the built-in (macOS & iOS) mdmclient make that request, it fails with:

 11:09:58 certificate,debug,packet server recv: GET /scep/boehm?operation=GetCACert&message=ca.boehm.gl
 11:09:58 certificate,debug GET GetCACert
 11:09:58 certificate,debug,packet server recv: GET /scep/boehm?operation=GetCACaps&message=ca.boehm.gl
 11:09:58 certificate,debug GET GetCACaps
 11:10:00 certificate,debug,packet server recv: POST /scep/boehm?operation=PKIOperation
 11:10:00 certificate,debug,packet 02301d0603551d0e04160414b39abe8293d7e50c799702a964c19aa3bdad8299300d06092a864886f70d01010b050003820101000593bd0294ead0307171e601e4f4a16031b9520a14266d5228627583337ab246f3943fefd943eb5cba9f91a8fd7b636d597d9a03066ac1d14a153da86ecba8d43114724357b8a8edd929227525b720b48867f11c26e02edcdf5c96c3a46814d7f7704a4df02d6562369ff22b9dd560ac18798bd937f850318fe13c8b9babb4bacef1aa9d00273f02ca9ecfb85f28bd1e91d586b84c99812685e6a6ab232a364f0e7cdd5d1e1229cc00a71eb38129ff71b5e2226ae154cdc7aa7c542192d818228c6aac09f719bb15d11dadf6
 11:10:00 certificate,debug,packet 041095e3a7df2dcda0e1eea5e172332f7ac83038060a6086480186f845010907312a132832414532464337423431393734453234364331374244344432443232383033353834383637313746304f06092a864886f70d0109043142044013abc782fa567b4a0834876c8900ee91fe13882714ea4a3834b591fc9623adf03d8d7755a746a97d94740adf154847f393e2807b14e4426b8c3822c219f1d08f300d06092a864886f70d01010d050004820100c4c1739c396645888dcd5f33e770c9d2f0c0c88587913975d150a9ec10265c35d213d0b04ca6b716058821d34208bee92dcffd2107533a4f6246b360d3c2640fb284b85f3bad870e2230666a13d34bb2
 11:10:00 certificate,debug,packet dda03a31f9f1b1606e40351721d7718370aabe82a1b69d2ac405257e6e086a7a1458b69e2cd6b8a3f7df3afb024d6f0771ac4c82b59e41be91e87341d8bc128b038e326e9e3dd081e83dc3dcb3a3139ffaee38344dc52aba1faebef1c803a4a6bd1e5584b52c815d026a97fbdfecc517098e4cba3f3e753ca4547ac57e3e01746d295c3965ca4c18a1885aade20c951decdec0cd7f0b075f6840f799e639bbaff6b0cc1ad51ed54403207b8b5d3ae29e000000000000
 11:10:00 certificate,debug POST PKIOperation
 11:10:00 certificate,debug signer:
 11:10:00 certificate,debug  issuer: CN=MDM SCEP SIGNER 2C78967C-8115-432A-BB62-DD276D0F5FC4,C=AT
 11:10:00 certificate,debug  subject: CN=MDM SCEP SIGNER 2C78967C-8115-432A-BB62-DD276D0F5FC4,C=AT
 11:10:00 certificate,debug content digest mismatch
 11:10:00 certificate,debug signature verify failed

If I retry, we can see that the SIGNER is a random UUID that differs on every try:

 11:15:56 certificate,debug signer:
 11:15:56 certificate,debug  issuer: CN=MDM SCEP SIGNER FDD742F3-5D84-41D1-964A-A20420573E04,C=AT
 11:15:56 certificate,debug  subject: CN=MDM SCEP SIGNER FDD742F3-5D84-41D1-964A-A20420573E04,C=AT
 11:15:56 certificate,debug content digest mismatch
 11:15:56 certificate,debug signature verify failed

 11:16:45 certificate,debug signer:
 11:16:45 certificate,debug  issuer: CN=MDM SCEP SIGNER EDDA4899-1DA3-4B77-83FE-5650075F3EE5,C=AT
 11:16:45 certificate,debug  subject: CN=MDM SCEP SIGNER EDDA4899-1DA3-4B77-83FE-5650075F3EE5,C=AT
 11:16:45 certificate,debug content digest mismatch
 11:16:45 certificate,debug signature verify failed

Now my questions:

Can I configure the scep-server to ignore that "content digest mismatch"?
Can the scep-server leverage a pre-shared secret?
Can I configure the scep-server to auto-accept a request, or to trigger a script per request, where I can verify and accept/deny that request via the script?

In general, documentation on how to set up the scep-server to support macOS / iOS (or even Windows) clients would be great.

Background: what do I want to achieve?

  • I want my client machines to get (themselves / triggered via MDM) a certificate via SCEP
  • then RADIUS should trust those certificates
  • and finally WiFi leverages WPA Enterprise (EAP-TLS)

Unfortunately I can’t help you but I face exactly the same problem as you (trying to achieve the same end goal).

The only thing I managed to do was to convert the packet dump data from the logs into a binary PKCS#7 file and confirm it's just a regular self-signed cert by the MDM SCEP SIGNER issuer (random ID, as you described). But OpenSSL has no issue decoding it. I couldn't find why MikroTik will complain about it.
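The step described in the reply above (turning the `certificate,debug,packet` hex back into a binary PKCS#7 blob) can be taken one step further offline, and it bears directly on the original poster's "content digest mismatch": recompute the one thing the server compares, the hash of the encapsulated content, with the digest algorithm the SignerInfo names, and hold it against the messageDigest signed attribute. The script below is an added example, not code from this thread or from RouterOS. It is stdlib-only Python, assumes the RouterOS dump layout shown in the posts (hex fragments after the tag, the first one prefixed with `data:`), parses definite-length DER only, and exercises itself with SignedData messages it constructs (no real key, so the signature octets are placeholders); every function name is mine. One detail visible in the dumps motivates the algorithm lookup: the working scepclient message names SHA-1 as its digest algorithm (`2b0e03021a` is OID 1.3.14.3.2.26), while the failing MDM message carries a 64-byte messageDigest attribute (`2a864886f70d010904` followed by `3142 0440`), which is the length of a SHA-512 digest, so the two clients hash with different algorithms.

```python
"""Rebuild a SCEP PKIOperation body from RouterOS packet-dump log lines and check
its messageDigest signed attribute against the encapsulated content.
Added example (not from the thread or from RouterOS); Python stdlib only."""
import hashlib
import re

# Hex fragment after the 'certificate,debug,packet' tag; the first fragment follows 'data:'.
PACKET_LINE = re.compile(r"certificate,debug,packet\s+(?:data:\s*)?([0-9a-fA-F]+)\s*$")

def oid(dotted):
    """Encode a dotted OID to its DER content octets (base-128 arcs)."""
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        while p > 0x7F:
            p >>= 7
            chunk.append(0x80 | (p & 0x7F))
        body += bytes(reversed(chunk))
    return bytes(body)

OID_SIGNED_DATA, OID_DATA = oid("1.2.840.113549.1.7.2"), oid("1.2.840.113549.1.7.1")
OID_MESSAGE_DIGEST = oid("1.2.840.113549.1.9.4")
DIGEST_ALGS = {oid("1.3.14.3.2.26"): "sha1", oid("2.16.840.1.101.3.4.2.1"): "sha256",
               oid("2.16.840.1.101.3.4.2.3"): "sha512"}

def tlv(tag, value):
    """DER-encode one TLV with a definite length."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def read_tlv(buf, pos=0):
    """Parse one definite-length TLV (single-byte tag); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        out.append((tag, inner))
    return out

def log_to_der(lines):
    """Join the hex fragments of a dump; other log lines never match, and trailing zero
    padding is harmless because the outer DER length bounds the parse."""
    return bytes.fromhex("".join(m.group(1) for m in map(PACKET_LINE.search, lines) if m))

def check_message_digest(der):
    """Recompute what the server compares: hash(encapsulated content) with the digest
    algorithm named in the first SignerInfo, versus its messageDigest signed attribute."""
    ctype, explicit = children(read_tlv(der)[1])[:2]
    if ctype[1] != OID_SIGNED_DATA:
        raise ValueError("outer ContentInfo is not SignedData")
    fields = children(children(explicit[1])[0][1])                  # SignedData members
    content = children(children(fields[2][1])[1][1])[0][1]          # encapContentInfo eContent
    signer = children(children(fields[-1][1])[0][1])                # first SignerInfo
    alg = DIGEST_ALGS[children(signer[2][1])[0][1]]                 # digestAlgorithm OID
    claimed = b""
    for _, attr in children(signer[3][1]):                          # [0] IMPLICIT signedAttrs
        attr_type, attr_values = children(attr)
        if attr_type[1] == OID_MESSAGE_DIGEST:
            claimed = children(attr_values[1])[0][1]
    actual = hashlib.new(alg, content).digest()
    return {"algorithm": alg, "claimed": claimed.hex(), "actual": actual.hex(), "match": claimed == actual}

def build_signed_data(content, digest_name, claimed_digest):
    """Constructed SignedData for exercising the check: no real key, so the signature
    octets are a placeholder and only the messageDigest attribute is meaningful."""
    alg = tlv(0x30, tlv(0x06, next(k for k, v in DIGEST_ALGS.items() if v == digest_name)) + b"\x05\x00")
    encap = tlv(0x30, tlv(0x06, OID_DATA) + tlv(0xA0, tlv(0x04, content)))
    attr = tlv(0x30, tlv(0x06, OID_MESSAGE_DIGEST) + tlv(0x31, tlv(0x04, claimed_digest)))
    sid = tlv(0x30, tlv(0x30, b"") + tlv(0x02, b"\x01"))           # empty issuer name, serial 1
    signer = tlv(0x30, tlv(0x02, b"\x01") + sid + alg + tlv(0xA0, attr) + alg + tlv(0x04, bytes(8)))
    signed = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, alg) + encap + tlv(0x31, signer))
    return tlv(0x30, tlv(0x06, OID_SIGNED_DATA) + tlv(0xA0, signed))

def as_routeros_log(der):
    """Lay a blob out as constructed RouterOS-style dump lines, ending in six zero pad bytes."""
    hexstr, tag = der.hex() + "00" * 6, " 11:10:00 certificate,debug,packet "
    chunks = [hexstr[i:i + 40] for i in range(0, len(hexstr), 40)]
    return [tag + "server recv: POST /scep/boehm?operation=PKIOperation",
            tag + " data: " + chunks[0]] + [tag + c for c in chunks[1:]]

def demo():
    """Constructed good and bad messages; the bad one claims a SHA-512 digest of other bytes."""
    content = b"constructed stand-in for the PKCS#10-carrying envelopedData"
    good = build_signed_data(content, "sha256", hashlib.sha256(content).digest())
    bad = build_signed_data(content, "sha512", hashlib.sha512(b"tampered").digest())
    return {name: check_message_digest(log_to_der(as_routeros_log(blob)))
            for name, blob in (("good", good), ("bad", bad))}
```

To use it on a real dump, paste the `certificate,debug,packet` lines of one POST into `log_to_der()` and hand the bytes to `check_message_digest()`; a `match` of `False` reproduces the server's verdict, and `algorithm` tells you which hash the client used, which is worth comparing with what the RouterOS GetCACaps reply advertises, since GetCACaps is where a SCEP server declares the hashes it accepts. Two caveats: the parser only handles definite-length DER, so a message encoded with BER indefinite lengths (the failing MDM dump ends in six `00` bytes, which is also how end-of-contents octets look) will need the content reassembled from its chunks before hashing; and the check verifies the digest only, not the RSA signature over the signed attributes, which the server checks next.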

I tried this on 7.20beta4 and it still does not work.

Has anyone been successful with the RouterOS SCEP server with a request coming from an Apple device (i.e. via a .mobileprofile file)?

Apple is able to get the RootCA. But when it provides the cert request, RouterOS rejects it with HTTP 406 (Not Acceptable). RouterOS logs show "content digest mismatch" followed by "signature verify failed", with no additional details other than those messages.

In my case the signing issuer and subject matched according to the logs.


LMK if, in the intervening year, someone got this to work. I have not tried older versions, only 7.19.2 and 7.20beta4. But if someone knew it was working in some version, that would be good to know.