Every SCEP CA endpoint serves its CA and Decrypter certificate bundle through the GetCACert operation that SCEP clients call when they first connect.

This is a plain HTTP GET request (the query string is operation=GetCACert) that returns a DER-encoded, certificates-only PKCS#7 bundle, so a short bash script is enough to extract the certificates:

  #!/bin/bash
  # Usage:   ./get-scep-ca.sh <scep-endpoint-url> <ca-bundle.pem>
  # Example: ./get-scep-ca.sh https://agents.voyager.ca.smallstep.com/scep/integration-jamf-9b7d6087 /path/to/ca.pem
  #
  # <ca-bundle.pem> is the trust anchor for the HTTPS connection only; it is not
  # the SCEP CA certificate that this script retrieves.

  set -euo pipefail

  url="${1:?Usage: $0 <scep-endpoint-url> <ca-bundle.pem>}"
  cacert="${2:?Usage: $0 <scep-endpoint-url> <ca-bundle.pem>}"
  output="scep-ca-cert.pem"

  # GetCACert returns a DER-encoded, certs-only PKCS#7 bundle; -print_certs unpacks it
  # into PEM. -f makes curl fail on an HTTP error instead of piping an error page into openssl.
  curl -fsS --cacert "$cacert" "${url}?operation=GetCACert" \
    | openssl pkcs7 -inform DER -print_certs \
    > "$output"

  echo "Saved to $output"
  # openssl x509 reads only the first certificate in the file; the complete bundle,
  # with a subject/issuer line for every certificate, is in $output.
  openssl x509 -in "$output" -noout -subject -issuer

Output:

  $ ./get-scep-ca.sh https://agents.voyager.ca.smallstep.com/scep/integration-jamf-9b7d6087 intermediate-ca.pem
  Saved to scep-ca-cert.pem
  subject=CN=Decrypter
  issuer=CN=Smallstep (Voyager) Agents Intermediate CA

The Decrypter certificate can then be validated against the expected issuer and monitored for expiry externally, as needed.
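To exercise that validation and monitoring step without network access, here is an added bash example (not part of the original script or of Smallstep's tooling). It constructs its own CA and Decrypter certificates with openssl, packs them into the certificates-only DER PKCS#7 shape that GetCACert returns, splits the bundle into individual certificates, and checks each one against a trusted CA file and a minimum remaining validity. The CN values, file names and the 7-day threshold are assumptions made for the demo; a real run would point check_cert at the bundle saved by get-scep-ca.sh and at the organisation's trusted CA file.

```shell
#!/bin/bash
# Added example (not part of the original script or of Smallstep's tooling): exercises
# the GetCACert parsing and "validate and monitor externally" step offline.
# It builds a constructed CA + Decrypter pair with openssl, packs them into the
# certs-only DER PKCS#7 bundle shape that GetCACert returns, then splits the bundle
# into individual certificates, verifies each against a trusted CA file and checks
# how long it stays valid. All names (work dir, CN values) are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build the constructed fixture: a self-signed CA (valid 365 days) and a Decrypter
# cert it signs (valid 30 days). Prints the path of the resulting DER PKCS#7 bundle.
make_fixture_bundle() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -subj "/CN=Example SCEP Intermediate CA" \
    -days 365 2>/dev/null
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/dec.key" -out "$WORK/dec.csr" -subj "/CN=Decrypter" 2>/dev/null
  openssl x509 -req -in "$WORK/dec.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/dec.pem" -days 30 2>/dev/null
  # crl2pkcs7 -nocrl builds the certs-only PKCS#7 structure that a SCEP server serves.
  openssl crl2pkcs7 -nocrl -certfile "$WORK/dec.pem" -certfile "$WORK/ca.pem" \
    -outform DER -out "$WORK/getcacert.der"
  echo "$WORK/getcacert.der"
}

# Split a DER PKCS#7 bundle into cert-0.pem, cert-1.pem, ... under $2 and print the count.
split_bundle() {
  local der="$1" outdir="$2"
  mkdir -p "$outdir"
  openssl pkcs7 -inform DER -in "$der" -print_certs -out "$outdir/bundle.pem"
  # Keep only the PEM blocks; -print_certs also emits subject=/issuer= lines.
  awk -v d="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert-%d.pem", d, n++) }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }' "$outdir/bundle.pem"
  set -- "$outdir"/cert-*.pem
  echo "$#"
}

# Print the subject CN of a PEM certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Succeed only if $1 chains to the trusted CA file $2 AND stays valid for at least
# $3 days (default 7). A non-zero exit is what a monitoring job should alert on.
check_cert() {
  local cert="$1" trusted="$2" min_days="${3:-7}"
  openssl verify -CAfile "$trusted" "$cert" >/dev/null 2>&1 \
    && openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" >/dev/null
}

# Demo run against the constructed bundle.
bundle="$(make_fixture_bundle)"
count="$(split_bundle "$bundle" "$WORK/certs")"
echo "GetCACert bundle contains $count certificate(s)"
for c in "$WORK"/certs/cert-*.pem; do
  if check_cert "$c" "$WORK/ca.pem" 7; then
    echo "OK   $(cert_cn "$c")"
  else
    echo "FAIL $(cert_cn "$c")"
  fi
done
```

check_cert deliberately chains the two openssl calls with `&&` so that either a broken trust chain or a certificate that expires inside the window makes the function fail; scheduling it from cron against the saved bundle gives a simple rotation and expiry alert for the Decrypter certificate.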