What is SCEP service? How does SCEP protocol work?
Read time: 4 minutes
SCEP or Simple Certificate Enrollment Protocol, is an open-source certificate management protocol that stands for , automating the task of certificate issuance. Public key infrastructure (PKI) certificate issuance requires a process for information exchange with a trusted Certificate Authority (CA). This is required so that it can authenticate the information provided by the user, like domain name and identities associated with the Certificate. By automating this process, SCEP makes it easy and faster for the IT team to enroll certificates on devices without having to manually exchange the information. Using a URL to exchange information and a shared secret to communicate with the CA, a device can easily enroll for a certificate.
How does SCEP work?
- SCEP URL: The Simple Certificate Enrollment Protocol URL enables a device to communicate with the CA to obtain an enrollment Certificate.
- SCEP Shared Secret: A case-sensitive, secure password is used as a SCEP shared secret between the CA and SCEP server to authenticate the identities and domains associated with the CA certificate.
- SCEP Certificate Signing Request: After setting up and sharing the SCEP gateway and Shared secret, respectively, users can create and distribute a configuration profile that enables managed devices to auto-enroll for certificates by sending a certificate enrollment request to the CA through the SCEP gateway. A signed certificate will be issued to the device after authentication.
- SCEP Signing Certificate: The SCEP signed Certificate is uploaded by Mobile Device Management (MDM), in which the entire certificate chain (Root CA, Intermediate CA, End-entity Certificate) is included.
SCEP Device Enrollment Process
The following steps are required for SCEP device enrollment on MDMs:
- Add SCEP URL
- Add SCEP Shared Secret
- Upload the SCEP certificate, which needs to be signed.
- Set the SCEP configuration.
- Define any application-specific certificate setting.
- Specify the device which will receive the certificates.
After authentication by the CA, a signed certificate will be deployed on the required device.
SCEP certificate Configuration profile
While setting up an SCEP server, the Administrator can customize the SCEP implementation by setting up the number of available certificate properties in the certificate configuration profile. The certificate properties are given below:
- Certificate Template Name
- Certificate Type
- Subject Name (this refers to the entity requesting the Certificate, it can be an email id, server name, or IP address of the entity.)
- Certificate Validity Period (this refers to the time for which the Certificate is valid, if not revoked.)
- Hashing Algorithm
- Root CA Certificate
- Key Usage (this refers to the usage of the key, whether it is for Digital Signature, key encipherment, or both.)
- Key Size (this refers to the size of the key, for example, 1024-bit or 2048-bit)
- Subject Alternative Name (this relates to the alternative details of the subject like DNS, URI, UPN, etc.)
SCEP vs. EST
EST stands for Enrollment over Secure Transport. It is the evolution of SCEP and uses Transport Layer Security (TLS) for client-side device authentication. Both SCEP and EST are used to automate the Certificate enrollment process, but the difference is that SCEP uses Shared Secret protocol and CSRs for enrolling Certificates, whereas EST uses TLS for authentication. EST uses TLS to securely transport the messages and Certificates, whereas SCEP uses PkcsPKIEnvelope envelopes to secure the messages.
SCEP vs. ACME
ACME stands for Automated Certificate Management Environment. Both SCEP and ACME are the same in certificate management. ACME uses key pairs, also known as authorization keys, for validation of the CA and organization. ACME installs the Certificate Management Tool to generate Authorization keys.
SCEP vs. CMP and CMC
CMP stands for Certificate Management Protocol, and CMC stands for Certificate Management CMS. Both SCEP and EST are used for enrollment and issuance of Certificates, whereas CMP and CMC are used for Certificate management like renewal, status, and revocation of Certificates.
SCEP Gateway API can be used to distribute certificates to every managed device. The SCEP Gateway API enables managed devices to enroll for Certificates on their own easily, but it also increases security risk. Mobile devices that use SCEP for digital certificate enrollment may be susceptible to a Privilege Escalation Attack. EST is the evolution of SCEP, which is more secure and uses TLS for client-side device authentication.