    What is SCEP service? How does SCEP protocol work?

    SCEP Protocol
    14 May 2021

    Read time: 4 minutes

    SCEP, the Simple Certificate Enrollment Protocol, is an open certificate enrollment protocol that automates the issuance of certificates. Issuing a public key infrastructure (PKI) certificate requires an exchange of information with a trusted Certificate Authority (CA), so that the CA can verify what the requester claims, such as the domain name and the identities to be bound to the certificate. By automating this exchange, SCEP lets the IT team enroll certificates on devices quickly, without passing the information around by hand: given a URL through which to reach the CA and a shared secret with which to authenticate to it, a device can enroll for a certificate on its own.

    How does SCEP work?

    1. SCEP URL: the Simple Certificate Enrollment Protocol URL is the endpoint through which a device communicates with the CA to obtain an enrollment certificate.
    2. SCEP shared secret: a case-sensitive, secure password used as the SCEP shared secret between the CA and the SCEP server; it authenticates the identities and domains that the enrollment request claims for the requested certificate.
    3. SCEP certificate signing request: once the SCEP gateway URL and the shared secret have been set up and distributed, administrators create a configuration profile that lets managed devices auto-enroll by sending a certificate signing request (CSR) to the CA through the SCEP gateway. After the CA authenticates the request, it issues a signed certificate to the device.
    4. SCEP signing certificate: the SCEP signing certificate is uploaded to the Mobile Device Management (MDM) system together with its entire chain (root CA, intermediate CA, end-entity certificate).
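The four items above describe SCEP at the level of URL, secret and CSR. As an added illustration of how a client actually drives that URL (this is not code from the original article or from any SCEP product), the following Python uses only the standard library to build the request URLs defined in RFC 8894, parse the CA's GetCACaps capability list, and refuse to enroll unless the CA advertises a modern hash and cipher. The endpoint URL and the GetCACaps reply are constructed sample values.

```python
# Added example, not code from the original article: the HTTP half of a SCEP
# enrollment as specified in RFC 8894, using only the Python standard library.
# The endpoint URL and the GetCACaps reply are constructed sample data.
import base64
from typing import Dict, FrozenSet, Optional, Tuple
from urllib.parse import urlencode

# Assumed endpoint; RFC 8894 uses this path in its own examples.
SCEP_URL = "https://scep.example.test/cgi-bin/pkiclient.exe"

# Constructed GetCACaps reply: one capability keyword per line.
SAMPLE_CACAPS = "AES\nPOSTPKIOperation\nRenewal\nSHA-256\nSHA-512\nSCEPStandard\n"

# Client-side policy: only these algorithms are acceptable for signing and
# encrypting pkiMessages. SHA-1 and DES3 are still advertised by older CAs but
# are deliberately absent from these lists, so enrollment fails closed.
HASH_PREFERENCE = ("SHA-512", "SHA-256")
CIPHER_PREFERENCE = ("AES",)


def scep_request_url(base_url: str, operation: str, message: Optional[str] = None) -> str:
    """Every SCEP operation is a request to one URL selected by ?operation=.
    `message` is the optional CA identifier for GetCACaps/GetCACert, or the
    base64 pkiMessage for a GET PKIOperation; urlencode escapes the '+', '/'
    and '=' characters that base64 produces."""
    params = {"operation": operation}
    if message is not None:
        params["message"] = message
    return f"{base_url}?{urlencode(params)}"


def parse_ca_caps(body: str) -> FrozenSet[str]:
    """GetCACaps returns plain text, one keyword per line. Unknown keywords are
    kept (the client simply never acts on them) and blank lines are dropped."""
    return frozenset(line.strip() for line in body.splitlines() if line.strip())


def select_algorithms(caps: FrozenSet[str]) -> Dict[str, str]:
    """Pick the strongest advertised hash and cipher plus the PKIOperation
    transport. Raises ValueError instead of falling back to SHA-1 or DES3."""
    hash_alg = next((h for h in HASH_PREFERENCE if h in caps), None)
    cipher = next((c for c in CIPHER_PREFERENCE if c in caps), None)
    if hash_alg is None or cipher is None:
        raise ValueError(f"CA offers no acceptable algorithms: {sorted(caps)}")
    transport = "POST" if "POSTPKIOperation" in caps else "GET"
    return {"hash": hash_alg, "cipher": cipher, "transport": transport}


def pki_operation_request(base_url: str, caps: FrozenSet[str], pki_message_der: bytes
                          ) -> Tuple[str, str, Dict[str, str], Optional[bytes]]:
    """Return (method, url, headers, body) for submitting a DER-encoded
    pkiMessage (PKCS#7 SignedData wrapping the enveloped CSR, whose
    challengePassword attribute carries the shared secret). POST is used when
    the CA advertises POSTPKIOperation; otherwise the DER is base64-encoded
    into the query string, as RFC 8894 requires for GET."""
    transport = select_algorithms(caps)["transport"]   # raises on weak-only CAs
    if transport == "POST":
        url = scep_request_url(base_url, "PKIOperation")
        return "POST", url, {"Content-Type": "application/x-pki-message"}, pki_message_der
    b64 = base64.b64encode(pki_message_der).decode("ascii")
    return "GET", scep_request_url(base_url, "PKIOperation", b64), {}, None


if __name__ == "__main__":
    caps = parse_ca_caps(SAMPLE_CACAPS)
    print(scep_request_url(SCEP_URL, "GetCACaps", "CA-IDENT"))
    print(select_algorithms(caps))
    print(pki_operation_request(SCEP_URL, caps, b"\x30\x03\x02\x01\x00")[:2])
```

The check a defender should take from this is the fail-closed `select_algorithms`: a CA that advertises only SHA-1 and DES3 gets no enrollment attempt rather than a silently downgraded one. The GetCACaps reply arrives over the same unauthenticated HTTP channel as everything else, so the client's own policy, not the CA's answer, has to set the floor.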

    SCEP Device Enrollment Process

    The following steps are required for SCEP device enrollment on MDMs:

    1. Add the SCEP URL.
    2. Add the SCEP shared secret.
    3. Upload the SCEP signing certificate.
    4. Set the SCEP configuration.
    5. Define any application-specific certificate settings.
    6. Specify the devices that will receive the certificates.

    After authentication by the CA, a signed certificate will be deployed on the required device.

    SCEP certificate configuration profile

    When setting up a SCEP server, the administrator can customize the SCEP implementation by setting a number of certificate properties in the certificate configuration profile. The available certificate properties are:

    • Certificate Template Name
    • Certificate Type
    • Subject Name (the entity requesting the certificate; it can be an email address, server name, or IP address of the entity.)
    • Certificate Validity Period (the time for which the certificate is valid, unless it is revoked earlier.)
    • Hashing Algorithm
    • Root CA Certificate
    • Key Usage (what the key may be used for: digital signature, key encipherment, or both.)
    • Key Size (the size of the key, for example 1024-bit or 2048-bit.)
    • Subject Alternative Name (alternative identifiers for the subject, such as a DNS name, URI, or UPN.)
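One concrete way to express these properties is a profile payload. The Python below is an added example, not code from the original article or from any MDM vendor: it builds a SCEP payload from the properties listed above and audits it for weak settings before it is pushed to devices. The key names follow Apple's SCEP configuration profile payload (PayloadType com.apple.security.scep); that the MDM consumes that format is an assumption, and the URL, subject, challenge and CA fingerprint are constructed sample values.

```python
# Added example, not code from the original article: build a SCEP certificate
# configuration profile from the listed properties and audit it for weak
# settings. Key names follow Apple's SCEP payload (assumed MDM format); the
# URL, subject, challenge and fingerprint are constructed samples.
import hashlib
import plistlib
import uuid
from typing import Any, Dict, List, Optional, Sequence, Tuple

KEY_USAGE_SIGNING = 1     # digitalSignature bit of the payload's "Key Usage"
KEY_USAGE_ENCRYPT = 4     # keyEncipherment bit
MIN_KEY_SIZE = 2048       # 1024-bit RSA is too small to issue today

# Constructed sample: SHA-256 over a placeholder "CA certificate" DER blob.
SAMPLE_CA_FINGERPRINT = hashlib.sha256(b"placeholder-ca-cert-der").digest()


def scep_payload(url: str, name: str, subject: Sequence[Tuple[str, str]], challenge: str,
                 key_size: int = 2048,
                 key_usage: int = KEY_USAGE_SIGNING | KEY_USAGE_ENCRYPT,
                 san: Optional[Dict[str, str]] = None,
                 ca_fingerprint: Optional[bytes] = None) -> Dict[str, Any]:
    """Return one SCEP payload dictionary.
    `subject` is a list of (attribute, value) pairs such as
    [("O", "Example Corp"), ("CN", "device-0001")]; the payload stores each RDN
    as a nested array. `ca_fingerprint` pins the CA certificate the device will
    accept from GetCACert, so a spoofed SCEP server cannot substitute its own."""
    content: Dict[str, Any] = {
        "URL": url,
        "Name": name,                      # CA identifier sent as the GetCACert message
        "Subject": [[[attr, value]] for attr, value in subject],
        "Challenge": challenge,            # the SCEP shared secret for this device
        "Key Type": "RSA",
        "Keysize": key_size,
        "Key Usage": key_usage,
        "Retries": 3,
        "RetryDelay": 10,
    }
    if san:
        content["SubjectAltName"] = san    # e.g. {"dNSName": ..., "ntPrincipalName": ...}
    if ca_fingerprint:
        content["CAFingerprint"] = ca_fingerprint
    return {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.scep.{name}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"SCEP enrollment ({name})",
        "PayloadContent": content,
    }


def audit_scep_payload(payload: Dict[str, Any]) -> List[str]:
    """Return the weak settings found; an empty list means the profile passes."""
    content = payload["PayloadContent"]
    findings: List[str] = []
    if content.get("Keysize", 0) < MIN_KEY_SIZE:
        findings.append(f"Keysize {content.get('Keysize')} is below {MIN_KEY_SIZE}")
    if "CAFingerprint" not in content:
        findings.append("no CAFingerprint: the CA certificate from GetCACert is not pinned")
    if not content.get("Challenge"):
        findings.append("empty Challenge: the CA cannot authenticate the request")
    if not content.get("Key Usage"):
        findings.append("Key Usage is unset; the certificate's purpose is unconstrained")
    if not any(attr == "CN" for rdn in content["Subject"] for attr, _ in rdn):
        findings.append("Subject has no CN identifying the enrolling entity")
    return findings


def to_mobileconfig(payloads: List[Dict[str, Any]], display_name: str) -> bytes:
    """Wrap payloads in the top-level profile and serialise it as an XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.scep",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)
```

Run `audit_scep_payload` in the MDM pipeline before `to_mobileconfig`; the findings it returns (undersized key, unpinned CA, empty challenge, unconstrained key usage, missing CN) are exactly the properties in the list above set to their weak values.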

    SCEP vs. EST

    EST stands for Enrollment over Secure Transport. It is the evolution of SCEP and uses Transport Layer Security (TLS) for client-side device authentication. Both SCEP and EST automate the certificate enrollment process; the difference is that SCEP authenticates enrollment with a shared secret carried in the CSR, whereas EST authenticates the client with TLS. EST also relies on TLS to transport messages and certificates securely, whereas SCEP protects its messages with pkcsPKIEnvelope (PKCS#7) envelopes.

    SCEP vs. ACME

    ACME stands for Automated Certificate Management Environment. Both SCEP and ACME automate certificate management. ACME uses key pairs, known as authorization keys, to validate the organization to the CA, and an ACME certificate management tool is installed to generate those authorization keys.

    SCEP vs. CMP and CMC

    CMP stands for Certificate Management Protocol, and CMC stands for Certificate Management over CMS. SCEP and EST are used for the enrollment and issuance of certificates, whereas CMP and CMC cover certificate management operations such as renewal, status checking, and revocation.

    Conclusion

    A SCEP gateway API can be used to distribute certificates to every managed device. It lets managed devices enroll for certificates on their own with little effort, but it also increases security risk: because the shared secret on its own proves possession of the secret rather than entitlement to a particular identity, mobile devices that use SCEP for digital certificate enrollment may be susceptible to a privilege escalation attack, in which a requester holding the secret obtains a certificate for an identity it should not have. EST is the evolution of SCEP; it is more secure and uses TLS for client-side device authentication.
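The privilege escalation risk comes from the shared secret proving possession of a secret rather than entitlement to a particular identity. The following Python is an added example, not code from the original article or from any CA or MDM product, of a CA/RA-side policy that closes that gap: each device gets its own one-time, expiring challenge bound to the subject it is allowed to enroll, and a CSR whose subject does not match is rejected. Device identifiers and subjects are constructed sample data.

```python
# Added example, not code from the original article: a CA/RA-side policy for
# the SCEP shared secret. Instead of one static secret shared by every device,
# the RA issues a one-time, expiring challenge bound to the identity that
# device may enroll, and rejects a CSR whose subject does not match. Device
# ids and subjects are constructed samples; this is not any vendor's API.
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

CHALLENGE_TTL_SECONDS = 600


@dataclass
class Challenge:
    device_id: str       # the MDM's record of which device received this secret
    subject_cn: str      # the only subject CN this secret may enroll
    expires_at: float
    used: bool = False


class ScepChallengePolicy:
    """Issues per-device challenge passwords and validates them at enrollment."""

    def __init__(self, ttl: float = CHALLENGE_TTL_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self._ttl = ttl
        self._clock = clock          # injectable so expiry can be tested
        self._challenges: Dict[str, Challenge] = {}

    def issue(self, device_id: str, subject_cn: str) -> str:
        """Called when the MDM builds a profile for one device; the returned
        secret becomes that profile's SCEP challenge and nothing else's."""
        secret = secrets.token_urlsafe(32)
        self._challenges[secret] = Challenge(device_id, subject_cn, self._clock() + self._ttl)
        return secret

    def _lookup(self, presented: str) -> Optional[Challenge]:
        # Compare against every stored secret with a constant-time check and
        # no early exit, so response timing does not reveal near-matches.
        match = None
        presented_b = presented.encode()
        for secret, challenge in self._challenges.items():
            if hmac.compare_digest(secret.encode(), presented_b):
                match = challenge
        return match

    def verify(self, presented_secret: str, csr_subject_cn: str) -> Tuple[bool, str]:
        """Called by the RA/CA for each PKIOperation with the CSR's
        challengePassword and subject CN. Anything other than a fresh, unexpired,
        matching challenge is a rejection, with a reason for the audit log."""
        challenge = self._lookup(presented_secret)
        if challenge is None:
            return False, "unknown challenge"
        if self._clock() > challenge.expires_at:
            return False, "challenge expired"
        if challenge.used:
            return False, "challenge already used"
        # Consumed on first use whether or not the subject matches, so a leaked
        # secret cannot be retried against other subjects.
        challenge.used = True
        if challenge.subject_cn.lower() != csr_subject_cn.lower():
            return False, "subject does not match enrolled identity"
        return True, "ok"

    def purge_expired(self) -> int:
        """Drop used or expired challenges; returns how many were removed."""
        now = self._clock()
        stale = [s for s, c in self._challenges.items() if c.used or now > c.expires_at]
        for s in stale:
            del self._challenges[s]
        return len(stale)


if __name__ == "__main__":
    policy = ScepChallengePolicy()
    secret = policy.issue("device-0001", "device-0001.example.test")
    print(policy.verify(secret, "device-0001.example.test"))   # (True, 'ok')
    print(policy.verify(secret, "device-0001.example.test"))   # (False, 'challenge already used')
```

The rejection reasons are deliberately distinct so that the RA's audit log can tell a replayed challenge from a subject mismatch; a burst of "subject does not match enrolled identity" entries from one device is the signal a detection team would look for.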
