What is SCEP?
Simple Certificate Enrollment Protocol (SCEP) is an open, vendor-neutral protocol for enrolling devices for X.509 certificates from a certificate authority (CA) in a simple, scalable and reasonably secure way. It was originally designed by Cisco, circulated for years as an Internet-Draft, and is now documented in RFC 8894. The primary characteristics of SCEP are as follows:
How does SCEP work?
The SCEP enrollment and usage generally follows this workflow:
Why is SCEP used?
Issuing certificates from a public key infrastructure normally involves an extensive exchange of information and approval steps with the trusted issuing entity, the certificate authority (CA). SCEP automates that enrollment, so IT security teams can issue and deploy certificates to devices without a manual step per device. A device enrolls by generating a key pair and a PKCS#10 certificate signing request (CSR) and sending it to the CA's SCEP URL inside a PKCS#7 (CMS) message that is signed by the device and encrypted to the CA's certificate; the CA authenticates the request with a shared secret carried in the CSR (the challengePassword attribute) or, for a renewal, with a certificate it previously issued to that device. Mobile Device Management (MDM) systems such as Microsoft Intune and Apple's MDM protocol rely on SCEP to enroll certificates on the growing population of smartphones and mobile devices. Two practical caveats follow from this design. SCEP provides no transport security of its own (it was specified over plain HTTP, and confidentiality comes only from the PKCS#7 envelope), so the CA's certificate must be obtained and verified out of band before it is trusted. And the challenge password is the only thing authenticating a brand-new device, so it should be a one-time, per-device value with a short lifetime rather than a static secret shared by a whole fleet, and the CA should check that the subject in the CSR is the one that password was issued for.
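As an added illustration (this is example code written for this page, not a real SCEP client or CA and not code from RFC 8894 or any product), the Python below shows the two places where deployment choices decide how much SCEP's security is worth: the client side, which parses the CA's GetCACaps reply and picks AES with SHA-256 or better instead of silently downgrading to the legacy algorithms (single DES and MD5 in the original drafts, triple DES and SHA-1 in later ones), and the CA side, which keeps one-time challenge passwords bound to a subject and an expiry. The base URL, subject names and timestamps are assumptions, and the actual PKCS#7-enveloped PKIOperation exchange is omitted.

```python
"""Added example: the security-relevant choices around a SCEP enrollment.

Part 1 parses a GetCACaps reply (RFC 8894, section 3.5.2) and chooses the
strongest advertised algorithms rather than falling back to legacy ones.
Part 2 is a CA-side store of one-time challenge passwords.
The base URL and subjects in the tests are assumed values; nothing is sent.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Capability keywords a SCEP CA may return from GetCACaps (RFC 8894, 3.5.2).
KNOWN_CAPS = {"AES", "DES3", "GetNextCACert", "POSTPKIOperation", "Renewal",
              "SHA-1", "SHA-256", "SHA-512", "SCEPStandard"}


def scep_get_url(base_url, operation, message=None):
    """Build the HTTP GET form of a SCEP request (GetCACaps, GetCACert, ...)."""
    params = {"operation": operation}
    if message is not None:
        params["message"] = message
    return f"{base_url}?{urlencode(params)}"


def parse_ca_caps(body):
    """GetCACaps returns one keyword per line; unknown keywords are ignored."""
    return {line.strip() for line in body.splitlines() if line.strip() in KNOWN_CAPS}


def negotiate(caps, allow_legacy=False):
    """Choose the content-encryption and digest algorithms for PKIOperation.

    A CA that advertises no AES or SHA-2 is either very old or answering
    GetCACaps incorrectly; refuse rather than downgrade unless the caller
    explicitly accepts triple DES / SHA-1. Single DES and MD5 are never used.
    """
    if "AES" in caps:
        cipher = "AES-128-CBC"      # the mode RFC 8894 ties to the "AES" keyword
    elif "DES3" in caps and allow_legacy:
        cipher = "3DES-CBC"
    else:
        raise ValueError("CA does not advertise AES; refusing weak fallback")
    if "SHA-512" in caps:
        digest = "SHA-512"
    elif "SHA-256" in caps:
        digest = "SHA-256"
    elif "SHA-1" in caps and allow_legacy:
        digest = "SHA-1"
    else:
        raise ValueError("CA does not advertise SHA-256/SHA-512; refusing weak fallback")
    # POSTPKIOperation lets the client send the PKCS#7 blob in a POST body instead
    # of base64 inside a GET URL, which avoids URL length limits and proxy logs.
    return {"cipher": cipher, "digest": digest, "use_post": "POSTPKIOperation" in caps}


class ChallengeStore:
    """CA-side one-time challenge passwords (in-memory, constructed for the example).

    A static fleet-wide secret lets anyone who learns it enroll arbitrary subjects.
    Binding each password to one subject, one use and a short lifetime limits
    what a leaked value is worth.
    """

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._pending = {}  # sha256(password) -> (expected subject, expiry time)

    def issue(self, subject, now=None):
        """Mint a fresh random password for one expected CSR subject."""
        now = time.time() if now is None else now
        password = secrets.token_urlsafe(24)
        key = hashlib.sha256(password.encode()).hexdigest()
        self._pending[key] = (subject, now + self.ttl)
        return password

    def redeem(self, password, subject, now=None):
        """Accept a CSR's challengePassword only if it is known, unexpired,
        unused, and was issued for the subject the CSR actually carries."""
        now = time.time() if now is None else now
        key = hashlib.sha256(password.encode()).hexdigest()
        entry = self._pending.get(key)
        if entry is None:
            return False
        expected_subject, expiry = entry
        if now > expiry:
            del self._pending[key]       # expired: drop it, never accept it
            return False
        if not hmac.compare_digest(expected_subject.encode(), subject.encode()):
            return False                 # wrong subject: reject, keep it for the real device
        del self._pending[key]           # single use: burn on success
        return True
```

The subject check is what stops a password issued for one phone from enrolling a certificate for an admin workstation; burning the password only on success, not on a mismatch, means an attacker who learns it but guesses the wrong subject cannot lock the legitimate device out.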
Comparison between SCEP and other protocols
SCEP vs EST: Enrollment over Secure Transport (EST, RFC 7030) is not an updated version of SCEP but a separate protocol designed to replace it for most uses. Both automate certificate enrollment and both carry PKCS#10 CSRs; the difference is where the security comes from. SCEP protects each message with its own PKCS#7 (CMS) signing and encryption and authenticates a new device with a shared secret (the challenge password) inside the CSR, which is why it can run over plain HTTP. EST runs only over TLS: the TLS session protects the messages, and the client authenticates with a TLS client certificate (for example a manufacturer-installed device certificate, or an earlier certificate when renewing) or, failing that, with an HTTP-level credential such as a username and password. EST also offers server-side key generation and CSR attribute discovery, which SCEP does not have.
SCEP vs ACME: Automated Certificate Management Environment (ACME, RFC 8555) also automates certificate issuance, but it solves a different problem. An ACME client holds an account key pair used to sign every request to the CA, and the CA issues a certificate only after the client proves control of the identifier being certified, usually a DNS name, by completing a challenge such as serving a token at a well-known HTTP URL or publishing it in a DNS TXT record. That fits public web servers (ACME is the protocol behind Let's Encrypt) rather than enrolling devices that have no public name to validate. SCEP instead authenticates the enrolling device with a challenge password and accepts the subject in the CSR, which suits internal, MDM-driven device certificates. SCEP is older and more widely implemented in network and MDM products, whereas EST and ACME are comparatively new.
SCEP vs CMP and CMC: Certificate Management Protocol (CMP, RFC 4210) and Certificate Management over CMS (CMC, RFC 5272) are full certificate life-cycle protocols with richer message sets than SCEP. SCEP covers initial enrollment, renewal with an existing certificate, and retrieval of certificates and CRLs, but it has no message for requesting revocation, so revocation has to be handled out of band by the CA operator. CMP and CMC cover enrollment as well as renewal, key update, revocation requests and status reporting, and CMC, like SCEP, is built on CMS (PKCS#7) structures. In practice CMP and CMC appear mostly in enterprise and telecom PKI deployments, while SCEP remains the lowest-common-denominator option supported by nearly every network device and MDM platform.