Education Center

Simple Certificate Enrollment Protocol (SCEP)

What is SCEP?

Simple Certificate Enrollment Protocol (SCEP) is an open source certificate management protocol to enable easier, scalable and secure certificate issuance. The primary characteristics of SCEP are as follows: 

  • The request/response model is based on HTTP and supports RSA-based cryptography.
  • Requires the use of ‘challenge password’ within the certificate signing request (CSR) which is shared between the server and the requester. 
  • Does not support certificate revocation online, and has limited Certificate Revocation List (CRL) retrieval support. 

How does SCEP work?

  • Gateway API URL: SCEP allows devices to communicate with PKI through API URL, and then the users can put this URL in the mobile device management (MDM) for sending a payload to devices for which the client certificates are to be enrolled.  
  • Shared Secret: A shared secret is a case-sensitive challenge password shared between the SECP server and the certificate authority (CA) to verify the CA with appropriate server for signing certificates. 
  • Certificate Request: After the SCEP gateway is set and the shared secret is exchanged between the server and the CA, a configuration profile is developed to allow auto-enrollment of certificates for managed devices. Once the CA authenticates, the signed certificate is deployed on the device. 
  • Signing Certificate: The MDMs require SCEP signing certificate which is signed by the CA and includes the entire certificate chain of trust (Root CA, Intermediate CA and the signing certificate). 

The SCEP enrollment and usage generally follows this workflow:

  1. Obtain and validate a copy of CA certificate
  2. Generate CSR and send it to CA 
  3. Poll the SCEP server to verify whether the certificate is signed 
  4. Re-enroll for obtaining new certificates before the existing certificate expires 
  5. Retrieve the CRL as needed, the preferred method is via a CRL distribution point (CDP) query

Let’s get you started on your certificate automation journey

Why is SCEP used?

Issuing public key infrastructure certificates requires extensive process of information exchange and approval procedures with a trusted certificate issuing entity or certificate authority (CA). SCEP helps in automating the entire process, thus making it simpler, easier and faster for the IT security teams to enroll and deploy certificates onto devices without any manual process. A device can easily enroll for certificates by using URL and a shared secret to communicate with CA. Mobile Device Management (MDM) systems like Microsoft Intune and Apple use SCEP for enrolling PKI certificates for the increasing number of smartphones and mobile devices.

Comparison between SCEP and other protocols

SCEP v/s EST: The updated version of SCEP is Enrollment over Secure Transport (EST) protocol, which is more secure and uses TLS certificates for client-side device authentication. Both these protocols are used to automate certificate enrollment procedures. The difference lies in the fact that SCEP uses shared secret protocol and CSRs for enrolling certificates, whereas EST uses TLS for authentication and securely transporting messages and certificates. 

SCEP v/s ACME: Automated Certificate Management Environment (ACME) is very similar to SCEP in regard to certificate management. ACME uses key pairs, also referred to as authorization keys, for validating the certificate authority and the organization. The ACME protocol allows the organizations to have their managed devices automatically place request for certificates from the certificate authority. The SCEP protocol is old and more widely recognized, whereas the EST and ACME protocols are relatively new. 

SCEP v/s CMP and CMC: Certificate Management Protocol (CMP) and Certificate Management over CMS (CMC) have structural similarities with SCEP, but these protocols manage different aspects of digital certificates. While SCEP handles the certificate enrollment and issuance, CMP and CMC deal with certificate management, which includes renewal, status and revocation. 

2023 EMA Report: SSL/TLS Certificate Security-Management and Expiration Challenges