SCEP

What is SCEP?

Simple Certificate Enrollment Protocol (SCEP) is an open source certificate management protocol designed to make certificate issuance easier, more scalable and more secure. The primary characteristics of SCEP are as follows:

  • The request/response model is based on HTTP and supports RSA-based cryptography.
  • Requires the use of a challenge password within the certificate signing request (CSR); the password is shared between the server and the requester.
  • Does not support online certificate revocation, and has only limited Certificate Revocation List (CRL) retrieval support.

Note: AppViewX does not inherently rely on Network Device Enrollment Service (NDES); instead, it uses its own built-in server for the SCEP protocol. This gives AppViewX the advantage of integrating seamlessly with any Certificate Authority, unlike NDES, which is primarily tied to Microsoft Active Directory Certificate Services (ADCS).

How does SCEP work?

  • Gateway API URL: SCEP allows devices to communicate with the PKI through an API URL. Users place this URL in the mobile device management (MDM) system, which sends it in a payload to the devices for which client certificates are to be enrolled.
  • Shared Secret: A shared secret is a case-sensitive challenge password shared between the SCEP server and the certificate authority (CA); it is used to verify the CA against the appropriate server before certificates are signed.
  • Certificate Request: After the SCEP gateway is set up and the shared secret has been exchanged between the server and the CA, a configuration profile is created to allow automatic enrollment of certificates for managed devices. Once the CA authenticates the request, the signed certificate is deployed to the device.
  • Signing Certificate: The MDMs require a SCEP signing certificate that is signed by the CA and includes the entire certificate chain of trust (root CA, intermediate CA and the signing certificate).

The SCEP enrollment and usage generally follows this workflow:

  1. Obtain and validate a copy of the CA certificate.
  2. Generate a CSR and send it to the CA.
  3. Poll the SCEP server to verify whether the certificate has been signed.
  4. Re-enroll to obtain a new certificate before the existing certificate expires.
  5. Retrieve the CRL as needed; the preferred method is a CRL distribution point (CDP) query.
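The client side of steps 1 to 3, as an added example that is not part of the original page or of AppViewX's product: it builds the SCEP operation URLs, parses the server's GetCACaps answer to pick SHA-2 and AES over the legacy defaults, validates the fetched CA certificate against a fingerprint obtained out of band, and interprets the pkiStatus returned while polling. The base URL, CA identifier and sample responses are constructed, and only the Python standard library is used.

```python
import hashlib
import hmac
from urllib.parse import urlencode
# GetCACaps keywords (RFC 8894, section 3.5.2), strongest hash first
STRONG_HASHES = ("SHA-512", "SHA-256")
# failInfo values a CertRep carries with pkiStatus FAILURE (RFC 8894, section 3.2.1)
FAIL_INFO = {"0": "badAlg", "1": "badMessageCheck", "2": "badRequest",
             "3": "badTime", "4": "badCertId"}

def scep_url(base, operation, message=None):
    """Build the GET URL for a SCEP operation such as GetCACaps or GetCACert."""
    params = {"operation": operation}
    if message is not None:
        params["message"] = message   # e.g. the CA identifier for GetCACert
    return base + "?" + urlencode(params)

def parse_ca_caps(body):
    """GetCACaps answers with one capability keyword per line (CRLF or LF)."""
    return {line.strip() for line in body.splitlines() if line.strip()}

def choose_algorithms(caps):
    """Pick the strongest hash the server advertises and require AES; without
    SHA-2 and AES the client would fall back to the MD5/DES SCEP defaults."""
    hash_alg = next((h for h in STRONG_HASHES if h in caps), None)
    if hash_alg is None or "AES" not in caps:
        raise ValueError("server offers only legacy algorithms; refusing to enroll")
    return {"hash": hash_alg, "cipher": "AES",
            "post": "POSTPKIOperation" in caps, "renewal": "Renewal" in caps}

def fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate, lower-case hex."""
    return hashlib.sha256(der).hexdigest()

def ca_cert_trusted(der, expected_sha256):
    """Step 1: GetCACert runs over plain HTTP; check against an out-of-band fingerprint."""
    expected = expected_sha256.replace(":", "").lower()
    return hmac.compare_digest(fingerprint(der), expected)

def poll_decision(pki_status, fail_info=None):
    """Step 3: map the pkiStatus of a CertRep to the client's next action."""
    if pki_status == "0":
        return "install"              # SUCCESS: the certificate is enclosed
    if pki_status == "3":
        return "poll"                 # PENDING: retry later with GetCertInitial
    if pki_status == "2":
        return "fail:" + FAIL_INFO.get(fail_info, "unknown")
    raise ValueError("unexpected pkiStatus %r" % pki_status)

# Constructed sample input: a GetCACaps body and a stand-in for a DER certificate
SAMPLE_CAPS = "AES\r\nPOSTPKIOperation\r\nSHA-256\r\nRenewal\r\nSCEPStandard\r\n"
SAMPLE_CA_DER = b"constructed stand-in, not a real certificate"
```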

Why is SCEP used?

Issuing public key infrastructure certificates requires an extensive process of information exchange and approval with a trusted certificate issuing entity or certificate authority (CA). SCEP automates the entire process, making it simpler, easier and faster for IT security teams to enroll and deploy certificates onto devices without any manual steps. A device can enroll for certificates simply by using a URL and a shared secret to communicate with the CA. Mobile Device Management (MDM) systems such as Microsoft Intune and Apple use SCEP to enroll PKI certificates for the increasing number of smartphones and mobile devices.

The SCEP protocol service can be configured in AppViewX to enable communication between the clients (device endpoints) and the AppViewX northbound services that process client requests such as certificate enrollment and renewal. Once the protocol service is enabled, AppViewX acts as a registration authority (RA), receiving and serving the client requests. The protocol must be enabled as an HTTP service.

What's Next?