SCEP stands for Simple Certificate Enrollment Protocol and is a certificate management protocol that lets IT administrators issue certificates to devices automatically. Public key infrastructure (PKI) certificate issuance requires a process for exchanging information with a trusted Certificate Authority (CA) like Sectigo so that the CA can verify that the requester is entitled to the identity (for example a device or host name) named in the certificate before issuance is completed. SCEP standardizes that exchange: the device contacts the CA, or a registration authority in front of it, at a known URL and proves its entitlement with a shared secret (the challenge password) that the administrator provisioned in advance and that travels inside the certificate request. This makes it faster and easier for IT teams to enroll certificates on devices than communicating this information manually. Because that secret is all that ties a request to an authorized device, it should be generated per device and treated as a one-time credential rather than reused across a fleet.
SCEP has been around for a long time: it began as a Cisco-led Internet-Draft and was eventually published as RFC 8894 in 2020, and it has gained significant traction with businesses. As the protocol carries no licensing fees and takes IT teams very little time to configure and execute, it has become an almost ubiquitous component of enterprise security.
SCEP is commonly applied to a number of certificate use cases. Notably, Mobile Device Management (MDM) systems like Microsoft Intune and Apple MDM use SCEP for PKI certificate enrollment on the growing number of mobile devices and smartphones used by business employees. These certificates let mobile devices authenticate connections between apps and enterprise systems and resources. Most networking gear, including routers, load balancers, wireless access points, VPN devices, and firewalls, also supports SCEP for certificate enrollment.
The protocol is supported on the most common server and device operating systems, including Microsoft Windows, Linux, and Apple iOS and macOS, as well as in Active Directory environments (Microsoft's Network Device Enrollment Service, NDES, is the SCEP front end for Active Directory Certificate Services). You can leverage Sectigo's SCEP server to manage your certificates across all of the device use cases and OS and directory environments you may use in your organization.
While public key infrastructure offers a strong authentication and encryption solution for digital identity, the complexity and scale of certificate deployment in most enterprises is a challenge for busy IT teams. Manually deploying and managing certificates is time-consuming and error-prone. The end-to-end process of issuing, configuring, and deploying a single certificate by hand can take hours, and an enterprise may be managing anything from one certificate on a Wi-Fi router to millions of certificates across all the networked devices and user identities it supports. As a result, businesses are exposed to unnecessary risk of sudden outages or failures of critical business systems, along with breaches and Man-in-the-Middle (MITM) attacks.
Additionally, manual certificate management puts enterprises at significant risk because it increases the likelihood that a certificate is forgotten until it expires, or that gaps in ownership occur when staff change. Given the many pitfalls of managing PKI certificates by hand, enterprises need the automated enrollment standard that the Simple Certificate Enrollment Protocol provides so that certificates are correctly issued and configured on large numbers of devices without human intervention. This automation reduces risk and lets IT departments control operational costs.
The SCEP enrollment process standardizes the information exchange with the Certificate Authority required to authenticate the certificate request and to issue the certificate. The key elements of this process are:
Here are the SCEP enrollment process steps to establish automatic certificate enrollment for a typical certificate management platform or MDM:
Then, once the CA (or its registration authority) has verified the request, including the challenge password it carries, it returns a certificate signed by the CA, which is installed on the device.
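The URL-plus-shared-secret exchange described at the start of this page and the enrollment steps above, shown from the client side as an added example (this is not Sectigo's code nor any SCEP server's; it is written here to illustrate the protocol). It uses POSIX shell and the OpenSSL command line: the enrollment secret is placed in the PKCS#10 challengePassword attribute of the CSR, and the GET operations (GetCACaps, GetCACert) are built the way RFC 8894 describes them. The endpoint URL, subject name and secret are placeholders, and the GetCACaps response is a constructed sample. The example stops short of wrapping the CSR in the signed-and-encrypted PKCS#7 PKIOperation envelope, which a real client would send next.

```shell
#!/bin/sh
# Added example, not code from Sectigo or from any SCEP implementation.
# Placeholders: https://scep.example.com/scep (endpoint), the CN and the secret.
set -eu

# Build the URL for a SCEP GET operation (RFC 8894 section 4.1): the CA/RA
# endpoint takes an `operation` parameter and, for some operations, a `message`.
scep_url() {
    base="$1"; op="$2"; msg="${3:-}"
    if [ -n "$msg" ]; then
        printf '%s?operation=%s&message=%s\n' "$base" "$op" "$msg"
    else
        printf '%s?operation=%s\n' "$base" "$op"
    fi
}

# Given the plain-text body of a GetCACaps response (one capability per line),
# pick the strongest hash the CA advertises and whether PKIOperation may use
# POST. When the CA advertises nothing, a client has to fall back to the
# legacy MD5/GET behaviour, which is exactly why checking capabilities matters.
choose_caps() {
    caps=$(printf '%s' "$1" | tr -d '\r')   # tolerate CRLF line endings
    hash=MD5
    printf '%s\n' "$caps" | grep -qxF 'SHA-1'   && hash=SHA1
    printf '%s\n' "$caps" | grep -qxF 'SHA-256' && hash=SHA256
    printf '%s\n' "$caps" | grep -qxF 'SHA-512' && hash=SHA512
    method=GET
    printf '%s\n' "$caps" | grep -qxF 'POSTPKIOperation' && method=POST
    printf '%s %s\n' "$hash" "$method"
}

# Write a PKCS#10 CSR whose challengePassword attribute carries the enrollment
# secret the administrator configured on the CA/RA. Prints the CSR path.
# Note that the secret is written in clear to the OpenSSL config file, so the
# work directory should be private and removed after enrollment.
#   $1 = subject CN, $2 = shared secret, $3 = private work dir
make_scep_csr() {
    cn="$1"; secret="$2"; dir="$3"
    cat > "$dir/scep.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = req_dn
attributes = req_attrs

[ req_dn ]
CN = $cn

[ req_attrs ]
challengePassword = $secret
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/scep.cnf" \
        -keyout "$dir/device.key" -out "$dir/device.csr" 2>/dev/null
    echo "$dir/device.csr"
}

# Check that a CSR really carries the challengePassword attribute before it is
# wrapped into the PKIOperation envelope; exit status 0 means present.
csr_has_challenge() {
    openssl req -in "$1" -noout -text | grep -q 'challengePassword'
}

# Demonstration run with placeholder values.
WORK=$(mktemp -d)
CSR=$(make_scep_csr "device-0001.example.com" "otp-3f9c1d" "$WORK")
csr_has_challenge "$CSR" && echo "CSR carries challengePassword"
scep_url "https://scep.example.com/scep" GetCACaps
scep_url "https://scep.example.com/scep" GetCACert ca
# Constructed GetCACaps body; a real client would fetch it from the first URL above.
choose_caps "$(printf 'POSTPKIOperation\nSHA-256\nRenewal\n')"
rm -rf "$WORK"
```

In practice the client would first fetch GetCACaps and GetCACert, verify the returned CA certificate against an out-of-band trust anchor (an MDM profile usually ships a fingerprint for this), and only then sign and encrypt the CSR for the PKIOperation request using the hash and transport that `choose_caps` selected.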
When setting up a SCEP server, there are a number of certificate properties that the administrator can set in the certificate configuration profile to customize the SCEP implementation. These include things like the following:
Sectigo recognizes the complexity and scale of most enterprise certificate needs. Enterprises rely on PKI certificates to authenticate and encrypt everything from web servers, both in the cloud and on-premises, to networked devices, mobile devices, user identities, email systems, network appliances, IoT devices, DevOps environments, digital signatures, and more. Sectigo offers device certificates that support SCEP alongside SSL/TLS, Code Signing, S/MIME, and other X.509 certificates that protect critical business systems, so enterprises also need a way to automate the end-to-end certificate lifecycle at scale. Sectigo Certificate Manager supports SCEP to deliver automated certificate lifecycle management.
Sectigo Certificate Manager (SCM) provides a single-pane-of-glass management interface that integrates with enterprise device management platforms like Microsoft Intune and Apple MDM, speeding and simplifying the discovery, issuance, deployment, and renewal of all certificates. SCM lets you issue device certificates over SCEP by creating configuration profiles that are pushed to target devices; the configuration profile can be created with software such as the Apple iOS configuration utility.
To issue device certificates through SCEP, you create new device certificate profiles and enable them for SCEP enrollment. Each device certificate profile is assigned a Profile ID that identifies it when it is applied to devices.
The process must meet these prerequisites to succeed:
Typically, the process involves the following:
For a complete guide to SCEP configuration using Sectigo Certificate Manager, go to the Sectigo Knowledge Base and refer to the Sectigo Certificate Manager Administration Guides.
For details on the values of the parameters to be specified in the configuration profile, contact us.