What Is a SCEP Server?
Defining the SCEP Server. How Does the SCEP Protocol Work?
SCEP is designed to make the issuing of digital certificates as scalable as possible, so that any standard network user can request a digital certificate electronically and as simply as possible, without putting a lot of pressure on the network administrators.
What Is SCEP?
Simple Certificate Enrollment Protocol is used by numerous manufacturers of network equipment and software that are developing simplified ways of handling certificates for large-scale deployment to everyday users, and it is referenced in other industry standards.
SCEP is the most widely tested and most widely used certificate enrollment protocol, with most PKI software supporting it, including the Network Device Enrollment Service (NDES) of Active Directory Certificate Services.
The Importance of Having SCEP
Simple Certificate Enrollment Protocol is usually applied to a number of certificate use cases. Mobile Device Management (MDM) systems such as Microsoft Intune and Apple MDM use it for PKI certificate enrollment on the mobile devices and smartphones used by business employees.
This way, mobile devices are able to authenticate connections between apps and enterprise systems and resources.
Why Should You Use SCEP?
Public key infrastructure offers the strongest and easiest authentication and cryptographic solution for digital identity, but the complexity and scale of certificate deployment in most enterprises can become a challenge for IT teams.
Manually deploying and managing certificates is time-consuming and error-prone, with the end-to-end process of issuing, configuring, and deploying a certificate taking up to several hours. Lack of time and the use of public infrastructure leave businesses exposed to unnecessary risk: sudden outages or failure of critical business systems, as well as breaches and MITM attacks.
How Does SCEP Work?
SCEP instructs devices how to communicate with the PKI through a Gateway API URL. Customers using SecureW2 can easily generate a SCEP Gateway API URL with SecureW2's software and then put this URL in their MDM, which sends a payload to the devices that should enroll themselves for client certificates.
SCEP Shared Secret
The Shared Secret is a case-sensitive password entrusted to both the SCEP server and the Certificate Authority (CA); it lets the CA verify that it is signing certificates for the right server.
SCEP Certificate Request
Once the SCEP gateway is set up and the Shared Secret is shared between the SCEP server and the CA, you can create and distribute a configuration profile that allows managed devices to auto-enroll for certificates: the device sends a certificate enrollment request through the SCEP gateway to the CA, and the signed certificate is deployed back onto the device.
SCEP Signing Certificate
Most MDMs require you to upload a SCEP signing certificate, signed by the CA that issues the certificates, together with the entire certificate chain (signing certificate, intermediate CA, root CA).
Simple Certificate Enrollment Protocol Integration
Microsoft WSTEP Protocol
Developed by Microsoft, the WS-Trust X.509v3 Token Enrollment Extensions Protocol (WSTEP) has the same basic premise as SCEP: creating a secure connection between the MDM and devices for sending data. While SCEP works for most MDMs, it does not work with Microsoft GPO.
Integrating SCEP and Microsoft Intune
While Microsoft GPO may not natively support SCEP, Microsoft Intune can be configured to distribute certificates with SCEP. Through the gateway, devices receive configuration profiles that let them request to enroll themselves for certificates.
Configuring Intune to work with SCEP is quite similar to how most MDMs use our SCEP Gateway API.
Certificate Device Wi-Fi Authentication
SCEP automates the certificate enrollment process, so authentication with EAP-TLS (Extensible Authentication Protocol with TLS) is streamlined, saving a lot of time and resources for the many organizations that use MDMs.
It is well known that manual certificate management puts enterprises at significant risk, because it increases the likelihood that certificates are forgotten until they expire or that gaps occur in their ownership.
With so many potential pitfalls in managing PKI certificates manually, enterprises should automate certificate enrollment with a standard protocol.
Simple Certificate Enrollment Protocol is a good way to make sure that certificates are correctly issued and configured on a large number of devices without human intervention. This automation helps reduce risk and allows IT departments to control operational costs.