Introduction


Simple Certificate Enrolment Protocol (SCEP) is a protocol for certificate enrolment, certificate renewal, and certificate and CRL queries for infrastructure devices (e.g. routers, switches, firewalls, VPN devices) in a closed PKI environment. SCEP was originally developed by Cisco and is documented in an Internet Engineering Task Force (IETF) Draft. A very good article on the Cisco website explains how SCEP works in greater depth. We recommend that you study the following articles if you are not already familiar with the SCEP protocol:



Web RA supports SCEP so that infrastructure devices can be enrolled and managed through a single Web RA Registration Authority.

How does it work?


Enrolment and usage of SCEP generally follow this workflow:


  1. Obtain a copy of the Certificate Authority (CA) certificate and validate it.
  2. Generate a CSR in the device and send it securely to the CA.
  3. Poll the SCEP server in order to check whether the certificate was signed.
  4. Re-enrol as necessary in order to obtain a new certificate prior to the expiration of the current certificate.
  5. Retrieve the CRL as necessary.


The device enrolment in Web RA requires the following configurations:


  1. The Device Enrolment configuration enables the SCEP service in Web RA.
  2. The configuration requires the SCEP Server PFX and its password, the SCEP Server Certificate, the SCEP Server Web RA URL and the Challenge type.
  3. Once configured, the Web RA SCEP Server starts processing the requests coming from the infrastructure devices.


Device Enrolment Configuration


The configuration page contains the following fields, each listed with its description:

Enable Simple Certificate Enrolment Protocol (SCEP)
  Tick this checkbox to enable the SCEP functionality.

SCEP Server Encryption Auth Key (PFX)
  When a device issues a GetCACert request, this certificate is returned to the device. The device uses it to encrypt its communication with the RA application.
  Note that once the SCEP option is enabled, it is available to every user in every enterprise, and they can use SCEP to obtain device certificates through the Web RA web portal.

SCEP Server Encryption Auth Key (PFX) Password
  Password used to decrypt the key so that the application can use it.

Challenge Type
  SCEP provides an additional layer of security using a challenge value. The device places this challenge in its CSR, and Web RA verifies it as part of request validation. There are three challenge password options:

  • None - No challenge password is required in the CSR sent by the device.
  • Fixed - The administrator sets a fixed challenge password, which is used for every device in every enterprise. In short, this is the application-level challenge password for all registered devices.
  • Random - The SCEP Server generates a unique challenge password for each device when the device is registered in Web RA, and the device must pass this password in its request to obtain the certificate.

SCEP URL
  The SCEP URL that devices use to communicate with Web RA.
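As an added illustration (not Web RA's own code), the following Python models how a SCEP server might validate the challengePassword attribute taken from a device CSR under the three Challenge Type settings described above. The class, method and device names are hypothetical, and treating a Random challenge as one-time use is an assumption made here, not documented Web RA behaviour.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# The three Challenge Type settings described above.
CHALLENGE_NONE = "None"
CHALLENGE_FIXED = "Fixed"
CHALLENGE_RANDOM = "Random"


@dataclass
class ScepChallengePolicy:
    """Hypothetical server-side model of the Web RA 'Challenge Type' setting."""
    challenge_type: str
    fixed_password: Optional[str] = None  # used only when challenge_type is Fixed
    # Random: outstanding challenge per registered device (device_id -> challenge).
    # Treated as one-time use here, which is an assumption, not documented behaviour.
    pending: Dict[str, str] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.challenge_type not in (CHALLENGE_NONE, CHALLENGE_FIXED, CHALLENGE_RANDOM):
            raise ValueError(f"unknown challenge type: {self.challenge_type}")
        if self.challenge_type == CHALLENGE_FIXED and not self.fixed_password:
            raise ValueError("Fixed challenge type requires a fixed password")

    def register_device(self, device_id: str) -> Optional[str]:
        """Random mode: issue a unique challenge when the device is registered."""
        if self.challenge_type != CHALLENGE_RANDOM:
            return None  # nothing to hand out for None or Fixed
        challenge = secrets.token_urlsafe(24)  # unpredictable, unique per device
        self.pending[device_id] = challenge
        return challenge

    def verify(self, device_id: str, csr_challenge: Optional[str]) -> bool:
        """Check the challengePassword attribute extracted from the device's CSR."""
        if self.challenge_type == CHALLENGE_NONE:
            return True  # no challenge expected in the CSR
        if csr_challenge is None:
            return False  # Fixed and Random both require the attribute
        if self.challenge_type == CHALLENGE_FIXED:
            expected = self.fixed_password
        else:
            expected = self.pending.get(device_id)
            if expected is None:
                return False  # unknown device, or its challenge was already consumed
        # Constant-time comparison so response timing does not leak the secret.
        ok = hmac.compare_digest(csr_challenge.encode(), expected.encode())
        if ok and self.challenge_type == CHALLENGE_RANDOM:
            del self.pending[device_id]  # consume it: a replayed CSR is rejected
        return ok
```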