Simple Certificate Enrolment Protocol (SCEP) is a protocol for certificate enrolment, certificate renewal, and certificate and CRL queries for infrastructure devices (e.g. routers, switches, firewalls, VPN devices) in a closed PKI environment. SCEP was originally developed by Cisco and is documented in an Internet Engineering Task Force (IETF) Draft. A very good article on the Cisco website explains how SCEP works in more depth. If you are not yet familiar with SCEP, we recommend that you study the following articles:




ADSS Web RA supports SCEP so that infrastructure devices can be enrolled and managed through a single Registration Authority in Web RA.


How does it work?


Enrolment and usage of SCEP generally follows this workflow:

  1. Obtain a copy of the Certificate Authority (CA) certificate and validate it.
  2. Generate a CSR in the device and send it securely to the CA.
  3. Poll the SCEP server in order to check whether the certificate was signed.
  4. Re-enrol as necessary in order to obtain a new certificate prior to the expiration of the current certificate.
  5. Retrieve the CRL as necessary.


Device enrolment in ADSS Web RA requires the following configuration:

  1. The Device Enrolment configuration enables the SCEP service in Web RA.
  2. The configuration requires the SCEP Server PFX and its password, the SCEP Server Certificate, the SCEP Server ADSS Web RA URL and the Challenge type.
  3. Once configured, the ADSS Web RA SCEP Server starts processing the requests coming from the infrastructure devices.


Simple Certificate Enrolment Protocol

Field: Enable Simple Certificate Enrolment Protocol (SCEP)
Description: Tick this checkbox to enable the SCEP functionality.

Field: SCEP Server Encryption Auth Key (PFX)
Description: When a device issues the GetCACert request, this certificate is returned to the device. The device uses this certificate to encrypt its communication with the RA application.
Note that once the SCEP option is enabled, it is available to every user in each enterprise, and they can use SCEP to obtain device certificates from the ADSS Web RA Web portal.

Field: SCEP Server Encryption Auth Key (PFX) Password
Description: Password used to decrypt the PFX so that the application can use the key.

Field: Challenge Type
Description: SCEP provides an additional layer of security through the challenge value. The device places this challenge in its CSR and ADSS Web RA verifies it as part of request validation. There are three challenge password options:

  • None - No challenge password is required in the CSR request from the device.
  • Fixed - The administrator sets a fixed challenge password, which is used for every device in every enterprise. In short, this is an application-level challenge password shared by all registered devices.
  • Random - The SCEP Server generates a unique challenge password for each device when the device is registered in the ADSS Web RA Web portal, and the device must present this password in its request to obtain the certificate.

Field: SCEP URL
Description: The SCEP URL that devices use to communicate with the Web RA.
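The three Challenge Type options above differ in how the RA checks the challengePassword attribute (PKCS#9 OID 1.2.840.113549.1.9.7) carried in the device CSR. The following is an added illustration of that RA-side check, not ADSS Web RA's own code; it assumes the challenge type is configured as one of "none", "fixed" or "random", that a Random challenge is issued at device registration, and (as an assumption beyond the text) that a Random challenge is accepted only once.

```python
import hashlib
import hmac
import secrets

# Constructed illustration of RA-side challengePassword verification for the
# three SCEP challenge types. Not ADSS Web RA code.

CHALLENGE_PASSWORD_OID = "1.2.840.113549.1.9.7"  # PKCS#9 challengePassword


class ChallengeVerifier:
    def __init__(self, challenge_type, fixed_password=None):
        if challenge_type not in ("none", "fixed", "random"):
            raise ValueError("unknown challenge type")
        if challenge_type == "fixed" and not fixed_password:
            raise ValueError("fixed challenge type requires a password")
        self.challenge_type = challenge_type
        self._fixed = fixed_password
        # device_id -> SHA-256 of the outstanding one-time challenge (assumption)
        self._pending = {}

    def register_device(self, device_id):
        """Random type: issue a unique per-device challenge at registration."""
        if self.challenge_type != "random":
            return None
        challenge = secrets.token_urlsafe(24)
        self._pending[device_id] = hashlib.sha256(challenge.encode()).digest()
        return challenge

    def verify(self, device_id, presented):
        """Return True if the challenge taken from the CSR is acceptable."""
        if self.challenge_type == "none":
            return True              # no challenge required in the CSR
        if presented is None:
            return False             # Fixed/Random: challenge is mandatory
        if self.challenge_type == "fixed":
            # Same application-level secret for every device; compare in
            # constant time so the check does not leak via timing.
            return hmac.compare_digest(presented.encode(), self._fixed.encode())
        expected = self._pending.get(device_id)
        if expected is None:
            return False             # device not registered or already enrolled
        digest = hashlib.sha256(presented.encode()).digest()
        ok = hmac.compare_digest(digest, expected)
        if ok:
            del self._pending[device_id]   # consume it: a replay is rejected
        return ok
```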


The following screenshot shows the Device Enrolment section of the configurations menu: