Simple Certificate Enrolment Protocol (SCEP)
Simple Certificate Enrolment Protocol (SCEP) is a protocol for certificate enrolment, certificate renewal, and certificate and CRL queries for infrastructure devices (e.g. routers, switches, firewalls, VPN devices) in a closed PKI environment. SCEP was originally developed by Cisco and is documented in an Internet Engineering Task Force (IETF) Draft. A very good article on the Cisco website explains how SCEP works in greater depth. We recommend studying the following articles if you are not familiar with the SCEP protocol:
ADSS Web RA supports SCEP so that infrastructure devices can be enrolled and managed through a single Registration Authority in Web RA.
Enrolment and usage of SCEP generally follow this workflow:
- Obtain a copy of the Certificate Authority (CA) certificate and validate it.
- Generate a CSR on the device and send it securely to the CA.
- Poll the SCEP server to check whether the certificate has been signed.
- Re-enrol as necessary to obtain a new certificate before the current certificate expires.
- Retrieve the CRL as necessary.
Device enrolment in ADSS Web RA requires the following configuration:
- The Enrolment Protocol(s) configuration enables the SCEP service on the ADSS Web RA Server.
- The configuration requires the SCEP Server PFX and its password, the SCEP Server Certificate, the SCEP Server ADSS Web RA URL and the Challenge type.
- Once configured, the ADSS Web RA SCEP Server starts processing the requests coming from the infrastructure devices.
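Added example, not code from the ADSS Web RA documentation or product: a stdlib-only Python sketch of the client side of the first workflow step, building operation URLs against the configured SCEP URL, parsing the server's GetCACaps capability list, refusing the legacy MD5/DES defaults, and checking the downloaded CA certificate against a fingerprint obtained out of band. The GetCACaps operation and its capability tokens come from the SCEP specification rather than this page; the host name, capability list and certificate bytes below are constructed.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed sample: a GetCACaps response body (one capability token per line).
SAMPLE_CAPS = "AES\nPOSTPKIOperation\nRenewal\nSHA-256\nSHA-1\nDES3\n"
# Constructed stand-in for the DER bytes returned by GetCACert (not a real certificate).
SAMPLE_CA_DER = b"\x30\x82\x01\x0a\x30\x81\xf1\xa0\x03\x02\x01\x02CONSTRUCTED"

DIGEST_PREFERENCE = ("SHA-512", "SHA-256")  # SHA-1 and the MD5 default are refused


def scep_operation_url(scep_url, operation, message=None):
    """Build the HTTP GET URL for one SCEP operation against the configured SCEP URL."""
    params = {"operation": operation}
    if message is not None:
        params["message"] = message  # e.g. a CA identifier for GetCACert
    return f"{scep_url}?{urlencode(params)}"


def parse_ca_caps(body):
    """Turn the plain-text GetCACaps body into a set of capability tokens."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def negotiate(caps):
    """Select digest, cipher and transport from the advertised capabilities.
    An empty or legacy-only set would mean the protocol's MD5/DES defaults, so reject it."""
    digest = next((d for d in DIGEST_PREFERENCE if d in caps), None)
    if digest is None:
        raise ValueError("no SHA-2 digest advertised; refusing MD5/SHA-1 fallback")
    if "AES" in caps:
        cipher = "AES"
    elif "DES3" in caps:
        cipher = "DES3"
    else:
        raise ValueError("neither AES nor DES3 advertised; refusing single-DES fallback")
    return {"digest": digest, "cipher": cipher,
            "post": "POSTPKIOperation" in caps, "renewal": "Renewal" in caps}


def ca_fingerprint(der_bytes):
    """SHA-256 fingerprint of the CA certificate as colon-separated upper-case hex."""
    raw = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(raw[i:i + 2] for i in range(0, len(raw), 2))


def verify_ca_fingerprint(der_bytes, expected):
    """Constant-time comparison of the downloaded CA certificate against an
    out-of-band fingerprint (colons, spaces and case ignored) before trusting it."""
    def normalise(s):
        return s.replace(":", "").replace(" ", "").upper()
    return hmac.compare_digest(normalise(ca_fingerprint(der_bytes)), normalise(expected))
```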
Simple Certification Enrolment Protocol
Expand Configurations > Enrolment Protocol(s) > SCEP Protocol.
| Field | Description |
| --- | --- |
| Enable Simple Certification Enrolment Protocol (SCEP) | Select this checkbox to enable the SCEP functionality. |
| SCEP Server Encryption Auth Key (PFX) | When a device issues the GetCACert request, this certificate is returned to the device, which then uses it to encrypt its communication with the RA application. Note that once the SCEP option is enabled, it is available to every user in each enterprise, and they can use SCEP to obtain device certificates from the ADSS Web RA web portal. |
| SCEP Server Encryption Auth Key (PFX) Password | Password used to decrypt the key so that the application can use it. |
| SCEP URL | The SCEP URL that the devices use to communicate with the ADSS Web RA Server. |
Following is a screenshot of the Enrolment Protocol(s) section > SCEP in the Configurations menu:
Microsoft Intune SCEP
Microsoft Intune SCEP (Simple Certificate Enrolment Protocol) is a feature that allows devices and users to request and obtain digital certificates from a Certificate Authority (CA) for secure authentication.
| Field | Description |
| --- | --- |
| Enable Microsoft Intune SCEP | Select this checkbox to enable the Intune SCEP functionality. |
| SCEP Server Encryption Auth Key (PFX) | When a device issues the GetCACert request, this certificate is returned to the device, which then uses it to encrypt its communication with the RA application. |
| SCEP Server Encryption Auth Key (PFX) Password | Password used to decrypt the key so that the application can use it. |
| HTTPS SCEP URL | The SCEP URL that the devices use to communicate with ADSS Web RA. |
Following is a screenshot of the Enrolment Protocol(s) section > Microsoft Intune SCEP in the Configurations menu: