Simple Certificate Enrollment Protocol
Simple Certificate Enrollment Protocol (SCEP) is described by the informational RFC 8894. Older versions of this protocol became a de facto industry standard for pragmatic provisioning of digital certificates, mostly for network equipment. The protocol was designed to make requesting and issuing digital certificates as simple as possible for any standard network user. These processes have usually required intensive input from network administrators, and so have not been suited to large-scale deployments.


Popularity

The Simple Certificate Enrollment Protocol is still the most popular and widely available certificate enrollment protocol, being used by numerous manufacturers of network equipment and software who are developing simplified means of handling certificates for large-scale deployment to everyday users. It is used, for example, by the Cisco Internetwork Operating System (IOS), though Cisco now promotes Enrollment over Secure Transport (EST), which has additional features, and by iPhones (iOS) to enroll in an enterprise public key infrastructure (PKI). Most PKI software (specifically RA implementations) supports it, including the Network Device Enrollment Service (NDES) of Active Directory Certificate Services, and Intune.


Criticism

* Legacy versions of SCEP, which are still employed in the vast majority of implementations, are limited to enrolling certificates for RSA keys only.
* Due to the use of the self-signed PKCS#10 format for Certificate Signing Requests (CSRs), certificates can be enrolled only for keys that support (some form of) signing. This limitation is shared by other enrollment protocols based on PKCS#10 CSRs, e.g., EST and ACME, and even by the web-based enrollment workflow of most PKI software, where the requester starts by generating a key pair and a CSR in PKCS#10 format. For example ACME, which also uses PKCS#10, issues TLS certificates, which by definition must be capable of signing for the TLS handshake. However, this distinction is so far mostly theoretical, since in practice all algorithms commonly used with certificates support signing. This may change with post-quantum cryptography, where some keys only support key encapsulation (KEM). The CRMF format, as used by the Certificate Management Protocol (CMP) and CMC, is more flexible here, supporting also keys that are usable for encryption only.
* Although proof-of-origin of certificate enrollment requests, i.e., authentication of the certificate requester, is the most critical security requirement, for pragmatic reasons its support is not strictly required within SCEP. Signature-based client authentication using an already existing certificate would be the preferred mechanism, but in many use cases it is not possible or not supported by the given deployments. As an alternative, SCEP just provides the use of a shared secret, which should be client-specific and used only once.
* The confidentiality of the shared secret optionally used for source authentication is fragile, because it must be included in the 'challengePassword' field of the CSR, which is then protected only by an outer encryption. It would have been more secure to use a password-based MAC algorithm such as HMAC.
* Encrypting the whole PKCS#10 structure in order to protect the 'challengePassword' field (which is used for self-contained source authentication) has a further drawback: the whole CSR becomes unreadable for all parties except the intended ultimate receiver (the CA), although most of its content is not confidential. So the PKCS#10 structure cannot be checked by intermediate agents such as an RA.
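As an added example (not code from this page, from RFC 8894 or from any SCEP implementation), the following Python models the three shared-secret points above: it DER-encodes the PKCS#9 challengePassword attribute exactly as it sits inside the PKCS#10 request, keeps a CA-side table of client-specific, single-use secrets, and contrasts SCEP's transmit-the-secret check with the keyed-MAC alternative. The CSR body, the client names and the ChallengeRegistry class are constructed stand-ins; the outer CMS encryption SCEP applies is not modelled.

```python
import hashlib
import hmac
import secrets

# PKCS#9 challengePassword attribute type: OID 1.2.840.113549.1.9.7, DER-encoded.
OID_CHALLENGE_PASSWORD = bytes.fromhex("2A864886F70D010907")


def der_length(n: int) -> bytes:
    """DER length octets, short form below 128 and long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    """Tag-length-value for a single DER element."""
    return bytes([tag]) + der_length(len(body)) + body


def challenge_password_attribute(password: str) -> bytes:
    """Attribute ::= SEQUENCE { type OBJECT IDENTIFIER, values SET OF UTF8String }.

    SCEP places the shared secret in clear inside the PKCS#10 request; only the
    CMS EnvelopedData wrapped around the whole CSR protects it in transit, which
    is why an RA cannot read the CSR and why the secret must be single-use.
    """
    value = der(0x0C, password.encode("utf-8"))  # UTF8String
    return der(0x30, der(0x06, OID_CHALLENGE_PASSWORD) + der(0x31, value))


def extract_challenge_password(attribute: bytes) -> str:
    """What the CA does after decrypting the envelope. Assumes the short-form
    layout produced by challenge_password_attribute (total length < 128)."""
    if attribute[0] != 0x30 or attribute[1] != len(attribute) - 2:
        raise ValueError("not a short-form SEQUENCE")
    if attribute[2:13] != b"\x06\x09" + OID_CHALLENGE_PASSWORD:
        raise ValueError("not a challengePassword attribute")
    if attribute[13] != 0x31 or attribute[15] != 0x0C:
        raise ValueError("unexpected value encoding")
    length = attribute[16]
    return attribute[17:17 + length].decode("utf-8")


def mac_over_csr(secret: str, csr_info: bytes) -> bytes:
    """Client side of the MAC alternative: HMAC-SHA256 over the request body."""
    return hmac.new(secret.encode("utf-8"), csr_info, hashlib.sha256).digest()


class ChallengeRegistry:
    """CA/RA-side table of shared secrets (constructed stand-in for a real store):
    one secret per client, removed on first successful use so a value captured
    from a decrypted request cannot be replayed for a second certificate."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}

    def issue(self, client_id: str) -> str:
        secret = secrets.token_urlsafe(24)
        self._pending[client_id] = secret
        return secret

    def verify_challenge_password(self, client_id: str, attribute: bytes) -> bool:
        """SCEP style: the client transmitted the secret itself; compare it."""
        expected = self._pending.get(client_id)
        if expected is None:
            return False
        sent = extract_challenge_password(attribute)
        if not hmac.compare_digest(sent.encode("utf-8"), expected.encode("utf-8")):
            return False
        del self._pending[client_id]
        return True

    def verify_mac(self, client_id: str, csr_info: bytes, tag: bytes) -> bool:
        """Keyed-MAC alternative: the secret never leaves the client, the CSR
        stays readable for an RA, and the tag is bound to this exact CSR."""
        expected = self._pending.get(client_id)
        if expected is None:
            return False
        if not hmac.compare_digest(mac_over_csr(expected, csr_info), tag):
            return False
        del self._pending[client_id]
        return True


def demo() -> dict:
    ca = ChallengeRegistry()
    # Constructed stand-in for the DER CertificationRequestInfo of one device.
    csr_info = b"CN=router1.example.net,O=Example Corp|rsa-public-key-bytes"

    # SCEP path: the secret rides inside the CSR attribute; a replay is refused.
    attr = challenge_password_attribute(ca.issue("router1"))
    scep_first = ca.verify_challenge_password("router1", attr)
    scep_replay = ca.verify_challenge_password("router1", attr)

    # MAC path: same single-use property, and altering the CSR invalidates the tag.
    tag = mac_over_csr(ca.issue("router2"), csr_info)
    mac_first = ca.verify_mac("router2", csr_info, tag)
    mac_replay = ca.verify_mac("router2", csr_info, tag)
    tag3 = mac_over_csr(ca.issue("router3"), csr_info)
    tampered = csr_info.replace(b"router1", b"admin")
    mac_tampered = ca.verify_mac("router3", tampered, tag3)

    return {
        "scep_first": scep_first, "scep_replay": scep_replay,
        "mac_first": mac_first, "mac_replay": mac_replay,
        "mac_tampered": mac_tampered,
    }


if __name__ == "__main__":
    print(demo())
```

The registry deletes a secret only after a successful check, so a failed or tampered attempt does not lock the legitimate device out; a deployment that prefers to burn the secret on any attempt would delete it before comparing. In the MAC variant the RA can parse and policy-check csr_info before forwarding it, which the encrypted SCEP envelope rules out.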


History

SCEP was designed by Verisign for Cisco as a lean alternative to Certificate Management over CMS (CMC) and the very powerful but also rather bulky Certificate Management Protocol (CMP). It had early support from Microsoft, with its continuous inclusion in Windows starting with Windows 2000. In around 2010, Cisco suspended work on SCEP and developed EST instead. In 2015, Peter Gutmann revived the Internet Draft due to SCEP's widespread use in industry and in other standards. He updated the draft with more modern algorithms and corrected numerous issues in the original specification. In September 2020, the draft was published as informational RFC 8894, more than twenty years after the beginning of the standardization effort (IETF Datatracker: Simple Certificate Enrollment Protocol). The new version also supports enrollment of non-RSA certificates (e.g., for ECC public keys).


See also

* Certificate Management Protocol (CMP)
* Certificate Management over CMS (CMC)
* Enrollment over Secure Transport (EST)
* Automated Certificate Management Environment (ACME)


External links

* Slide deck describing SCEP: pkix-3.pdf

