Simple Certificate Enrollment Protocol (SCEP) is described by the informational RFC 8894. Older versions of this protocol became a de facto industrial standard for pragmatic provisioning of digital certificates, mostly for network equipment.
The protocol has been designed to make the request and issuing of digital certificates as simple as possible for any standard network user. These processes have usually required intensive input from network administrators, and so have not been suited to large-scale deployments.
Popularity
The Simple Certificate Enrollment Protocol is still the most popular and widely available certificate enrollment protocol, being used by numerous manufacturers of network equipment and software who are developing simplified means of handling certificates for large-scale implementation by everyday users. It is used, for example, by the Cisco IOS operating system (even if Cisco is now pushing the slightly more featured EST) and by iPhones to enroll in enterprise PKI. Most PKI software (specifically RA implementations) supports it, including the Network Device Enrollment Service (NDES) of Active Directory Certificate Services and Intune.
Criticism
* Legacy versions of SCEP, which still are employed in the vast majority of implementations, are limited to enrolling certificates for RSA keys only.
* Due to the use of the self-signed PKCS#10 format for Certificate Signing Requests (CSR), certificates can be enrolled only for keys that support signing. This limitation is shared by other enrollment protocols based on PKCS#10 CSRs, e.g., EST and ACME, and even by the web-based enrollment workflow of most PKI software, where the requester starts by generating a key pair and a CSR in PKCS#10 format. The CRMF format, as used by CMP and CMS, is more flexible here, also supporting keys that are usable for encryption or key agreement only. However, this distinction is mostly theoretical, since in practice all algorithms commonly used with certificates support signing. For example, ACME, which also uses PKCS#10, issues TLS certificates, which by definition must be capable of signing for the TLS handshake.
* Although proof-of-origin of certificate enrollment requests, i.e., authentication of the certificate requestor, is the most critical security requirement, for pragmatic reasons its support is not strictly required within SCEP. Signature-based client authentication using an already existing certificate would be the preferred mechanism but in many use cases is not possible or not supported by the given deployments. As an alternative, SCEP just provides the use of a shared secret, which should be client-specific and used only once.
* The confidentiality of the shared secret optionally used for source authentication is fragile because it must be included in the 'challengePassword' field of the CSR, which is then protected by an outer encryption. It would have been more secure to use a password-based MAC algorithm such as HMAC.
* Encrypting the whole PKCS#10 structure in order to protect the 'challengePassword' field (which is used for self-contained source authentication) has a further drawback: the whole CSR becomes unreadable for all parties except the intended ultimate receiver (the CA), although most of its contents are not confidential. So the PKCS#10 structure cannot be checked by intermediate agents such as an RA.
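As an added example, not from the article or from any SCEP implementation, the following Python encodes a PKCS#9 challengePassword attribute in DER, shows that any holder of the unencrypted PKCS#10 (such as an RA) can read the secret straight back out of it, and contrasts this with the password-based MAC the article suggests, where an RA verifies a client-specific one-time secret while the CSR stays readable. The CSR bytes, client id and secret are constructed; the DER helpers handle short-form lengths only.

```python
import hashlib
import hmac

CHALLENGE_PASSWORD_OID = "1.2.840.113549.1.9.7"  # PKCS#9 challengePassword, SCEP's source-authentication attribute

def der(tag, body):
    # DER TLV with short-form length only (everything here is well under 128 bytes)
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:  # base-128 arcs, high bit set on all but the last byte
        chunk = [p & 0x7F]
        while p >> 7:
            p >>= 7
            chunk.append(0x80 | (p & 0x7F))
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))

def der_read(buf, i=0):
    # Return (tag, body, index after the element) for the short-form TLV at buf[i]
    tag, n = buf[i], buf[i + 1]
    return tag, buf[i + 2:i + 2 + n], i + 2 + n

def challenge_password_attribute(password):
    # Attribute ::= SEQUENCE { type OID, values SET OF UTF8String }
    values = der(0x31, der(0x0C, password.encode()))
    return der(0x30, der_oid(CHALLENGE_PASSWORD_OID) + values)

def extract_challenge_password(csr_plaintext):
    # Anyone holding the unencrypted PKCS#10 (e.g. an RA) can read the secret back
    oid = der_oid(CHALLENGE_PASSWORD_OID)
    i = csr_plaintext.find(oid)
    if i < 0:
        return None
    _, values, _ = der_read(csr_plaintext, i + len(oid))
    _, password, _ = der_read(values)
    return password.decode()

def mac_tag(shared_secret, csr_der):
    # Password-based MAC alternative: the secret never enters the CSR, which
    # can therefore stay in plaintext for an RA to inspect
    return hmac.new(shared_secret, csr_der, hashlib.sha256).digest()

def ra_verify(one_time_secrets, client_id, csr_der, tag):
    # one_time_secrets maps client id -> secret; pop() consumes it on first use
    secret = one_time_secrets.pop(client_id, None)
    return secret is not None and hmac.compare_digest(mac_tag(secret, csr_der), tag)
```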
History
SCEP was designed by Verisign for Cisco as a lean alternative to Certificate Management over CMS (CMC) and the very powerful but also rather bulky Certificate Management Protocol (CMP). In around 2010, Cisco suspended work on SCEP and developed EST instead. In 2015, Peter Gutmann revived the Internet Draft due to SCEP's widespread use in industry and in other standards. He updated the draft with more modern algorithms and corrected numerous issues in the original specification. In September 2020, the draft was published as informational RFC 8894, more than twenty years after the beginning of the standardization effort (IETF Datatracker: Simple Certificate Enrollment Protocol). The new version also supports enrollment of non-RSA certificates (e.g., for ECC public keys).
See also
* Certificate Management Protocol (CMP)
* Certificate Management over CMS (CMC)
* Enrollment over Secure Transport (EST)
* Automated Certificate Management Environment (ACME)
External links
* Slide deck describing SCEP (pkix-3.pdf)