This article describes the support for the Simple Certificate Enrollment Protocol (SCEP) in Smart ID Certificate Manager via Protocol Gateway. Simple Certificate Enrollment Protocol is a protocol for handling certificates for large-scale implementation to everyday users.
The Certificate Manager SCEP service is used to enroll end-entity certificates on request from hardware components, such as routers and firewalls. The SCEP service is compliant with the Internet Draft draft-nourse-scep-23. For more information, see Internet draft - Simple Certificate Enrollment Protocol.
Protocol Gateway provides security by supporting the SCEP security features, the device registration procedure and a unique feature to verify signed SCEP requests, useful when using device management solutions. For more details on the SCEP implementation, see Notes on SCEP implementation in Certificate Manager.
For more information, see Example: SCEP configuration in Protocol Gateway.
SCEP Intune support
Certificate Manager can be used as a third-party CA with Microsoft Intune to issue and validate certificates using Simple Certificate Enrollment Protocol (SCEP). Certificate Manager supports SCEP Intune with Microsoft Azure for all SCEP Intune certified devices. For more information, see Example: SCEP Intune configuration in Protocol Gateway.
For each configured Intune handler, a revocation polling thread is started that periodically attempts to retrieve revocation data from Intune, if available. Click here for a list describing what type of actions that causes SCEP-issued certificates to be revoked: https://docs.microsoft.com/en-us/mem/intune/protect/remove-certificates.
SCEP NDES support
Certificate Manager supports SCEP with static and dynamic challenge passwords. SCEP with dynamic challenge passwords is complying to Microsoft's Network Device Enrollment Service (NDES) implementation.
Request certificate via SCEP and Protocol Gateway
The enrollment process is made up of the following major steps:
The hardware must be registered in the Certificate Manager database. A registration contains the fully qualified domain name (FQDN), and optionally a challenge password, an IP address and serial number of the hardware.
A certificate request is sent from the router or firewall via the SCEP service to the CF service. The request must contain the FQDN, the challenge password and, optionally, the IP address and serial number. A control is made against the database and the submitted challenge password is verified against the one stored in the database. If the request meets all requirements, a certificate will be created and returned to the requesting hardware.
- Example: SCEP configuration in Protocol Gateway
- Internet draft - Simple Certificate Enrollment Protocol