This article describes the support for the Simple Certificate Enrollment Protocol (SCEP) in Smart ID Certificate Manager via Protocol Gateway. SCEP is a protocol for handling certificates in large-scale deployments that reach everyday users.
The Certificate Manager SCEP service is used to enroll end-entity certificates on request from hardware components, such as routers and firewalls. The SCEP service is compliant with the Internet Draft draft-nourse-scep-23. For more information, see Internet draft - Simple Certificate Enrollment Protocol.
Protocol Gateway provides security by supporting the SCEP security features, the device registration procedure and a unique feature to verify signed SCEP requests, useful when using device management solutions. For more details on the SCEP implementation, see Notes on SCEP implementation in Certificate Manager.
Certificate Manager can be used as a third-party CA with Microsoft Intune to issue and validate certificates using Simple Certificate Enrollment Protocol (SCEP). Certificate Manager supports SCEP Intune with Microsoft Azure for all SCEP Intune certified devices. For more information, see Example: SCEP Intune configuration in Protocol Gateway.
Certificate Manager supports SCEP with static and dynamic challenge passwords. SCEP with dynamic challenge passwords complies with Microsoft's Network Device Enrollment Service (NDES) implementation.
This article is valid for Certificate Manager 8.5 and later.
The enrollment process is made up of the following major steps:
1. Hardware registration in CM: The hardware must be registered in the Certificate Manager database. A registration contains the fully qualified domain name (FQDN) and, optionally, a challenge password, an IP address and the serial number of the hardware.
2. Certificate enrollment: A certificate request is sent from the router or firewall via the SCEP service to the CF service. The request must contain the FQDN and the challenge password and, optionally, the IP address and serial number. The request is checked against the database, and the submitted challenge password is verified against the one stored in the database. If the request meets all requirements, a certificate is created and returned to the requesting hardware.
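The registration check described in the two steps above, as an added illustration that is not Certificate Manager's own code: a hypothetical in-memory registration table keyed by FQDN, a constant-time challenge password comparison, optional IP and serial matching, and a single-use, time-limited dynamic (NDES-style) challenge beside a static one. The record fields, the sample FQDNs and the challenge values are constructed for the example.

```python
"""Hypothetical model of the SCEP registration check (not CM's implementation)."""
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Registration:
    """Hardware record: FQDN plus optional challenge, IP address and serial."""
    fqdn: str
    challenge: Optional[str] = None
    ip: Optional[str] = None
    serial: Optional[str] = None
    dynamic: bool = False               # one-time (NDES-style) challenge
    expires: float = float("inf")       # validity end for a dynamic challenge
    used: bool = False                  # set once a dynamic challenge is consumed


@dataclass
class EnrollmentRequest:
    """Fields the SCEP request carries: FQDN, challenge, optional IP and serial."""
    fqdn: str
    challenge: Optional[str] = None
    ip: Optional[str] = None
    serial: Optional[str] = None


def check_request(db: Dict[str, Registration], req: EnrollmentRequest,
                  now: float) -> Tuple[bool, str]:
    """Return (accepted, reason); a dynamic challenge is consumed only on success."""
    reg = db.get(req.fqdn.lower())
    if reg is None:
        return False, "fqdn not registered"
    if reg.challenge is not None:
        # compare_digest avoids leaking the stored password via timing
        if req.challenge is None or not hmac.compare_digest(
                reg.challenge.encode(), req.challenge.encode()):
            return False, "challenge password mismatch"
        if reg.dynamic and (reg.used or now > reg.expires):
            return False, "dynamic challenge expired or already used"
    for name in ("ip", "serial"):           # optional attributes must match if registered
        expected = getattr(reg, name)
        if expected is not None and getattr(req, name) != expected:
            return False, f"{name} does not match registration"
    if reg.dynamic:
        reg.used = True                     # single use, as in the NDES model
    return True, "issue certificate"


def build_sample_db() -> Dict[str, Registration]:
    """Constructed sample table: one static and one dynamic registration."""
    return {
        "fw1.example.com": Registration("fw1.example.com", "s3cret", ip="10.0.0.1"),
        "rtr1.example.com": Registration("rtr1.example.com", "otp-1234",
                                         dynamic=True, expires=3600.0),
    }
```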