Skip to main content
Skip table of contents

SCEP support in Certificate Manager

This article is valid for Certificate Manager 8.5 and later.

This article describes the support for the Simple Certificate Enrollment Protocol (SCEP) in Smart ID Certificate Manager via Protocol GatewaySimple Certificate Enrollment Protocol is a protocol for handling certificates for large-scale implementation to everyday users. 

The Certificate Manager SCEP service is used to enroll end-entity certificates on request from hardware components, such as routers and firewalls. The SCEP service is compliant with the Internet Draft draft-nourse-scep-23. For more information, see Internet draft - Simple Certificate Enrollment Protocol

Protocol Gateway provides security by supporting the SCEP security features, the device registration procedure and a unique feature to verify signed SCEP requests, useful when using device management solutions. For more details on the SCEP implementation, see Notes on SCEP implementation in Certificate Manager.

Example configuration

For more information, see Example: SCEP configuration in Protocol Gateway

SCEP Intune support

Certificate Manager can be used as a third-party CA with Microsoft Intune to issue and validate certificates using Simple Certificate Enrollment Protocol (SCEP). Certificate Manager supports SCEP Intune with Microsoft Azure for all SCEP Intune certified devices. For more information, see Example: SCEP Intune configuration in Protocol Gateway

For each configured Intune handler, a revocation polling thread is started that periodically attempts to retrieve revocation data from Intune, if available. Click here for a list describing what type of actions that causes SCEP-issued certificates to be revoked:

SCEP NDES support

Certificate Manager supports SCEP with static and dynamic challenge passwords. SCEP with dynamic challenge passwords is complying to Microsoft's Network Device Enrollment Service (NDES) implementation.

SCEP support in Protocol Gateway

Request certificate via SCEP and Protocol Gateway

The enrollment process is made up of the following major steps:

  1. Hardware registration in CM
    The hardware must be registered in the Certificate Manager database. A registration contains the fully qualified domain name (FQDN), and optionally a challenge password, an IP address and serial number of the hardware.
  2. Certificate enrollment
    A certificate request is sent from the router or firewall via the SCEP service to the CF service. The request must contain the FQDN, the challenge password and, optionally, the IP address and serial number. A control is made against the database and the submitted challenge password is verified against the one stored in the database. If the request meets all requirements, a certificate will be created and returned to the requesting hardware.

Related information

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.