Simple Certificate Enrollment Protocol

hideThis article has multiple issues. Please help or discuss these issues on the talk page. (Learn how and when to remove these template messages) The topic of this article may not meet Wikipedia's general notability guideline. Please help to demonstrate the notability of the topic by citing reliable secondary sources that are independent of the topic and provide significant coverage of it beyond a mere trivial mention. If notability cannot be shown, the article is likely to be merged, redirected, or deleted. Find sources:  –  ·  ·  · scholar · JSTOR (June 2021) (Learn how and when to remove this template message) This article relies too much on references to primary sources. Please improve this by adding secondary or tertiary sources. (June 2021) (Learn how and when to remove this template message) This article relies largely or entirely on a single source. Relevant discussion may be found on the talk page. Please help by introducing citations to additional sources. Find sources:  –  ·  ·  · scholar · JSTOR (June 2021) (Learn how and when to remove this template message)

Simple Certificate Enrollment Protocol (SCEP) is described by the informational RFC 8894. Older versions of this protocol became a de-facto industrial standard for pragmatic provisioning of digital certificates mostly for network equipment.

The protocol has been designed to make the request and issuing of digital certificates as simple as possible for any standard network user. These processes have usually required intensive input from network administrators, and so have not been suited to large-scale deployments.

Popularity[]

The Simple Certificate Enrollment Protocol still is the most popular and widely available certificate enrollment protocol, being used by numerous manufacturers of network equipment and software who are developing simplified means of handling certificates for large-scale implementation to everyday users.^{[citation needed]} It is used for example by the Cisco IOS operating system (even if Cisco is now pushing the slightly more featured EST) and iPhones to enroll in enterprises PKI. Most PKI software (specifically RA implementations) supports it, including the Network Device Enrollment Service (NDES) of Active Directory Certificate Service.

Criticism[]

• Legacy versions of SCEP, which still is employed in the vast majority of implementations, are limited to enrolling certificates for RSA keys only.
• Due to the use of the self-signed PKCS#10 format for Certificate Signing Requests (CSR), certificates can be enrolled only for keys that support signing. A limitation shared by the others CSR based enrollment protocols, e.g. EST and ACME, or even the web based enrollment workflow of most PKI software where the requester starts by generating a key-pair and a CSR.
• Although proof-of-origin of certificate enrollment requests, i.e., authentication of the certificate requestor, is the most critical security requirement, for pragmatic reasons its support is not strictly required within SCEP. Signature-based client authentication using an already existing certificate would be the preferred mechanism but in many use cases is not possible or not supported by the given deployments. As an alternative, SCEP just provides the use of a shared secret, which should be client-specific and used only once. The confidentiality of this shared secret is fragile because it must be included in the 'challengePassword' field of the CSR, which is then protected by an outer encryption.

History[]

SCEP was designed by Verisign for Cisco^[1] as a lean alternative to Certificate Management over CMS (CMC) and the very powerful but also rather bulky Certificate Management Protocol (CMP). In around 2010, Cisco suspended work on SCEP and developed EST instead. In 2015, Peter Gutmann revived the Internet Draft due to SCEP widespread use in industry and in other standards.^[2] He updated the draft with more modern algorithms corrected numerous issues in the original specification. In September 2020, the draft was published as informational RFC 8894, more than twenty years after the beginning of the standardization effort.^[3] The new version also supports enrolment of non-RSA certificates (e.g., for ECC public keys).

See also[]

• Certificate Management Protocol (CMP)
• Certificate Management over CMS (CMC)
• Enrollment over Secure Transport (EST)
• Automated Certificate Management Environment (ACME)

External links[]

• Slide deck describing SCEP: pkix-3.pdf

References[]