Details

What is SCEP?

Usually when it is necessary to deploy certificates to (mobile) devices, Simple Certificate Enrollment Protocol (SCEP) is the first choice. But what is SCEP? SCEP is an Internet draft standard protocol. An Internet draft contains technical specifications and technical information. Internet drafts are often published as a Request for Comments.

SCEP is originally developed by Cisco. The core mission of SCEP is the deployment of certificates to network devices without any user interactions. With the help of SCEP, network devices can request certificates on their own.

What is SCEPman?

If you use SCEP in a 'traditional way' you need a number of on-premises components. Microsoft Intune and other Mobile Device Management (MDM) solutions allow third-party certificate authorities (CA) to issue and validate certificates using SCEP.

To get rid of the on-premises components we developed SCEPman.

SCEPman issues certificates that are intended for authentication and transport encryption. That said, you can deploy user and device certificates used for network authentication, WiFi, VPN, RADIUS and similar services.

You may use SCEPman for transactional digital signatures i.e. for S/MIME signing in Microsoft Outlook. If you plan to use the certificates for message signing you need to add the corresponding extended key usages in the Intune profile configuration. Please keep in mind that SCEPman certificates are trusted in your organization only. SCEPman does not issue publicly trusted certificates.

Do not use SCEPman for email-encryption i.e. for S/MIME mail encryption in Microsoft Outlook (without a separate technology for key management). The nature of the SCEP protocol does not include a mechanism to backup or archive private key material. If you would use SCEP for email-encryption you may lose the keys to decrypt the messages at a later time.

SCEPman Workflow

Here's an overview about the SCEPman workflow when using Intune as MDM solution (the flows are similar for other MDM solutions). The first figure shows the certificate issuance and the second figure shows the certificate validation.

Process of certificate issuance:

Process of certificate validation during certificate-based authentication:

SCEPman Features

SCEPman is an Azure Web App with the following features:

  • A SCEP interface that is compatible with the Intune SCEP API in particular.

  • SCEPman provides certificates signed by a CA root key stored in Azure Key Vault.

  • SCEPman contains an OCSP responder (see below) to provide certificate validity / auto-revocation in real-time

  • A full replacement of Legacy PKI in many scenarios.

SCEPman creates the CA root certificate during the initial installation. However, if for whatever reason an alternative CA key material shall be used it is possible to replace this CA key and certificate with your own in Azure Key Vault. For example, if you want to use a Sub CA certificate signed by an existing internal Root CA.

Certificate Master

Certificate Master allows Enterprise Edition customers to (manually) issue certificates in scenarios where an automatic enrollment via SCEP / MDM is not possible. Common examples are the issuance of TLS server certificates or user certificates for smart cards / YubiKeys. Furthermore, with Certificate Master, administrators can manage any certificate issued by SCEPman, whether they were automatically enrolled through SCEP via Intune, Jamf, 3rd party MDMs, EST, the Enrollment REST API or manually via Certificate Master UI itself.

pageCertificate Master

SCEPman OCSP (Online Certificate Status Protocol)

The Online Certificate Status Protocol (OCSP) is an Internet protocol which is in use to determine the state of a certificate.

Usually, an OCSP client sends a status request to an OCSP responder. An OCSP responder verifies the validity of a certificate based on revocation state or other mechanisms. In comparison to a certificate revocation list (CRL), that SCEPman supports as well, an OCSP response is always up-to-date and the response is available within seconds. A CRL has the disadvantage that it is based on a database that must refresh manually and may weigh a lot of data. Read a detailed comparison of these revocations mechanisms in an article in our company blog.

Last updated