Simple Certificate Enrollment Protocol(SCEP)

Simple Certificate Enrollment Protocol(SCEP) is a protocol standard used for certificate management. SCEP is predominantly used for Certificate-based authentication, whereby access to services such as Wi-Fi, VPN and securing e-mail through encryption is carried out using certificates.


The major advantages of certificate-based authentication are:

However, to manually distribute certificates is a cumbersome task for IT administrators in large-scale organizations. SCEP helps network administrators to easily install certificates in devices. SCEP provides a simplified and scalable method for handling certificates in large organizations. The difference between Certificate and SCEP is that SCEP policy is used for distributing client certificates to devices while Certificate policy distributes the CA certificates to devices.

Pre-requisites

Configuring SCEP in MDM MSP

1. The value for Subject should be in LDAP DN format as explained here.
2. You can verify Server details such as enrollment challenge password from http://<your-server>/CertSrv/mscep_admin and http://<Your-Server>/crtsrv/mscep/mscep.dll

Profile Specification

Description

SCEP Configuration Name

The user-defined configuration name, which is used to refer this configuration in other configurations such as Wi-Fi, VPN etc.,

SCEP SETTINGS

Server URL

The URL to be specified in the device to obtain certificate. Provide HTTP Server URL, if the SCEP server is within the organization network and not exposed to external networks. The certificate is requested through this URL.
For NDES, the server URL format: http://<your-server>/CertSrv/mscep/mscep.dll

Subject

Specify the details(%username%, %email%, %domainname%,%devicename%) to map the corresponding details in the device.

Thumbprint(Hash Value)

The thumbprint value is used for verifying the CA identity, if the Server URL is specified as HTTPS. Used for securing the communication between the devices and the CA. The value for thumbprint is usually available in https:///CertSrv/mscep_admin.

Key Usage

Specify whether key is to be used for Digital Signature, Key Encipherment or both.

Subject Alternative Name Type

Specify the alternate details(RFC 822 Name, DNS Name, URI and UPN).

  • RFC 822 Name: Formal definition of an e-mail address. Example: user_name@domain.com
  • Domain Naming System(DNS) Name: Refers to the common nomenclature used for systems, services and/or other resources. Example: server-name.domain.com
  • Uniform Resource Identifier(URI): Refers to the naming system used for identifying a resource. Contains both URLs and URNs. Example: ftp://domain.com/user.txt
  • User Principal Name(UPN): Refers to the system user name in the Active Directory, whose format is similar to that of e-mail. Example: user_name@domain.com

Subject Alternative Name Value (Can be configured only if Subject Alternative Name is configured)

Specify the value for the alternative name type.

Maximum Number of Failed Attempts

Number of attempts to obtain the certificate from the CA.

Time interval between attempts

Time to wait before subsequent attempts to obtain certificate

Challenge Type

A pre-shared secret key provided by the CA, which adds additional layer of security

Enrollment Challenge Password (Can be specified, only if Challenge Type is configured as Static)

Provide the challenge password to be used. Challenge Password can be identified as explained here.

Key Size

Specify whether the key is 1024 or 2048 bits.



See Also:  Associating Profiles to Groups, Associating Profiles to Devices,  App Management, Distribute Apps to Devices, Distribute Apps to Groups
Copyright © 2019, ZOHO Corp. All Rights Reserved.
ManageEngine