Simple Certificate Enrollment Protocol(SCEP)
Simple Certificate Enrollment Protocol(SCEP) is a protocol standard used for certificate management. SCEP is predominantly used for Certificate-based authentication, whereby access to services such as Wi-Fi, VPN and securing e-mail through encryption is carried out using certificates.
The major advantages of certificate-based authentication are:
- Zero-user intervention as users are authenticated via certificates.
- Secure network communication as the data is encrypted and authenticated using certificates.
However, to manually distribute certificates is a cumbersome task for IT administrators in large-scale organizations. SCEP helps network administrators to easily install certificates in devices. SCEP provides a simplified and scalable method for handling certificates in large organizations. The difference between Certificate and SCEP is that SCEP policy is used for distributing client certificates to devices while Certificate policy distributes the CA certificates to devices.
The device directly contacts the SCEP server to generate the certificate, therefore ensure the SCEP server is reachable from the device. It is not necessary for the SCEP server to be reachable to MDM.
Configuring SCEP in MDM
- You can verify Server details such as enrollment challenge password from http://<your-server>/CertSrv/mscep_admin and http://<Your-Server>/crtsrv/mscep/mscep.dll
|SCEP Configuration Name||The user-defined configuration name, which is used to refer this configuration in other configurations such as Wi-Fi, VPN etc.,|
|Server URL||The URL to be specified in the device to obtain certificate. Provide HTTP Server URL, if the SCEP server is within the organization network and not exposed to external networks. The certificate is requested through this URL.
For NDES, the server URL format: http://<your-server>/CertSrv/mscep/mscep.dll
|Certificate Authority Name||Specify the name of the Certificate Authority issuing certificates.|
|Subject||Specify the details(%username%, %email%, %domainname%,%devicename%) to map the corresponding details in the device.|
|Subject Alternative Name Type||Specify the alternate details(RFC 822 Name, DNS Name, Uniform Resource Identifier).|
|Subject Alternative Name Type Value (Can be configured only if Subject Alternative Name Type is configured)||Specify the value for alternative name type.|
|NT Principal Name||Specify the NT Principal Name used in the organization.|
|Maximum Number of Failed Attempts||Number of attempts to obtain the certificate from the CA.|
|Time interval between attempts||Time to wait before subsequent attempts to obtain certificate|
|Challenge Type||A pre-shared secret key provided by the CA, which adds additional layer of security|
|Enrollment Challenge Password||Provide the challenge password to be used. Challenge Password can be identified as explained here.|
|Key Size||Specify whether the key is 1024 or 2048 bits|
|Use as Digital Signature||Enabling ensures the certificate can be used as Digital Signature|
|Use for Key Encipherment||Enabling ensures the certificate can be used as Key Encipherment|