Simple Certificate Enrollment Protocol (SCEP): Explained

Sam Metzler Education

Distributing certificates to managed devices can be a monumental task with a lot of moving parts that need to be accounted for: PKI integration, establishing a gateway, configuration policies, certificate enrollment, device authentication, and much more.

Luckily, SCEP provides a way to streamline certificate enrollment on managed devices, so an administrator can automatically enroll every managed device for a client certificate without requiring any end-user interaction.

What is SCEP?

Simple Certificate Enrollment Protocol, or SCEP, is a protocol that allows devices to easily enroll for a certificate by using a URL and a shared secret to communicate with a PKI. Mobile Device Management (MDM) software commonly uses SCEP for devices by pushing a payload containing the SCEP URL and shared secret to managed devices. This can save an administrator a lot of time and effort compared to the alternative of manually enrolling their managed devices for certificates.

Components of a SCEP Gateway

Here, we will go over the core components in the SCEP gateway.

SCEP Gateway API URL

Simple Certificate Enrollment Protocol tells devices how to communicate with the PKI through a Gateway API URL. Customers using SecureW2 can generate a SCEP Gateway API URL with our software, then place that URL in their MDM so the MDM can push a payload to the devices that should enroll themselves for client certificates.

SCEP Shared Secret

A Shared Secret is a case-sensitive password entrusted between the SCEP server and the Certificate Authority (CA). The shared secret lets the CA verify that a signing request arrived via the right server before it signs a certificate. With SecureW2’s solution, the device presents the shared secret to our Managed PKI, and certificate enrollment then takes place on the device.

SCEP Certificate Request

Once the SCEP gateway is set up and the Shared Secret is shared between the SCEP server and the CA, you can create and distribute a configuration profile that allows managed devices to auto-enroll for certificates. The device sends a certificate enrollment request through the SCEP gateway to the CA. Once the request is authenticated, a signed certificate is deployed onto the device.

SCEP Signing Certificate

Most MDMs require you to upload a SCEP signing certificate, signed by the CA that issues certificates, that includes the entire certificate chain (signing certificate, Intermediate CA, Root CA). SecureW2 makes creating a signing certificate easy: select the issuing CA and a PKCS12 file is generated for you to upload into your MDM.

SCEP Device Enrollment Process

Enrolling through SCEP involves validating a CA and sending a Certificate Signing Request (CSR) from your MDM interface. Obtaining a copy of the CA certificate is vital for SCEP to relay the CSR properly and for client enrollment in general. You can check the SCEP server to verify that the certificate was signed by the CA.

The key is setting up a proper CA to fulfill the needs for the SCEP Gateway, which we have outlined below.

How to Configure SCEP

SCEP is designed to automate the certificate enrollment process and make it easier for organizations with MDMs. Below is a quick overview of configuring SCEP for MDM networks running on certificates using SecureW2’s JoinNow Suite, a cloud-based solution for managed devices.

Building the SCEP Gateway

The SecureW2 Management Portal has the necessary components to deploy a SCEP Gateway with any major MDM. In less than 30 minutes, you can create the following:

Create a Custom Private Intermediate CA in the SecureW2 Management Portal.
Create a Signing CA, signed by the Intermediate CA.
Generate the SCEP Gateway API URL and Shared Secret.
Optional: Configure Custom Certificate Templates and Enrollment Policies.

Configuring SCEP in Your MDM

Now that we have all the components, it’s time to piece everything together to create the SCEP Gateway. Typically, MDMs have a dedicated SCEP configuration section. Jamf is one of our favorite Technology Partners; it has excellent SCEP support and is widely used across the industry. Below is an example image of where you can configure SCEP settings in Jamf. To learn more about how our SCEP Gateway integrates with Jamf, click here.

The following is a high-level overview of the steps required to integrate a SCEP Gateway with an MDM so that devices auto-enroll themselves for certificates:

  1. Add the SCEP Gateway API URL
  2. Add the SCEP Shared Secret
  3. Upload the SCEP Signing Certificate
  4. Configure the SCEP Payload that is sent to devices
  5. Specify which devices receive the Payload
  6. Optional: Configure Payloads for the settings that use the certificate, such as Wi-Fi, VPN, and Application Access

To learn more about how our SCEP Gateway integrates with MDMs, check out our Managed Device Solutions Page.

How Does SCEP Work with Windows?

Microsoft WSTEP Protocol

Developed by Microsoft, the WS-Trust X.509v3 Token Enrollment Extensions Protocol (WSTEP) has the same basic premise as SCEP: creating a secure connection between the MDM and devices for sending data. While SCEP works for most MDMs, it does not work for Microsoft GPO. This is where WSTEP comes into play, as it’s the standard for auto-enrolling Active Directory managed devices with certificates. SecureW2 offers an easy-to-configure WSTEP Gateway API that many organizations use today for their AD domain-joined devices.

Integrating SCEP and Microsoft Intune

While Microsoft GPO may not natively support SCEP, Microsoft Intune can be configured to distribute certificates with SCEP. Through the gateway, devices can receive configuration profiles so they can request to enroll themselves for certificates.

Configuring Intune to work with SCEP is quite similar to how most MDMs use our SCEP Gateway API. Click here to see our integration guide for enrolling SCEP certificates on Intune.

SCEP Certificate Device Wi-Fi Authentication

For many organizations with MDMs, making sure each device is authenticated takes a lot of time and resources. SCEP automates the certificate enrollment process, so authenticating is streamlined. EAP-TLS is the standard authentication method for devices enrolled for SCEP certificates, because it’s the industry standard for certificate-based Wi-Fi authentication.

EAP-TLS Authentication Benefits

EAP-TLS is considered one of the best methods of authentication because it eliminates the need for credentials and doesn’t require any end user interaction. The device auto-detects the secure server through the SCEP gateway and can begin enrolling for a certificate immediately.

SCEP vs EST

Enrollment over Secure Transport (EST) is considered an evolution of SCEP because EST requires TLS client-side device authentication. SCEP uses a shared secret and a CSR to start enrolling certificates. Both EST and SCEP are good methods for automated certificate enrollment on managed devices; the difference lies in whether TLS is used for authentication.

One thing to note is that EST has seen a lot of market penetration with IoT devices. SecureW2 works with IoT manufacturers that don’t support EST or SCEP natively so that they can easily enable these protocols in their software stack or through custom delivery options. Devices can then ship to customers pre-loaded with certificates, or customers can use SecureW2’s managed PKI to generate their own and enroll all their devices (IoT, BYOD, or Managed) for certificates.

SCEP vs ACME

Automated Certificate Management Environment (ACME) is very similar to SCEP in regard to certificate management. ACME installs a certificate management tool, which generates a key pair that can validate the CA and organization. Once validated, the management tool is able to request certificates by generating and signing CSRs that are sent to the CA. With the ACME protocol, organizations can have their managed devices automatically request certificates from the CA.

Like EST, ACME is relatively new, and the number of deployment requests we have received for ACME is nowhere near the number of SCEP requests. The fact of the matter is that the SCEP protocol is more widely recognized and used.

SCEP vs CMP and CMC

Certificate Management Protocol (CMP) and Certificate Management over CMS (CMC) are both similar to SCEP structurally, but handle different aspects of digital certificates. SCEP and EST mainly cover the enrollment and issuance of certificates, while CMP and CMC mainly cover certificate management, including revocation, status, and request.

SecureW2’s JoinNow solutions employ the SCEP gateway to distribute certificates, and the Management Portal allows you to manage issued certificates accordingly. The whole certificate process can be managed easily from anywhere.

Simplifying SCEP With SecureW2

Secure configuration of managed devices for WPA2-Enterprise is non-negotiable, but it doesn’t have to be difficult. Our powerful Gateway APIs allow you to use SCEP to enroll certificates to an unlimited number of managed devices in the same amount of time it takes to manually configure a single device. It’s the simplest and most secure way to provision certificates to all your devices. 

Certificates will need to be distributed onto every managed device for certificate-based authentication to work, but it can be done quickly and easily with our SCEP Gateway API. Configuring a SCEP gateway may seem like a difficult task but SecureW2’s PKI Services allows for easy implementation. The SCEP Gateway API allows managed devices to silently and easily enroll for certificates on their own. Plus, our easy-to-use Management Portal allows you to manage the entire certificate lifecycle entirely, additionally giving you full visibility into the success of the certificate enrollment for fast and remote troubleshooting. 

Using SecureW2’s JoinNow Connector allows you to leverage certificates with our powerful PKI Services and customize every facet of your network’s security. Plus, we have affordable options for organizations of any size. Check out our pricing to learn more.


Learn About This Author

Sam Metzler

Sam (aka Slammin Salmon, Street Hustler Sam, Samilstilskin) is a copywriter within the marketing team and a man of many nicknames. He has a degree in Marketing from the University of North Texas with previous experience in mortgage marketing and financial services.