Simple Certificate Enrollment Protocol

Using SCEP, an administrator can automate the certificate enrollment process.

Distributing certificates to managed devices involves many steps: integrating a PKI, configuring gateways, setting up configuration policies, enrolling certificates, authenticating devices, and other tasks.

Using SCEP, an administrator can automate the certificate enrollment process so that managed devices have client certificates automatically enrolled without the end-user needing to interact.


Do you know what SCEP is?

By using a URL and a shared secret, SCEP enables devices to enroll for certificates from a PKI with little effort. Software that manages mobile devices typically uses SCEP by pushing a payload containing the SCEP URL and the shared secret to the device. Compared with manually enrolling each managed device for a certificate, this saves an administrator a lot of time and effort.


SCEP Gateway includes the following components



With IronWiFi, you can generate a SCEP Gateway API URL in our software; the URL tells devices where and how to reach the PKI over the SCEP protocol. The URL is then sent, in a payload pushed by your MDM, to the devices that should enroll for client certificates.


SCEP servers and Certificate Authorities (CAs) share a case-sensitive password called a Shared Secret; the CA uses it to verify which SCEP server's requests it should sign certificates for. IronWiFi's solution uses our Managed PKI to enroll certificates on the device, and the shared secret is presented to the Managed PKI during enrollment.


Once you have configured the SCEP gateway and shared the Shared Secret between the SCEP server and the CA, you can create a configuration profile that lets managed devices request their own certificates automatically. The device's enrollment request is sent to the CA via the SCEP gateway, and once the request has been authenticated and the certificate signed, the device can use its certificate.


MDMs usually require you to upload a SCEP signing certificate, signed by the CA issuing the certificates, together with the full certificate chain: the signing certificate, the Intermediate CA, and the Root CA. IronWiFi simplifies the creation of signing certificates: you select the CA that issues the certificates and a PKCS12 file is generated automatically for you to upload into your MDM.
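The payload an MDM pushes to a device is the point where the SCEP URL, the shared secret and the trust in the CA come together, so it is worth checking before it goes out. The following is an added example, not IronWiFi's code: it builds an Apple-style SCEP configuration profile with Python's standard `plistlib` and runs a small review over it. It assumes Apple's documented SCEP payload keys (`PayloadType` "com.apple.security.scep" with `URL`, `Name`, `Subject`, `Challenge`, `Key Size`, `Key Type`, `Key Usage` and `CAFingerprint`); the gateway URL, challenge, CA name, identifiers and the CA certificate bytes are placeholders, not real values.

```python
"""Constructed example: build and review an MDM SCEP payload (not IronWiFi's code).

Assumes Apple's documented SCEP payload keys. Every URL, secret, name and
certificate value below is a placeholder.
"""
import hashlib
import plistlib
import uuid
from urllib.parse import urlparse

# Apple's Key Usage bit values: 1 = signing, 4 = encryption, 5 = both.
KEY_USAGE_SIGNING_AND_ENCRYPTION = 5


def build_scep_payload(url, challenge, ca_cert_der, subject_cn, org, key_size=2048):
    """Return a configuration-profile dict carrying one SCEP payload.

    ca_cert_der is the DER encoding of the CA certificate the device should
    trust. Its SHA-1 fingerprint (the form Apple's CAFingerprint key accepts,
    assumed here) is pinned so the device refuses a CA certificate that does
    not match what the administrator distributed.
    """
    scep = {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.scep",          # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "SCEP enrollment (example)",
        "PayloadContent": {
            "URL": url,                                  # SCEP Gateway API URL
            "Name": "ExampleCA",                         # placeholder CA identifier
            "Subject": [[["CN", subject_cn]], [["O", org]]],
            "Challenge": challenge,                      # the shared secret
            "Key Size": key_size,
            "Key Type": "RSA",
            "Key Usage": KEY_USAGE_SIGNING_AND_ENCRYPTION,
            "CAFingerprint": hashlib.sha1(ca_cert_der).digest(),
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile",      # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Example SCEP profile",
        "PayloadContent": [scep],
    }


def check_scep_payload(profile):
    """Return the findings a reviewer would raise before pushing the profile."""
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.security.scep":
            continue
        content = payload.get("PayloadContent", {})
        if urlparse(content.get("URL", "")).scheme != "https":
            findings.append("SCEP URL is plain http: CA certificate and capability "
                            "responses are unauthenticated in transit")
        if not content.get("Challenge"):
            findings.append("no Challenge: the CA cannot tie the request to this deployment")
        if content.get("Key Type", "RSA") == "RSA" and content.get("Key Size", 0) < 2048:
            findings.append("RSA key size below 2048 bits")
        if not content.get("CAFingerprint"):
            findings.append("no CAFingerprint: the device will trust whatever CA "
                            "certificate the gateway returns")
    return findings


def to_mobileconfig(profile):
    """Serialize the profile to XML plist bytes, the form an MDM pushes."""
    return plistlib.dumps(profile)


def parse_mobileconfig(data):
    """Parse plist bytes back into a dict (used to round-trip the profile)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    fake_ca_der = b"constructed stand-in for DER certificate bytes"
    profile = build_scep_payload("https://scep.example.invalid/scep",
                                 "PLACEHOLDER-SHARED-SECRET", fake_ca_der,
                                 "device-0001", "Example Org")
    print(check_scep_payload(profile))
    print(to_mobileconfig(profile).decode()[:300])
```

The review deliberately treats a missing `CAFingerprint` as a finding on its own: SCEP itself does not authenticate the server that hands out the CA certificate, so the fingerprint carried in the payload is what stops a device from enrolling against the wrong CA.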


SCEP Device Enrollment Process

SCEP enrollment consists of validating the CA and submitting a Certificate Signing Request (CSR) through your MDM interface. The SCEP client must obtain a copy of the CA certificate before it can properly handle the CSR and the enrollment as a whole; the certificate's authenticity can then be verified by consulting the SCEP server.
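Two things a client should do before it submits the CSR are to ask the gateway which algorithms it supports and to check the CA certificate it receives against a fingerprint obtained out of band. The following is an added example, not IronWiFi's code, written against the operation names and the text/plain capability list defined in RFC 8894 (`GetCACaps`, `GetCACert`); the network exchange is replaced by constructed responses so it runs offline, and the gateway URL, CA identifier and certificate bytes are placeholders.

```python
"""Constructed example: client-side checks before SCEP enrollment (not IronWiFi's code).

Uses the GetCACaps and GetCACert operations from RFC 8894. Responses are
constructed stand-ins; the gateway URL and CA identifier are placeholders.
"""
import hashlib
import hmac
from urllib.parse import urlencode

STRONG_HASHES = {"SHA-256", "SHA-512"}
STRONG_CIPHERS = {"AES"}

# Constructed GetCACaps bodies, one capability keyword per line as RFC 8894 specifies.
SAMPLE_STRONG_CAPS = "AES\nPOSTPKIOperation\nRenewal\nSHA-256\nSHA-512\nSCEPStandard\n"
SAMPLE_LEGACY_CAPS = "SHA-1\nDES3\n"
# Constructed stand-in for the DER bytes a GetCACert response would carry.
FAKE_CA_DER = b"constructed stand-in for a DER-encoded CA certificate"


def scep_operation_url(gateway_url, operation, ca_ident=None):
    """Build the GET URL for a SCEP operation; the optional message is the CA identifier."""
    params = {"operation": operation}
    if ca_ident:
        params["message"] = ca_ident
    return f"{gateway_url}?{urlencode(params)}"


def parse_ca_caps(body):
    """Parse a GetCACaps response into a set of capability keywords."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def assess_ca_caps(caps):
    """Return findings; an empty list means the gateway advertises a strong profile."""
    findings = []
    if not caps:
        # A client that learns nothing falls back to the protocol's legacy
        # defaults (MD5 and single DES), so an empty list is itself a finding.
        findings.append("no capabilities advertised: client would fall back to legacy MD5/DES defaults")
        return findings
    if not caps & STRONG_HASHES:
        findings.append("no SHA-256/SHA-512: PKI messages would be signed with SHA-1 or MD5")
    if not caps & STRONG_CIPHERS:
        findings.append("no AES: the CSR and challenge would be enveloped with (3)DES")
    if "POSTPKIOperation" not in caps:
        findings.append("no POSTPKIOperation: PKI messages must be base64-encoded into GET URLs")
    return findings


def ca_cert_fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex without colons."""
    return hashlib.sha256(der_bytes).hexdigest()


def verify_ca_cert(der_bytes, pinned_fingerprint):
    """True only if the fetched CA certificate matches the fingerprint distributed out of band."""
    expected = pinned_fingerprint.lower().replace(":", "")
    return hmac.compare_digest(ca_cert_fingerprint(der_bytes), expected)


if __name__ == "__main__":
    gateway = "https://scep.example.invalid/scep"          # placeholder gateway URL
    print(scep_operation_url(gateway, "GetCACaps", "ExampleCA"))
    print(assess_ca_caps(parse_ca_caps(SAMPLE_STRONG_CAPS)))
    print(assess_ca_caps(parse_ca_caps(SAMPLE_LEGACY_CAPS)))
    pinned = ca_cert_fingerprint(FAKE_CA_DER)   # in practice, taken from the PKI administrator
    print(verify_ca_cert(FAKE_CA_DER, pinned))
```

The fingerprint comparison uses a constant-time compare and normalizes the colon-separated form that PKI consoles usually display, so a pin copied from an administrator's screen matches without manual reformatting.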

To implement the SCEP Gateway, we need a CA that meets the needs we outlined below.

Device Authentication Using SCEP Certificates

MDMs spend a lot of time and resources making sure that each device is authenticated. By automating certificate enrollment, SCEP streamlines that authentication process. EAP-TLS is the industry standard for certificate-based Wi-Fi authentication and is what devices enrolled with SCEP certificates use to authenticate.


Because it requires no interaction from the end user, EAP-TLS is considered one of the best authentication methods. Through the SCEP gateway, the device automatically locates the secure server and can enroll for a certificate right away.




Because EST (Enrollment over Secure Transport) requires client-side device authentication over TLS, it is considered an evolution of SCEP. SCEP enrolls certificates using a shared secret and a CSR. The only difference between EST and SCEP is whether TLS is used for authentication. Both methods are great for automating certificate enrollment on managed devices.

EST has been very popular for IoT devices. IronWiFi helps IoT manufacturers whose devices don't support EST or SCEP natively implement them in their software stacks or custom delivery protocols. Customers can either receive devices pre-loaded with certificates, or use IronWiFi's managed PKI to create their own and enroll all of their connected devices (IoT, BYOD, or managed).



The Automated Certificate Management Environment (ACME) is very similar to SCEP in terms of managing certificates. The CA and the organization are validated by means of an ACME certificate management tool installed by the organization. Upon validation, the tool generates and signs CSRs that are sent to the CA to request certificates. ACME allows organizations to automate certificate requests from their managed devices to CAs.

Unlike SCEP, ACME is relatively new, and we have not received as many deployment requests for ACME as we have received for EST. There is no doubt that SCEP is more widely recognized and used.


SCEP versus CMP and CMC

SCEP, Certificate Management Protocol (CMP) and Certificate Management over CMS (CMC) follow the same structural principles, but they handle digital certificates differently. EST and SCEP primarily deal with enrollment and issuance, while CMP and CMC deal with certificate management, such as revocation, status, and requests.

As part of IronWiFi's solutions, you can manage issued certificates via the Management Portal, which uses the SCEP gateway to distribute certificates, so you can manage the certificate process from anywhere.


With IronWiFi, SCEP is simple

WPA2-Enterprise is an essential component of managing devices, but it does not have to be complicated. SCEP lets you configure an unlimited number of devices with certificates in a fraction of the time it takes to configure each device manually. It is the simplest and most secure method for provisioning certificates to all your devices.

IronWiFi's API makes it easy to configure the SCEP gateway that certificate-based authentication requires. Managed devices can then silently and easily enroll for certificates through the SCEP Gateway API. In addition, you can use the Management Portal to manage the entire certificate life cycle and to view enrollment results for fast, remote troubleshooting.

All organizations can find affordable options with us.


