Details

What is SCEP?

When certificates have to be deployed to (mobile) devices, the Simple Certificate Enrollment Protocol (SCEP) is usually the first choice. But what is SCEP? SCEP is an Internet Draft standard protocol. An Internet Draft contains technical specifications and technical information; Internet Drafts are often published as a Request for Comments (RFC).

SCEP was originally developed by Cisco. The core mission of SCEP is the deployment of certificates to network devices without any user interaction. With the help of SCEP, network devices can request certificates on their own.

What is SCEPman?

If you use SCEP in the traditional way, you need a number of on-premises components. Microsoft Intune and other Mobile Device Management (MDM) solutions allow third-party certificate authorities (CAs) to issue and validate certificates using SCEP.

To get rid of the on-premises components we developed SCEPman.

SCEPman Workflow

Here is an overview of the SCEPman workflow when Intune is used as the MDM solution (the flows are similar for other MDM solutions). The first figure shows certificate issuance and the second figure shows certificate validation.

Process of certificate issuance:

Process of certificate validation during certificate-based authentication:

SCEPman Features

SCEPman is an Azure Web App with the following features:

  • A SCEP interface that is compatible with the Intune SCEP API in particular.

  • SCEPman provides certificates signed by a CA root key stored in Azure Key Vault.

  • SCEPman contains an OCSP responder (see below) that provides certificate validity checks and automatic revocation in real time.

  • A full replacement of Legacy PKI in many scenarios.

SCEPman creates the CA root certificate during the initial installation. However, if for whatever reason alternative CA key material is to be used, you can replace this CA key and certificate with your own in Azure Key Vault, for example to use a Sub CA certificate signed by an existing internal Root CA.

Certificate Master

Certificate Master allows Enterprise Edition customers to issue certificates manually in scenarios where automatic enrollment via SCEP / MDM is not possible. Common examples are the issuance of TLS server certificates or user certificates for smart cards / YubiKeys. Furthermore, with Certificate Master, administrators can manage any certificate issued by SCEPman, whether it was enrolled automatically through SCEP via Intune, Jamf or another MDM, through EST or the Enrollment REST API, or manually via the Certificate Master UI itself.


SCEPman OCSP (Online Certificate Status Protocol)

The Online Certificate Status Protocol (OCSP) is an Internet protocol used to determine the revocation state of a certificate.

Usually, an OCSP client sends a status request for a single certificate to an OCSP responder. The OCSP responder determines the validity of that certificate based on its revocation state or other mechanisms and returns a signed response. In comparison to a certificate revocation list (CRL), which SCEPman supports as well, an OCSP response is always up to date and is available within seconds. A CRL has the disadvantage that it is a list which must be refreshed manually and can grow to a large amount of data that every client has to download. Read a detailed comparison of these revocation mechanisms in an article in our company blog.
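The request/response exchange described above, shown as an added example that is not SCEPman code: SCEPman's OCSP responder is an HTTP endpoint backed by its own certificate database, whereas here a constructed root CA, the client and a toy responder all run in one process with the `cryptography` library so the exchange can be executed offline and inspected step by step. All names (`Responder`, `check_status`, the "Example Root CA") are assumptions made for the example.

```python
"""Local OCSP round trip: client builds a request, responder answers it,
client verifies the responder's signature before trusting the status.
Added example using the `cryptography` library; not SCEPman's code."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID


def utcnow():
    # Naive UTC timestamps are accepted by every cryptography version.
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def _builder(subject, issuer, public_key, days, is_ca):
    now = utcnow()
    return (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )


def make_ca():
    """Constructed root CA standing in for the key SCEPman keeps in Key Vault."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root CA")])
    cert = _builder(name, name, key.public_key(), 365, True).sign(key, hashes.SHA256())
    return key, cert


def issue_leaf(ca_key, ca_cert, common_name):
    """Issue an end-entity certificate (the device's own key is discarded here)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    return _builder(name, ca_cert.subject, key.public_key(), 30, False).sign(ca_key, hashes.SHA256())


class Responder:
    """Toy OCSP responder: knows which certificates it issued and which are revoked."""

    def __init__(self, ca_key, ca_cert):
        self.ca_key, self.ca_cert = ca_key, ca_cert
        self.issued = {}   # serial number -> certificate
        self.revoked = {}  # serial number -> revocation time

    def issue(self, common_name):
        cert = issue_leaf(self.ca_key, self.ca_cert, common_name)
        self.issued[cert.serial_number] = cert
        return cert

    def revoke(self, cert):
        self.revoked[cert.serial_number] = utcnow()

    def handle(self, der_request):
        """Answer one DER-encoded OCSP request with a DER-encoded, signed response."""
        req = ocsp.load_der_ocsp_request(der_request)
        cert = self.issued.get(req.serial_number)
        if cert is None:
            # Serial never issued by this CA: refuse rather than guess a status.
            unsuccessful = ocsp.OCSPResponseBuilder.build_unsuccessful(
                ocsp.OCSPResponseStatus.UNAUTHORIZED)
            return unsuccessful.public_bytes(serialization.Encoding.DER)
        now = utcnow()
        revoked_at = self.revoked.get(req.serial_number)
        builder = ocsp.OCSPResponseBuilder().add_response(
            cert=cert,
            issuer=self.ca_cert,
            algorithm=hashes.SHA256(),
            cert_status=ocsp.OCSPCertStatus.REVOKED if revoked_at else ocsp.OCSPCertStatus.GOOD,
            this_update=now,
            next_update=now + datetime.timedelta(minutes=10),  # short validity keeps answers fresh
            revocation_time=revoked_at,
            revocation_reason=x509.ReasonFlags.key_compromise if revoked_at else None,
        ).responder_id(ocsp.OCSPResponderEncoding.HASH, self.ca_cert)
        return builder.sign(self.ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def check_status(cert, ca_cert, responder):
    """Client side: build the request, 'send' it, verify and interpret the answer.
    In production the DER request is POSTed to the responder's HTTP URL instead."""
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, ca_cert, hashes.SHA256()).build()
    der = responder.handle(req.public_bytes(serialization.Encoding.DER))
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return resp.response_status.name
    # Verify the signature with the CA key before trusting anything in the response,
    # then make sure the answer is for the serial number that was asked about.
    ca_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                padding.PKCS1v15(), resp.signature_hash_algorithm)
    if resp.serial_number != cert.serial_number:
        raise ValueError("OCSP response is for a different certificate")
    return resp.certificate_status.name  # "GOOD" or "REVOKED"
```

A real client additionally checks that the response's `thisUpdate`/`nextUpdate` window covers the current time, so that a captured old "GOOD" answer cannot be replayed after revocation; that freshness window is what lets an OCSP answer reflect a revocation within seconds, while a CRL only changes when the whole list is regenerated and re-downloaded.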
