SCEP Protocol
The Simple Certificate Enrollment Protocol (SCEP) is defined in RFC 8894 (https://datatracker.ietf.org/doc/html/rfc8894) and is designed to simplify the secure issuance and management of X.509 certificates in large-scale networked environments. SCEP provides a standard mechanism for network devices and applications—such as routers, switches, VPN gateways, printers, and mobile devices—to securely request and obtain digital certificates from a Public Key Infrastructure (PKI).
SCEP uses a PKCS#10 certificate request encapsulated in a PKCS#7 message, enabling secure communication between the client (RA/EE) and the Registration Authority (RA) or Certificate Authority (CA). It supports automated certificate issuance and renewal, facilitating scalable certificate lifecycle management.
Prerequisite
Registration
Register your SCEP device in emCA before using the protocol.
The first step of the registration is to share the Device Manufacturer, Type, Model, Device ID and Description of the device with the emCA team.
Steps to be followed by the emCA team:
Once the emCA team receives the details of the SCEP device, the emCA Administrator should log in to the emCA portal as Admin/CA Admin and navigate to “Application Settings” -> “External Applications” as shown in the figure.

Click on “New”. The following screen will be displayed.

Select the Registration type as SCEP and enter the required details for registration.

Once the details are entered, click on “Proceed”.
The “Verify and Confirm” page will be displayed, where the Admin/CA Admin should verify the entered details and authenticate by entering the Username and Password.

Click on “Sign and Save”.
The external application will be successfully registered and a challenge password will be generated.

Click on the “copy icon” button to save the challenge password; it is required when the device enrolls.
Create Certificate Template
Create the appropriate certificate template in emCA by following the steps outlined in Section 6.3 – Manage Profiles of the emCA User Manual. Be sure to record important details such as the Certificate Profile ID and Group ID as these will be required during the certificate enrollment process.
Configure Properties
SCEP configuration must be defined in the database. The required values must be updated in the api_properties table to enable SCEP CA server functionality.
Property Key                 Description               Status
scep.ca.server.profile.id    SCEP Cert Profile ID      Active
scep.ca.server.group.id      Group ID                  Active
scep.next.ca.serial.no       Next CA Cert Serial No    Active
Use the following script to update the necessary values in the database, replacing the 'xxxx' placeholders with the Certificate Profile ID and serial number recorded earlier:
-- Certificate template profile ID
UPDATE api_properties
SET prop_value = 'xxxx', prop_status = 1
WHERE prop_key = 'scep.ca.server.profile.id';
-- SCEP CA server group information
UPDATE api_properties
SET prop_value = '1', prop_status = 1
WHERE prop_key = 'scep.ca.server.group.id';
-- Next SCEP CA serial number (used when issuing a new CA before the current one expires)
UPDATE api_properties
SET prop_value = 'xxxx', prop_status = 1
WHERE prop_key = 'scep.next.ca.serial.no';
Restart Tomcat Services
To apply the configuration changes, it is necessary to restart the Tomcat services. Please follow the steps below to restart Tomcat:
Stop the Tomcat services
Run the following command to stop the Tomcat service:
$CATALINA_HOME/bin/shutdown.sh
Start the Tomcat Service
Once the service is stopped, start it again using the following command:
$CATALINA_HOME/bin/startup.sh
SCEP Endpoint
URL: https://www.example.com/emCAServices/scep/pkiclient.exe
Supported Operations
GET /scep?operation=GetCACert
GET /scep?operation=GetCACaps
POST /scep?operation=PKIOperation
Authentication
The emCA SCEP server implements authentication mechanisms in accordance with RFC 8894 – Simple Certificate Enrolment Protocol (SCEP), which defines enhanced security requirements for SCEP.
Supported Authentication Methods:
Challenge password (initial enrollment):
Clients may include a challenge password (using the PKCS#9 challengePassword attribute) in the certificate signing request (CSR). This password serves as a shared secret between the client and server to authenticate initial enrollment. The emCA server validates the challenge password against a pre-configured value associated with the certificate template or device identity.
Signed request (renewal):
If the challenge password is not included, the request must be signed with a valid existing certificate (e.g., during certificate renewal). The signature is verified by the SCEP server to confirm that the request originates from an entity in possession of a previously issued and trusted private key. This signature-based method provides proof-of-possession and identity continuity for re-enrollment scenarios.
HTTP Response Status Codes
200 OK: Returned when a SCEP request is successfully processed and a response (e.g., PKCS#7 or CertRep) is returned.
400 Bad Request: Returned when a request has invalid parameters or unsupported operations.
401 Unauthorized: Returned when the client fails to provide correct authentication.
500 Internal Server Error: Returned on an unexpected error on the SCEP server.