SCEP Protocol

The Simple Certificate Enrollment Protocol (SCEP) is defined in RFC 8894 (https://datatracker.ietf.org/doc/html/rfc8894) and is designed to simplify the secure issuance and management of X.509 certificates in large-scale networked environments. SCEP provides a standard mechanism for network devices and applications—such as routers, switches, VPN gateways, printers, and mobile devices—to securely request and obtain digital certificates from a Public Key Infrastructure (PKI).

SCEP uses a PKCS#10 certificate request encapsulated in a PKCS#7 message, enabling secure communication between the client (RA/EE) and the Registration Authority (RA) or Certificate Authority (CA). It supports automated certificate issuance and renewal, facilitating scalable certificate lifecycle management.

Prerequisite

Registeration

  • Register your SCEP device in emCA before using protocol.

  • The first step of the registration is to share the Device Manufacturer, type, and Model, Device id and Description of the to the emCA team.

Steps to be followed by emCA Team.

Once emCA team receives the Details of SCEP Device, emCA Administrator should login to the emCA portal as Admin/CA Admin and navigate to “Application Settings‟ -> “External Applications‟ as shown in the figure.

Click on “New‟ The following screen will be displayed.

Please select Registration type as SCEP and Please required details for registration.

Once the details are entered, click on “Proceed‟.

The “Verify and Confirm‟ page will be displayed where the Admin/CA Admin should verify and entered details and authenticate by entering the Username and Password

Click on “Sign and Save‟.

The external application will be successfully registered and a challenge password will be generated.

Click on “copy icon‟ button to save the challenge password.

Create Certificate Template

Create the appropriate certificate template in emCA by following the steps outlined in Section 6.3 – Manage Profiles of the emCA User Manual. Be sure to record important details such as the Certificate Profile ID and Group ID as these will be required during the certificate enrollment process.

Configure Properties

SCEP configuration must be defined in the database. The required values must be updated in the api_properties table to enable SCEP CA server functionality.

scep.ca.server.profile.id

SCEP-Cert-Profile Id

Active

scep.ca.server.group.id

Group Id

Active

scep.next.ca.serial.no

Next CA Cert Serial No

Active

Please find the following script to update the necessary values in the database:

-- Certificate template profile ID
UPDATE api_properties 
SET prop_value = 'xxxx', prop_status = 1 
WHERE prop_key = 'scep.ca.server.profile.id';

-- SCEP CA server group information
UPDATE api_properties 
SET prop_value = '1', prop_status = 1 
WHERE prop_key = 'scep.ca.server.group.id';

-- Next SCEP CA serial number (used when issuing a new CA before the current one expires)
UPDATE api_properties 
SET prop_value = 'xxxx', prop_status = 1
WHERE prop_key = 'scep.next.ca.serial.no';

Restart Tomcat Services

To apply the configuration changes, it is necessary to restart the Tomcat services. Please follow the steps below to restart Tomcat:

Stop the Tomcat services

Run the following command to stop the Tomcat service:

$CATALINA_HOME/bin/shutdown.sh

Start the Tomcat Service

Once the service is stopped, start it again using the following command:

$CATALINA_HOME/bin/startup.sh

SCEP EndPoint

URL: https://www.example.com/emCAServices/scep/pkiclient.exe

Supported Operations

  • GET /scep?operation=GetCACert

  • GET /scep?operation=GetCACaps

  • POST /scep?operation=PKIOperation

Authentication

The emCA SCEP server implements authentication mechanisms in accordance with RFC 8894 – Simple Certificate Enrolment Protocol (SCEP), which defines enhanced security requirements for SCEP.

Supported Authentication Methods:

  • Clients may include a challenge password (using the PKCS#9 challengePassword attribute) in the certificate signing request (CSR).

  • This password serves as a shared secret between the client and server to authenticate initial enrollment.

  • The emCA server validates the challenge password against a pre-configured value associated with the certificate template or device identity.

  • If the challenge password is not included, the request must be signed with a valid existing certificate (e.g., during certificate renewal).

  • The signature is verified by the SCEP server to confirm that the request originates from an entity in possession of a previously issued and trusted private key.

  • This signature-based method provides proof-of-possession and identity continuity for re-enrollment scenarios.

HTTP Response Status Codes

200

OK

Used when a SCEP request is successfully processed and a response (e.g., PKCS#7 or CertRep) is returned.

400

Bad Request

Returned when a request has invalid parameters or unsupported operations.

401

Unauthorized

Returned when the client fails to provide correct authentication.

500

Internal Server Error

Unexpected error on the SCEP server

PreviousEST ProtocolNextCMP Protocol

Last updated