Distributing certificates to managed devices can be a monumental task with a lot of moving parts that need to be accounted for: PKI integration, establishing a gateway, configuration policies, certificate enrollment, device authentication, and much more.
Luckily, SCEP provides a solution to streamline the certificate enrollment process on managed devices, so an administrator can automatically enroll every managed device for a client certificate without requiring any end user interaction.
Table of Contents
- What is SCEP?
- Components of a SCEP Gateway
- SCEP Device Enrollment Process
- How to Configure SCEP
- How Does SCEP Work with Windows?
- SCEP Certificate Device Wi-Fi Authentication
- SCEP vs EST
- SCEP vs ACME
- SCEP vs CMP and CMC
- Enrolling Devices For Certificates With SCEP Gateway and SecureW2
What is SCEP?
Simple Certificate Enrollment Protocol, or SCEP, is a protocol that allows devices to easily enroll for a certificate by using a URL and a shared secret to communicate with a PKI. Mobile Device Management (MDM) software commonly uses SCEP for devices by pushing a payload containing the SCEP URL and shared secret to managed devices. This can save an administrator a lot of time and effort compared to the alternative of manually enrolling their managed devices for certificates.
Components of a SCEP Gateway
Here, we will go over the core components in the SCEP gateway.
SCEP Gateway API URL
Simple Certificate Enrollment Protocol instructs devices how to communicate with the PKI, through the use of a Gateway API URL. Customers using SecureW2 can easily generate a SCEP Gateway API URL with our software. Then, they can put this URL in their MDM so it can send a payload to devices they want to enroll themselves for client certificates.
SCEP Shared Secret
A Shared Secret is a case-sensitive password entrusted between the SCEP server and the Certificate Authority (CA). The CA uses this shared secret to verify that an enrollment request is coming from the right server before signing a certificate. With SecureW2’s solution, the device presents the shared secret to our Managed PKI and then the certificate enrollment happens on the device.
SCEP Certificate Request
Once the SCEP gateway is set up and the Shared Secret is shared between the SCEP server and CA, you can create and distribute a configuration profile that will allow managed devices to auto-enroll for certificates. The device will send a certificate enrollment back through the SCEP gateway to the CA. Once authenticated, a signed certificate will be deployed onto the device.
SCEP Signing Certificate
Most MDMs require you to upload a SCEP signing certificate, signed by the CA issuing certificates, that includes the entire certificate chain (signing certificate, Intermediate CA, Root CA). SecureW2 makes it easy to create a signing certificate in SecureW2, just select the CA issuing certificates and a PKCS12 file will be generated for you to upload into your MDM.
SCEP Device Enrollment Process
Enrolling for SCEP involves validating a CA and sending a Certificate Signing Request (CSR) from your MDM interface. Obtaining a copy of the CA certificate is vital for SCEP to properly relay the CSR and client enrollment in general. You can check the SCEP server to verify the certificate was signed by the CA.
The key is setting up a proper CA to fulfill the needs for the SCEP Gateway, which we have outlined below.
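The enrollment exchange described above, as an added example that is not part of the original post or SecureW2's software: the device generates a key pair and a CSR that carries the shared secret in the PKCS#9 challengePassword attribute (this is where SCEP places it), and the CA side checks that secret in constant time, verifies the CSR signature and issues a client-authentication certificate. The CA name, device name and secret values are constructed for the example; the PKCS#7 wrapping and the HTTP transport of real SCEP are left out so the logic runs offline with only the `cryptography` library.

```python
# Added example (not from the original post): a minimal model of the
# SCEP shared-secret check on the CA side and the CSR the device builds.
# Requires the third-party 'cryptography' package. Transport (PKCS#7
# envelope over HTTP) is omitted; only the enrollment logic is shown.
import datetime
import hmac

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import AttributeOID, ExtendedKeyUsageOID, NameOID


def _utcnow():
    # Naive UTC timestamp, which is what CertificateBuilder expects.
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def make_ca(common_name="Example SCEP Signing CA"):
    """Create a self-signed CA (constructed for the example)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = _utcnow()
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def build_device_csr(common_name, challenge_password):
    """Device side: new key pair plus a CSR carrying the SCEP shared secret."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        # SCEP carries the shared secret as the PKCS#9 challengePassword attribute.
        .add_attribute(AttributeOID.CHALLENGE_PASSWORD, challenge_password)
        .sign(key, hashes.SHA256())
    )
    return key, csr


def extract_challenge(csr):
    """Return the challengePassword bytes from a CSR, or None if absent."""
    try:
        attrs = getattr(csr, "attributes", None)
        if attrs is not None:  # cryptography >= 36
            return attrs.get_attribute_for_oid(AttributeOID.CHALLENGE_PASSWORD).value
        return csr.get_attribute_for_oid(AttributeOID.CHALLENGE_PASSWORD)  # older API
    except x509.AttributeNotFound:
        return None


def scep_issue(csr, ca_key, ca_cert, shared_secret, days=365):
    """CA side: reject unless the CSR is well-signed and carries the shared secret."""
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify against its public key")
    presented = extract_challenge(csr)
    # Constant-time comparison so timing does not leak how much of the secret matched.
    if presented is None or not hmac.compare_digest(presented, shared_secret):
        raise ValueError("challengePassword missing or does not match the shared secret")
    now = _utcnow()
    return (
        x509.CertificateBuilder()
        .subject_name(csr.subject)
        .issuer_name(ca_cert.subject)
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        # Client-auth EKU is what an EAP-TLS (Wi-Fi/VPN) certificate needs.
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    secret = b"constructed-example-secret"      # the SCEP shared secret pushed by the MDM
    _, csr = build_device_csr("device-001", secret)
    cert = scep_issue(csr, ca_key, ca_cert, secret)
    print("issued:", cert.subject.rfc4514_string(), "by", cert.issuer.rfc4514_string())
```

Because the secret is compared on the CA side only, the gateway is the place to log and alert on rejected requests; a burst of challengePassword mismatches from one source is the signal that the MDM payload secret has been mishandled or rotated.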
How to Configure SCEP
SCEP is designed to automate the certificate enrollment process and make it easier for organizations with MDMs. Below is a quick overview of configuring SCEP for MDM networks running on certificates using SecureW2’s JoinNow Suite, a cloud-based solution for managed devices.
Building the SCEP Gateway
The SecureW2 Management Portal has the necessary components to deploy a SCEP Gateway with any major MDM. In less than 30 minutes, you can create the following:
- Create a Custom Private Intermediate CA in the SecureW2 Management Portal.
- Create a Signing CA, signed by the Intermediate CA.
- Generate the SCEP Gateway API URL and Shared Secret.
- Optional: Configure Custom Certificate Templates and Enrollment Policies.
Configuring SCEP in Your MDM
Now that we have all the components, it’s time to piece everything together to create the SCEP Gateway. Typically, MDMs have a dedicated SCEP configuration section. Jamf is one of our favorite Technology Partners; it has excellent SCEP support and is widely used across the industry. Below is an example image of where you can configure SCEP settings in Jamf. To learn more about how our SCEP Gateway integrates with Jamf, click here.
The following is a high-level overview of the steps required to integrate a SCEP Gateway with an MDM so that devices auto-enroll themselves for certificates:
- Add the SCEP Gateway API URL
- Add the SCEP Shared Secret
- Upload the SCEP Signing Certificate
- Configure SCEP Payload that is sent to devices
- Specify which devices receive the Payload
- Optional: Configure Payloads for certificate application settings like Wi-Fi, VPN, Application Access, etc.
To learn more about how our SCEP Gateway integrates with MDMs, check out our Managed Device Solutions Page.
How Does SCEP Work with Windows?
Microsoft WSTEP Protocol
Developed by Microsoft, the WS-Trust X.509v3 Token Enrollment Extensions Protocol (WSTEP) has the same basic premise as SCEP: creating a secure connection between the MDM and devices for sending data. While SCEP works for most MDMs, it does not work for Microsoft GPO. This is where WSTEP comes into play, as it’s the standard for auto-enrolling Active Directory managed devices with certificates. SecureW2 offers an easy-to-configure WSTEP Gateway API that many organizations use today for their AD domain-joined devices.
Integrating SCEP and Microsoft Intune
While Microsoft GPO may not natively support SCEP, Microsoft Intune can be configured to distribute certificates with SCEP. Through the gateway, devices can receive configuration profiles so they can request to enroll themselves for certificates.
Configuring Intune to work with SCEP is quite similar to how most MDMs use our SCEP Gateway API. Click here to see our integration guide for enrolling SCEP certificates on Intune with SCEP.
SCEP Certificate Device Wi-Fi Authentication
For many organizations with MDMs, making sure each device is authenticated takes a lot of time and resources. SCEP automates the certificate enrollment process, so authenticating is streamlined. EAP-TLS is the standard authentication method for devices enrolled for SCEP certificates, because it’s the industry standard for certificate-based Wi-Fi authentication.
EAP-TLS Authentication Benefits
EAP-TLS is considered one of the best methods of authentication because it eliminates the need for credentials and doesn’t require any end user interaction. The device auto-detects the secure server through the SCEP gateway and can begin enrolling for a certificate immediately.
SCEP vs EST
Enrollment over Secure Transport (EST) is considered an evolution of SCEP because EST requires TLS client-side device authentication. SCEP instead uses the shared secret (the challenge password carried in the request) and a CSR to start enrolling certificates. Both EST and SCEP are great methods for automated certificate enrollment on managed devices, but the difference lies in whether TLS is used for authentication.
One thing to note is that EST has seen a lot of market penetration with IoT devices. SecureW2 works with IoT manufacturers that don’t support EST or SCEP natively, so that these protocols can be enabled in their software stack or delivered as a custom protocol option. Devices can then either come pre-loaded with certificates to customers, or customers can use SecureW2’s managed PKI to generate their own and enroll all their devices (IoT, BYOD, or Managed) for certificates.
SCEP vs ACME
Automated Certificate Management Environment (ACME) is very similar to SCEP in regards to certificate management. ACME installs a certificate management tool, which generates a key pair that can validate the CA and organization. Once validated, the management tool will be able to request certificates by generating and signing CSRs that will be sent to the CA. With the ACME protocol, organizations are able to have their managed devices automatically request certificates from the CA.
Like EST, ACME is relatively new, and the number of deployment requests we have received for ACME is nowhere near the number of SCEP requests. The fact of the matter is that the SCEP protocol is more widely recognized and used.
SCEP vs CMP and CMC
Certificate Management Protocol (CMP) and Certificate Management over CMS (CMC) are both similar to SCEP structurally, but handle different aspects of digital certificates. SCEP and EST mainly cover the enrollment and issuance of certificates, while CMP and CMC mainly cover certificate management, including revocation, status, and request.
SecureW2’s JoinNow solutions employ the SCEP gateway to distribute certificates, and the Management Portal allows you to manage issued certificates accordingly. The whole certificate process can be managed easily from anywhere.
Enrolling Devices For Certificates with SCEP Gateway and SecureW2
Using certificates for your network is a vital move for many organizations, and certificates lift a huge burden off IT in MDM environments. Certificates will need to be distributed onto every managed device for certificate-based authentication to work, but it can be done really quickly and easily with our SCEP Gateway API. Configuring the SCEP Gateway to allow managed devices to request certificates can seem like a daunting and expensive task, but SecureW2 offers an affordable and easy solution. Click here to see how much you can improve your Security ROI with SecureW2.
The post Simple Certificate Enrollment Protocol (SCEP): Explained appeared first on SecureW2.
This is a Security Bloggers Network syndicated blog from SecureW2 authored by Samuel Metzler. Read the original post at: https://www.securew2.com/blog/simple-certificate-enrollment-protocol-scep-explained/