Simple Certificate Enrollment Protocol (SCEP) Explained
Simple Certificate Enrollment Protocol, or SCEP, is a protocol that allows devices to easily enroll for a certificate by using a URL and a shared secret to communicate with a PKI. Mobile Device Management (MDM) software commonly uses SCEP by pushing a payload containing the SCEP URL and shared secret to managed devices. This can save an administrator considerable time and effort compared to the alternative of manually enrolling their managed devices for certificates.
Aspects of a SCEP Gateway
Here, we will go over the core components of a SCEP gateway.
SCEP Gateway API URL
Simple Certificate Enrollment Protocol tells devices how to communicate with the PKI through the use of a Gateway API URL. Customers using SecureW2 can generate a SCEP Gateway API URL with the software. They can then place this URL in their MDM so it can deliver a payload to the devices they wish to enroll for client certificates.
SCEP Shared Secret
A Shared Secret is a case-sensitive password shared between the SCEP server and the Certificate Authority (CA). This shared key verifies to the CA that an enrollment request comes from the right server before a certificate is signed. With SecureW2's solution, the device presents the shared secret to the Managed PKI and the certificate enrollment then happens on the device.
SCEP Certificate Request
Once the SCEP gateway is set up and the Shared Secret is shared between the SCEP server and the CA, you can create and distribute a configuration profile that enables managed devices to auto-enroll for certificates. The device sends a certificate enrollment request through the SCEP gateway to the CA. Once the request is authenticated, a signed certificate is deployed onto the device.
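As an added example (not SecureW2's or Apple's code), here is how such a configuration profile can be assembled in Python with the standard library's plistlib, in the payload format Apple MDMs use for SCEP (PayloadType com.apple.security.scep). The gateway URL, challenge value, identifiers and subject are constructed placeholders, not real values. The last function makes the security point explicit: the shared secret sits in the profile in plain text, so the profile itself must only travel over the MDM's authenticated channel and must not be stored or shared like an ordinary config file.

```python
import plistlib
import uuid

# Constructed sample values for the example; not a real gateway URL or secret.
SAMPLE_URL = "https://scep.example.test/scep"            # assumed gateway API URL
SAMPLE_CHALLENGE = "constructed-shared-secret-value"     # assumed shared secret
SAMPLE_SUBJECT = [[["CN", "Managed Device"]], [["O", "Example Corp"]]]


def build_scep_payload(url, challenge, subject, key_size=2048, ca_fingerprint=None):
    """Build one com.apple.security.scep payload dictionary.

    The inner "PayloadContent" keys (URL, Challenge, Subject, Key Type,
    Keysize, Key Usage, Retries, RetryDelay, CAFingerprint) are the ones
    Apple's profile format defines for SCEP enrollment.
    """
    content = {
        "URL": url,                 # the SCEP gateway the device will contact
        "Challenge": challenge,     # shared secret sent as the CSR challenge password
        "Subject": subject,         # array of RDN arrays, e.g. [[["CN", "name"]]]
        "Key Type": "RSA",
        "Keysize": key_size,
        "Key Usage": 5,             # 1 = signing, 4 = encryption, 5 = both
        "Retries": 3,
        "RetryDelay": 10,
    }
    if ca_fingerprint is not None:
        # Lets the device pin the CA certificate it fetches from the gateway.
        content["CAFingerprint"] = ca_fingerprint
    return {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.scep.enroll",   # constructed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "SCEP enrollment",
        "PayloadContent": content,
    }


def build_profile(payloads):
    """Wrap payloads in a top-level configuration profile; return XML plist bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.scep",   # constructed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Device certificate enrollment",
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)   # default format is XML plist


def scep_settings(profile_bytes):
    """Parse a profile back; return (url, challenge, key size) of its first SCEP payload."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile["PayloadContent"]:
        if payload.get("PayloadType") == "com.apple.security.scep":
            content = payload["PayloadContent"]
            return content["URL"], content["Challenge"], content["Keysize"]
    raise ValueError("no SCEP payload in profile")


def challenge_is_in_clear(profile_bytes, challenge):
    """True if the shared secret appears verbatim in the serialised profile.

    It always does for an XML plist, which is why the profile must be treated
    as secret material and delivered only through the MDM's protected channel.
    """
    return challenge.encode() in profile_bytes


if __name__ == "__main__":
    profile = build_profile([build_scep_payload(SAMPLE_URL, SAMPLE_CHALLENGE, SAMPLE_SUBJECT)])
    print(profile.decode())
    print("settings:", scep_settings(profile))
    print("secret in clear:", challenge_is_in_clear(profile, SAMPLE_CHALLENGE))
```

The profile printed by the block is what an MDM would push to a device; the device then generates its key pair locally and sends a CSR carrying the Challenge value to the URL.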
SCEP Signing Certificate
Many MDMs require you to upload a SCEP signing certificate, signed by the CA that issues the certificates, which includes the entire certificate chain (signing certificate, Intermediate CA, Root CA). SecureW2 makes it easy to create a signing certificate: simply select the issuing CA certificates and a PKCS12 file is generated for you to upload into your MDM.
SCEP Device Enrollment Process
Enrolling with SCEP involves validating a CA and delivering a certificate signing request (CSR) from your MDM user interface. Obtaining a copy of the CA certificate is a must for SCEP to correctly relay the CSR and for client enrollment in general. You can check the SCEP server to confirm the certificate was signed by the CA.
The key is setting up a proper CA that meets the requirements of the SCEP Gateway, which we have outlined below.
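The two checks in the enrollment process above, as an added example that is not part of the original page or SecureW2's product: on the device side, the CA certificate fetched from the gateway is accepted only if it matches a fingerprint pinned in the profile (this example uses SHA-256; the fingerprint format a given MDM expects is not specified here), and on the gateway side, a hypothetical gateway authorizes a CSR by its challenge password before forwarding it to the CA. The gateway goes beyond the static shared secret described on the page by also supporting one-time, per-device challenges with an expiry, which limits the exposure if a single challenge value leaks. The CA certificate bytes, device ids and secrets are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the DER certificate a real GetCACert response returns.
SAMPLE_CA_CERT = b"-- constructed CA certificate bytes, not a real certificate --"
SAMPLE_SHARED_SECRET = "constructed-shared-secret-value"   # assumed static shared secret


def ca_fingerprint(cert_der):
    """Hex SHA-256 fingerprint of a CA certificate (assumption: SHA-256 for this example)."""
    return hashlib.sha256(cert_der).hexdigest()


def device_accepts_ca(fetched_cert_der, pinned_fingerprint):
    """Device side: trust the fetched CA certificate only if it matches the pinned
    fingerprint delivered in the profile. A mismatch must abort enrollment, because
    the CSR and the returned certificate would otherwise be trusted against an
    unverified CA."""
    return hmac.compare_digest(ca_fingerprint(fetched_cert_der), pinned_fingerprint)


class EnrollmentGateway:
    """Hypothetical SCEP gateway front end that checks a CSR's challenge password
    before the request is relayed to the CA for signing."""

    def __init__(self, shared_secret, challenge_ttl=600):
        self._shared_secret = shared_secret.encode()
        self._ttl = challenge_ttl                 # seconds a one-time challenge stays valid
        self._one_time = {}                       # challenge -> (device_id, expires_at)
        self.decisions = []                       # audit trail of (device_id, subject, result)

    def issue_one_time_challenge(self, device_id, now=None):
        """Mint a per-device, single-use challenge with a random 256-bit value."""
        now = time.time() if now is None else now
        challenge = secrets.token_urlsafe(32)
        self._one_time[challenge] = (device_id, now + self._ttl)
        return challenge

    def _challenge_valid(self, device_id, challenge, now):
        # Constant-time comparison against the static shared secret.
        if hmac.compare_digest(challenge.encode(), self._shared_secret):
            return True
        # One-time challenges are consumed on first presentation, valid or not.
        entry = self._one_time.pop(challenge, None)
        if entry is None:
            return False
        owner, expires_at = entry
        return owner == device_id and now <= expires_at

    def enroll(self, device_id, subject, challenge, now=None):
        """Return 'issued' when the CSR may be forwarded to the CA, else a rejection reason."""
        now = time.time() if now is None else now
        if not self._challenge_valid(device_id, challenge, now):
            result = "rejected: bad or expired challenge"
        else:
            result = "issued"
        self.decisions.append((device_id, subject, result))
        return result


if __name__ == "__main__":
    pinned = ca_fingerprint(SAMPLE_CA_CERT)
    print("device trusts fetched CA:", device_accepts_ca(SAMPLE_CA_CERT, pinned))
    gw = EnrollmentGateway(SAMPLE_SHARED_SECRET)
    print(gw.enroll("device-1", "CN=device-1", "wrong-secret", now=1000.0))
    print(gw.enroll("device-1", "CN=device-1", SAMPLE_SHARED_SECRET, now=1000.0))
    otc = gw.issue_one_time_challenge("device-2", now=1000.0)
    print(gw.enroll("device-2", "CN=device-2", otc, now=1005.0))
    print(gw.enroll("device-2", "CN=device-2", otc, now=1006.0))   # replay is refused
```

The audit trail in `decisions` is what a detection engineer would forward to a SIEM: repeated rejections from one device id, or issuance for a subject that does not match the device's inventory record, are the signals worth alerting on.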
How to Configure SCEP
SCEP is designed to automate the certificate enrollment process and make it easier for organizations with MDMs. Below is a quick breakdown of configuring SCEP for MDM networks running on certificates using SecureW2's JoinNow Suite, a cloud-based solution for managed devices.
Building the SCEP Gateway
The SecureW2 Management Portal has the components necessary to deploy a SCEP Gateway with any major MDM. In less than 30 minutes, you can create the following:
1. Create a Custom Private Intermediate CA in the SecureW2 Management Portal.
2. Create a signing CA signed by the Intermediate CA.
3. Generate the SCEP Gateway API URL and Shared Secret.
4. (Optional) Configure Custom Certificate Templates and Enrollment Policies.
Configuring SCEP in Your MDM
Now that we have all of the components, it is time to piece everything together to create the SCEP Gateway. MDMs typically have a dedicated SCEP setup section. Jamf is one of our most popular Technology Partners, and they have excellent SCEP support that is widely used across the industry. Below is an example image of where you can configure SCEP settings in Jamf. To learn more about how our SCEP Gateway integrates with Jamf, follow this link.
To find out more about how our SCEP Gateway integrates with MDMs, have a look at our Managed Device Solutions page.
How Does SCEP Work with Windows?
Microsoft WSTEP Protocol
Developed by Microsoft, the WS-Trust X.509v3 Token Enrollment Extensions Protocol (WSTEP) has the same basic premise as SCEP: establishing a secure connection between the MDM and devices for distributing information. While SCEP works for most MDMs, it doesn't work for Microsoft GPO. This is where WSTEP comes in, because it's the standard for auto-enrolling Active Directory managed devices with certificates. SecureW2 offers an easy-to-configure WSTEP Gateway API that many businesses use today for their AD domain-joined devices.
Integrating SCEP and Microsoft Intune
While Microsoft GPO may not support SCEP natively, Microsoft Intune can be configured to distribute certificates with SCEP. Through the gateway, devices receive configuration profiles that allow them to request enrollment for certificates.
Configuring Intune to work with SCEP is very similar to how most MDMs use our SCEP Gateway API. Follow this link to see our integration guide for enrolling SCEP certificates on Intune.