Simple Certificate Enrollment Protocol
Simple Certificate Enrollment Protocol (SCEP) is described by the informational. Older versions of this protocol became a de facto industrial standard for pragmatic provisioning of digital certificates mostly for network equipment. The protocol has been designed to make the request and issuing of digital certificates as simple as possible for any standard network user. These processes have usually required intensive input from network administrators, and so have not been suited to large-scale deployments.
Popularity
The Simple Certificate Enrollment Protocol is still the most popular and widely available certificate enrollment protocol, being used by numerous manufacturers of network equipment and software who are developing simplified means of handling certificates for large-scale implementation to everyday users. It is used, for example, by the Cisco Internetworking Operating System (IOS), though Cisco promotes Enrollment over Secure Transport (EST), which has additional features, and by iPhones (iOS) to enroll in enterprise public key infrastructure (PKI). Most PKI software (specifically RA implementations) supports it, including the Network Device Enrollment Service (NDES) of Active Directory Certificate Service and Intune.
Criticism
History
SCEP was designed by Verisign for Cisco as a lean alternative to Certificate Management over CMS (CMC) and the very powerful but also rather bulky Certificate Management Protocol (CMP). It gained early support from Microsoft, which has included it in Windows continuously since Windows 2000. Around 2010, Cisco suspended work on SCEP and developed EST instead. In 2015, Peter Gutmann revived the Internet Draft because of SCEP's widespread use in industry and in other standards. He updated the draft with more modern algorithms and corrected numerous issues in the original specification. In September 2020, the draft was published as informational, more than twenty years after the beginning of the standardization effort. The new version also supports enrollment of non-RSA certificates (e.g., for ECC public keys).
This article is derived from Wikipedia and licensed under CC BY-SA 4.0.