ActiveSocket Network Communication Toolkit - SNMP Get/GetNext/Set and SNMP Traps using Visual Basic .NET, Visual Studio .NET, ASP, ASP.NET, PHP, Delphi, ColdFusion and more
SCEP (Simple Certificate Enrolment Protocol) - an explanation
SCEP was developed by the IPSec community to overcome the problem of enrolling certificates for routers and other network devices. SCEP is widely supported on both the client and the server side. SCEP uses PKCS #10 as the certification request format and PKCS #7 as the digital envelope syntax. HTTP is used as the transport protocol.
A prerequisite for SCEP enrolment is that the end entity must have the appropriate CA certificate. This certificate needs to be verified using some offline method (fingerprint check) in order to prevent man-in-the-middle attacks, in which a third party impersonates the CA. The initial end-entity authentication in SCEP is done either manually or by using shared secrets.
When using a shared secret scheme, the CA administrator generates a one-time password for the entity and distributes the password to the entity in a secure way. When the entity generates the certification request, it includes the password in the request.
After approving the request, the CA issues the certificate, packs it into a PKCS #7 cryptographic packet and sends it to the end user (and possibly publishes the certificate to a directory).
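The offline fingerprint check on the CA certificate described above can be scripted on the enrolling side. The following is an added example, not code from ActiveSocket or from the SCEP specification: the function names, the refusal of MD5/SHA-1 fingerprints by default and the sample bytes (a constructed stand-in, not a real certificate) are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import re

# Hex-digit count of a fingerprint -> the hash algorithm that produced it.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes inside a single PEM CERTIFICATE block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def normalize_fingerprint(text: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or 'abcd..' and return lowercase hex."""
    hexdigits = re.sub(r"[\s:.-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]+", hexdigits):
        raise ValueError("fingerprint contains non-hex characters")
    return hexdigits


def verify_ca_fingerprint(der: bytes, expected: str, allow_weak: bool = False) -> bool:
    """True only if the certificate hashes to the out-of-band fingerprint."""
    want = normalize_fingerprint(expected)
    algo = ALGO_BY_HEX_LEN.get(len(want))
    if algo is None:
        raise ValueError("fingerprint length matches no supported hash")
    if algo != "sha256" and not allow_weak:
        # Policy of this example: weak hashes need an explicit opt-in.
        raise ValueError(f"{algo} fingerprint refused; ask the CA admin for SHA-256")
    got = hashlib.new(algo, der).hexdigest()
    return hmac.compare_digest(got, want)


# Constructed stand-in bytes, NOT a real certificate: only the hash matters here.
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"constructed-ca-certificate-body" * 8
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)
# What the CA administrator would hand over offline (paper, phone, signed mail).
OOB_FINGERPRINT = ":".join(f"{b:02X}" for b in hashlib.sha256(SAMPLE_DER).digest())
```

Enrolment should proceed only when `verify_ca_fingerprint` returns True; a mismatch means the CA certificate received over HTTP is not the one the administrator vouched for.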