Simple Certificate Enrolment Protocol
(SCEP)
The next generation of Certificate Automation
Simple Certificate Enrolment Protocol (SCEP) is an open-source protocol that allows devices to enrol for certificates from a PKI over a secure, encrypted URL. It is widely used to make digital certificate issuance at large organisations easier, more secure and scalable.
Cogito Group’s implementation of SCEP, delivered through Jellyfish, is fully compliant with RFC 8894 and with the Cryptographic Message Syntax (CMS) it uses.
Use Cases for SCEP
There are several key use cases for the SCEP protocol within an organisation. These include:
- Wi-Fi Authentication
- VPN Authentication
- Client/Server authentication
- Secure Email
- Access to Managed Company Resources
Products that primarily use SCEP for Automatic Enrolment
SCEP is the primary method of automatic enrolment for devices deployed through:
- Microsoft Intune
- Autopilot
- Company Portal software
SCEP is also favoured among:
- Linux
- Mobile
- ‘Internet of Things’ devices such as office phones and printers.
SCEP Intune Verification Process
How does it work?
The process involves a three-step ‘handshake’ in which the device:
1. Determines the capabilities of the SCEP server.
2. Verifies the authenticity of the server's SCEP certificate.
3. Submits a CSR for issuance to the CA.
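The first two handshake steps, shown as an added, illustrative client-side check (this is example code, not Cogito's or Jellyfish's implementation): parse the server's GetCACaps reply, pick the strongest algorithms it advertises, and compare the GetCACert response against a fingerprint obtained out of band. The capability names follow RFC 8894; the sample responses and the trusted fingerprint are constructed, and the example assumes GetCACert returns a single DER certificate.

```python
import hashlib
import hmac

# "SCEPStandard" in a GetCACaps reply is shorthand for these three capabilities (RFC 8894).
IMPLIED_BY_STANDARD = {"AES", "SHA-256", "POSTPKIOperation"}


def parse_ca_caps(body: bytes) -> set:
    """Step 1: parse the plain-text GetCACaps body (servers may use CRLF or LF)."""
    caps = {line.strip() for line in body.decode("ascii", "replace").splitlines()}
    caps.discard("")
    if "SCEPStandard" in caps:
        caps |= IMPLIED_BY_STANDARD
    return caps


def negotiate(caps: set) -> dict:
    """Pick the strongest hash and cipher the server supports; flag weak fallbacks."""
    if "SHA-512" in caps:
        digest = "SHA-512"
    elif "SHA-256" in caps:
        digest = "SHA-256"
    else:
        digest = "SHA-1"      # weakest option this example accepts; reported as legacy
    if "AES" in caps:
        cipher = "AES"
    elif "DES3" in caps:
        cipher = "DES3"
    else:
        cipher = "DES"        # legacy fallback when neither AES nor DES3 is advertised
    return {
        "digest": digest,
        "cipher": cipher,
        "post_pkioperation": "POSTPKIOperation" in caps,
        "legacy": digest == "SHA-1" or cipher == "DES",
    }


def verify_ca_cert(der: bytes, expected_sha256_hex: str) -> bool:
    """Step 2: check the GetCACert response against a fingerprint published out of band."""
    actual = hashlib.sha256(der).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.replace(":", "").lower())


# Constructed sample inputs (not captured from a real SCEP server).
SAMPLE_CAPS = b"AES\r\nPOSTPKIOperation\r\nSHA-256\r\nSHA-512\r\nRenewal\r\n"
SAMPLE_CA_DER = b"\x30\x82\x01\x00" + b"constructed-placeholder-der-bytes"
TRUSTED_FP = hashlib.sha256(SAMPLE_CA_DER).hexdigest()   # value an administrator would publish

if __name__ == "__main__":
    print(negotiate(parse_ca_caps(SAMPLE_CAPS)))
    print("CA cert trusted:", verify_ca_cert(SAMPLE_CA_DER, TRUSTED_FP))
```

Only after step 2 succeeds should a client encrypt its CSR to the CA in step 3; a fingerprint mismatch means the enrolment should stop there.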
What about Intune and NDES?
Microsoft Intune also offers the ability to use NDES (Network Device Enrollment Service) instead of SCEP, but this method is becoming less popular due to a number of limitations with this connection method. Cogito used to provide an NDES-based service, but this has been retired in favour of the SCEP service.
Cogito is a Microsoft third-party certification authority partner. You can learn more about adding the Cogito Group certification authority in Intune by going to the following page: Use third-party certification authorities (CA) with SCEP in Microsoft Intune | Microsoft Learn