Simple Certificate Enrolment Protocol (SCEP)

The next generation of Certificate Automation

Simple Certificate Enrolment Protocol (SCEP) is an open-source protocol that allows devices to easily enrol certificates from a PKI using a securely encrypted URL. It is widely used to make digital certificate issuance at large organisations easier, more secure, and scalable.

Cogito Group’s implementation of SCEP, delivered through Jellyfish, is fully compliant with RFC 8894 and with the Cryptographic Message Syntax (CMS) usage it defines.

Use Cases for SCEP

There are several key use cases for an organisation to adopt the SCEP protocol, including:

  • Wi-Fi Authentication
  • VPN Authentication
  • Client/Server authentication
  • Secure Email
  • Access to Managed Company Resources

Primary Method of Automatic Enrolment

SCEP is the primary method of automatic enrolment for devices deployed through:

  • Microsoft Intune
  • Autopilot
  • Company Portal software

SCEP is also favoured among:

  • Linux
  • Mobile
  • ‘Internet of Things’ devices such as office phones and printers.

How does it work?

The process involves a three-step ‘handshake’ in which the device:
1. Determines the capabilities of the SCEP server.
2. Verifies the authenticity of the server’s SCEP certificate.
3. Submits a CSR to the CA for issuance.

The Three Step SCEP Handshake
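The client-side checks behind steps 1 and 2, as an added example that is not Jellyfish code or part of the original page: it parses a GetCACaps response (RFC 8894 capability keywords), refuses servers that do not offer SHA-256/SHA-512 and AES rather than falling back to the protocol's legacy MD5/DES defaults, and pins the GetCACert result to a fingerprint obtained out of band. The capability strings and certificate bytes are constructed samples.

```python
import hashlib
import hmac

# Capabilities a SCEP server may advertise in a GetCACaps response (RFC 8894, section 3.5.2).
# "SCEPStandard" implies these three, so a compliant server may list only that keyword.
IMPLIED_BY_SCEPSTANDARD = {"AES", "POSTPKIOperation", "SHA-256"}


def parse_ca_caps(body: str) -> set:
    """Step 1: parse the plain-text GetCACaps body, one capability keyword per line."""
    caps = {line.strip() for line in body.splitlines() if line.strip()}
    if "SCEPStandard" in caps:
        caps |= IMPLIED_BY_SCEPSTANDARD
    return caps


def select_algorithms(caps: set) -> tuple:
    """Choose the strongest hash and cipher the server offers for the PKIOperation CMS message.

    Refuses if the server only offers SHA-1/DES3 (or nothing): the protocol's legacy
    fallback is MD5 and single DES, which a device should never negotiate down to.
    """
    hash_alg = next((h for h in ("SHA-512", "SHA-256") if h in caps), None)
    cipher = "AES" if "AES" in caps else None
    if hash_alg is None or cipher is None:
        raise ValueError("SCEP server does not advertise SHA-256/SHA-512 and AES; refusing to enrol")
    return hash_alg, cipher


def verify_ca_fingerprint(ca_cert_der: bytes, expected_sha256: str) -> bool:
    """Step 2: compare the CA certificate returned by GetCACert with a fingerprint delivered
    out of band (e.g. in the MDM profile), so a spoofed endpoint cannot hand over a rogue CA."""
    actual = hashlib.sha256(ca_cert_der).hexdigest()
    expected = expected_sha256.lower().replace(":", "").replace(" ", "")
    return hmac.compare_digest(actual, expected)


# Constructed sample responses (not captured from a real server).
GOOD_CAPS = "POSTPKIOperation\nRenewal\nSHA-256\nAES\n"
LEGACY_CAPS = "SHA-1\nDES3\n"
# Constructed stand-in for DER certificate bytes; a real GetCACert reply carries the
# actual CA certificate, which the device hashes in exactly the same way.
FAKE_CA_DER = b"\x30\x82\x01\x00constructed-ca-certificate-bytes"
TRUSTED_FINGERPRINT = hashlib.sha256(FAKE_CA_DER).hexdigest()

if __name__ == "__main__":
    print(select_algorithms(parse_ca_caps(GOOD_CAPS)))              # ('SHA-256', 'AES')
    print(verify_ca_fingerprint(FAKE_CA_DER, TRUSTED_FINGERPRINT))  # True
    try:
        select_algorithms(parse_ca_caps(LEGACY_CAPS))
    except ValueError as err:
        print("rejected:", err)
```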

What about Intune and NDES?

Microsoft Intune also offers the ability to use the NDES protocol instead of SCEP, but this method is becoming less popular because of a number of limitations with that connection method. Cogito previously provided an NDES-based service, but it has been retired in favour of the SCEP service.

Cogito is a Microsoft third-party certification authority partner. You can learn more about adding the Cogito Group certification authority in Intune by going to the following page: Use third-party certification authorities (CA) with SCEP in Microsoft Intune | Microsoft Learn
