Security Encyclopedia

Simple Certificate Enrollment Protocol (SCEP)

Simple Certificate Enrollment Protocol (SCEP) is an open source protocol that is widely used to make digital certificate issuance at large organizations easier, more secure, and scalable.

Using this protocol, SCEP servers issue a one-time password (OTP) to the user transmitted out-of-band (OOB). The user generates a key pair, and sends the OTP and certificate signing request to the SCEP server, which validates it, signs it, and makes the signed certificate available to the user. The user then contacts the SCEP server for the certificate and as it is available, the user can fetch it and install it as needed.

Prior to SCEP and similar protocols such as Certificate Management Protocol and Certificate Management over CMS, digital certificate issuance was labor-intensive. Microsoft and Cisco are two vendors whose products support SCEP, lending to the protocol’s ubiquity at the large-enterprise level.

SCEP was dormant around 2010, having been abandoned by its developers, until it experienced a revival around 2015. It is currently a draft, accessible to all, as part of the work done by the Internet Engineering Task Force (IETF), an open-source community.

Example:

“As we grew our organization, and to aid onboarding, we introduced SCEP-based certificate issuance so our admins wouldn’t need to manually issue certificates or actively oversee this. It was a meaningful part of the admin task automation that was necessary once our internal population became challenging to manage manually.”