Configure and use SCEP
To perform this action, you must have a user role that contains the Solution administrator permission.
The Simple Certificate Enrollment Protocol (SCEP) facilitates automated certificate issuance and management for IoT devices. SCEP is commonly used in MDM systems, mobile phones, and networking equipment. SCEP is defined in RFC 8894.
SCEP in Device Trust Manager adheres to the specifications outlined in RFC 8894. Although the final RFC was published in the year 2020, the implementation continues to support functionalities as defined in version 23 of the original draft, which is widely used in the industry.
Device Trust Manager supports the following SCEP specifications:
All mandatory operations specified in section 2.9 Mandatory-to-Implement Functionality.
Encryption of SCEP messages using RSA recipient public keys, as outlined in section 3.1 SCEP Message Object Processing.
Note
Device Trust Manager does not support the use of ECDSA keys for SCEP operations.
Before you begin
Ensure you've reviewed the following concepts:
Before configuring SCEP in Device Trust Manager, contact your DigiCert account representative to set up your account.
To successfully use SCEP enrollment in Device Trust Manager, a DigiCert® system administrator must first ensure the proper configuration of your Certificate Authority (CA) infrastructure. This involves setting up both Root and Intermediate CAs in 1.702.0 with specific settings to support SCEP operations.
In CA Manager, a DigiCert® system administrator must configure:
Both the Root CA and the Intermediate CA to use the RSA key type.
The Intermediate CA with the option enabled.
Note
If you are missing any of the above, contact your DigiCert account representative.
Configure SCEP in Device Trust Manager
Create an Authentication Policy, then add authentication credentials to it. See Create an authentication policy.
In the Device Trust Manager menu, go to Certificate management > Certificate management policies.
Open the General settings of the certificate management policy wizard.
Enter a Name for the certificate management policy.
Choose a Division to assign the policy to.
Select the required Certificate management model.
From the Certificate management methods, choose SCEP (Simple Certificate Enrollment Protocol).
Select an Authentication policy if required for EST, SCEP, CMPv2, or ACME methods.
Click Next to proceed to the certificate settings.
Select an End entity certificate profile (defines the certificate structure, including subject fields, extensions, and validity period) or an intermediate certificate profile (signs the certificates issued under this policy).
Select an Issuing CA from the available options. This is the Certificate Authority that will sign the certificates issued under this policy.
Set the Keypair generation preferences.
You can set whether you want the private key to be generated on the device or generated server-side and passed on to the device in the response to the SCEP certificate request.
Click Next to proceed to Usage Restrictions.
Allowed IP addresses: Toggle to add and enter each IP address, IP address range, or wildcard IP addresses. Specify the IP addresses or ranges that are permitted to request certificates. This can include single IPs, ranges, or wildcard IPs.
Operational hours: Toggle to set the operational hours by choosing a Time zone and defining the Hours during which certificate requests are allowed.
Operational dates: Toggle to set a start date (Valid from) and an end date (Valid to) for when the certificate management policy can be used.
Click Finish to complete the certificate management policy.
Obtain the SCEP endpoint
Next, obtain the SCEP endpoint so that you can use it with a SCEP client.
In the Device Trust Manager menu, go to Certificate management > Certificate management policies.
Select the SCEP certificate management policy you have created.
On the Certificate management policy details page, navigate to the SCEP section.
Under the SCEP section, copy the Enroll/reenroll endpoint URL.
Use SCEP
Now that you have the SCEP endpoint and authentication method (enrollment passcode or authentication certificate), you can use them to perform SCEP enrollment.
Both TrustCore SDK and TrustEdge include a SCEP client that works with DigiCert® Device Trust Manager.
Give the TrustEdge SCEP client example a try.
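Before a client sends its first PKCS#7-wrapped request to the endpoint copied above, it is worth confirming which algorithms the server advertises. The following added example (not part of TrustCore SDK, TrustEdge, or this page) builds the RFC 8894 GetCACaps and GetCACert query URLs from a placeholder Enroll/reenroll endpoint and parses a constructed GetCACaps reply offline, flagging servers that only offer SHA-1 or triple-DES.

```python
"""Pre-flight check of a SCEP server's advertised capabilities (RFC 8894 section 3.5.2)."""
from typing import Optional
from urllib.parse import urlencode, urlsplit, urlunsplit

# Placeholder only: substitute the Enroll/reenroll endpoint URL copied from your policy.
ENROLL_ENDPOINT = "https://scep.example.invalid/POLICY-ID/pkiclient.exe"

# Constructed GetCACaps reply, as a text/plain body with one keyword per line.
SAMPLE_CACAPS_REPLY = "AES\r\nSHA-256\r\nSHA-1\r\nPOSTPKIOperation\r\nRenewal\r\nSCEPStandard\r\n"

# Keywords defined in RFC 8894 section 3.5.2 (upper-cased for comparison).
KNOWN_CAPS = {"AES", "DES3", "GETNEXTCACERT", "POSTPKIOPERATION",
              "RENEWAL", "SHA-1", "SHA-256", "SHA-512", "SCEPSTANDARD"}


def build_query_url(endpoint: str, operation: str, message: Optional[str] = None) -> str:
    """Append operation=<op>[&message=<id>] to the SCEP CGI path (RFC 8894 section 4.1)."""
    parts = urlsplit(endpoint)
    params = {"operation": operation}
    if message is not None:
        params["message"] = message
    return urlunsplit(parts._replace(query=urlencode(params)))


def parse_ca_caps(body: str) -> set:
    """Parse a GetCACaps reply delimited by CRLF or LF; unknown keywords are ignored."""
    caps = set()
    for line in body.splitlines():
        keyword = line.strip().upper()  # compared case-insensitively for robustness
        if keyword in KNOWN_CAPS:
            caps.add(keyword)
    if "SCEPSTANDARD" in caps:
        # SCEPStandard declares the mandatory-to-implement set, which includes these three.
        caps |= {"AES", "SHA-256", "POSTPKIOPERATION"}
    return caps


def preflight(caps: set) -> list:
    """Return reasons not to enroll against this server; an empty list means proceed."""
    problems = []
    if "POSTPKIOPERATION" not in caps:
        problems.append("PKIOperation would have to be sent as a GET with the message in the URL")
    if "SHA-256" not in caps and "SHA-512" not in caps:
        problems.append("only SHA-1 message digests are offered")
    if "AES" not in caps:
        problems.append("only triple-DES content encryption is offered")
    return problems


if __name__ == "__main__":
    print(build_query_url(ENROLL_ENDPOINT, "GetCACaps"))
    print(preflight(parse_ca_caps(SAMPLE_CACAPS_REPLY)))  # prints [] for the sample reply
```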