Skip to main content

Configure and use SCEP

The Simple Certificate Enrollment Protocol (SCEP) facilitates automated certificate issuance and management for IoT devices. SCEP is commonly used in MDM systems, mobile phones, and networking equipment. SCEP is defined in RFC 8894.

SCEP in Device Trust Manager adheres to the specifications outlined in RFC 8894. Although the final RFC was published in the year 2020, the implementation continues to support functionalities as defined in version 23 of the original draft, which is widely used in the industry.

Device Trust Manager supports the following SCEP specifications:

Anmerkung

Device Trust Manager does not support the use of ECDSA keys for SCEP operations.

Before you begin

Ensure you've reviewed the following concepts:

Before configuring SCEP in Device Trust Manager, contact your DigiCert account representative to set up your account.

To successfully use SCEP enrollment in Device Trust Manager, a DigiCert​​®​​system administrator must first ensure the proper configuration of your Certificate Authority (CA) infrastructure. This involves setting up both Root and Intermediate CAs in 1.702.0 with specific settings to support SCEP operations.

In CA Manager, a DigiCert​​®​​ system administrator must configure:

  • Both the Root CA and the Intermediate CA to use the RSA key type.

  • The Intermediate CA with the Allow CA to decrypt and sign SCEP packets option enabled.

    Anmerkung

    If you are missing any of the above, contact your DigiCert account representative.

Configure SCEP in Device Trust Manager

To perform the following steps in Device Trust Manager, you must have the Solution Administrator role.

  1. Sign in to DigiCert® ONE as a Solution Administrator.

  2. In DigiCert ONE , in the Manager menu (grid at top right), select Device Trust.

  3. Create an Authentication Policy, then add authentication credentials. See Create an authentication policy.

  4. Create a Certificate Management Policy. See Create a certificate management policy.

  5. Click Create certificate management policy to open the General settings of the certificate management policy wizard.

  6. Enter a Name for the certificate management policy.

  7. Choose a Division to assign the policy to.

  8. Select SCEP (Simple Certificate Enrollment Protocol) from the certificate management model.

  9. Select an Authentication policy if required for EST, SCEP, CMPv2, or ACME methods.

  10. Click Next to proceed to the certificate settings.

  11. Select an End entity certificate profile that defines the certificate structure, including subject fields, extensions, and validity period.

  12. Select an Intermediate certificate profile from the available options. This intermediate CA will sign the certificates issued under this policy.

  13. Select an Issuing CA from the available options. This is the Certificate Authority that will sign the certificates issued under this policy.

  14. Set the Keypair generation preferences.

    You can set whether you want the private key to be generated on the device or generated server-side and passed on to the device in the response to the SCEP certificate request.

  15. Click Next to proceed to Usage Restrictions.

    • Allowed IP addresses: Toggle to add and enter each IP address, IP address range, or wildcard IP addresses specify the IP addresses or ranges that are permitted to request certificates. This can include single IPs, ranges, or wildcard IPs.

    • Operational hours: Toggle to set the operational hours by choosing a Time zone and defining the Hours during which certificate requests are allowed.

    • Operational dates: Toggle to set a start date (Valid from) and an end date (Valid to) for when the certificate management policy can be used.

  16. Click Finish to complete the certificate management policy.

Obtain the SCEP endpoint

Next, obtain the SCEP endpoint so that you can use it with an SCEP client.

  1. In Device Trust Manager, select Certificate management > Certificate management policies.

  2. Click the name of the SCEP-enabled certificate management policy.

  3. On the Certificate management policy details page, navigate to the SCEP section.

  4. In the SCEP section, copy the Enroll/reenroll endpoint URL.

Use SCEP

Now that you have the SCEP endpoint and authentication method (enrollment passcode or authentication certificate), you can use them to perform SCEP enrollment.

Both TrustCore SDK and TrustEdge include an SCEP client that works with DigiCert® Device Trust Manager.

Give the TrustEdge SCEP client example a try.

In diesem Abschnitt: