Enrollment protocols

Certificate enrollment or management protocols allow clients and devices to communicate directly with your private CA for certificate enrollment, renewal, and other advanced actions.

DigiCert® Private CA supports several industry-standard enrollment protocols that enable secure and automated certificate issuance.

These include:

  • Simple Certificate Enrollment Protocol (SCEP): Commonly used to automate certificate enrollment for devices and network systems.

  • Enrollment over Secure Transport (EST) protocol: Provides secure enrollment and renewal of certificates over HTTPS.

  • Certificate Management Protocol (CMP): Supports advanced certificate management operations for complex PKI environments.

  • Automated Certificate Management Environment (ACME): Automates certificate issuance and renewal at scale for servers, containers, and cloud or DevOps workloads.

These protocols are implemented according to their respective IETF RFC specifications. This ensures interoperability with a wide range of enterprise systems, routers, and IoT devices that follow these standards.

Each protocol enables devices, routers, and management systems to request and manage end-entity certificates using the protocol natively supported by the client.

How it works

Across all protocols, certificate enrollment follows the same high-level lifecycle:

  1. A CA administrator creates a protocol-specific issuance profile in DigiCert Private CA.

  2. The profile defines certificate issuance policy and generates a unique Profile ID, which is embedded in the protocol endpoint.

  3. A client system (such as a device, application, or workload) connects to the protocol endpoint using a protocol-native client implementation.

  4. At runtime, the Profile ID in the endpoint determines which issuing CA, certificate template, and policies are applied to the request.

  5. The client system authenticates using the method defined in the profile.

  6. DigiCert Private CA validates the request and issues the certificate.

  7. The client system renews or revokes certificates using the same protocol.
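The following is an added example, not DigiCert's code, that models steps 2 through 6 of the lifecycle above: a Profile ID carried in the protocol endpoint is resolved to an issuing CA, a certificate template and a policy, the client's authentication method is checked against the one the profile defines, and only then is a certificate "issued". The endpoint path layout (`https://host/<protocol>/<profile-id>/...`), the profile fields, the Profile ID values and the policy rules are all assumptions made for illustration; this page does not specify DigiCert's real endpoint format or profile schema.

```python
"""
Toy model of the enrollment lifecycle: Profile ID in the endpoint -> profile
-> issuing CA / template / policy -> request checks -> issuance record.
All identifiers and rules below are constructed for illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass(frozen=True)
class Profile:
    """Protocol-specific issuance profile, as an administrator would create (step 1)."""
    profile_id: str
    protocol: str                     # "scep", "est", "cmp" or "acme"
    issuing_ca: str
    template: str
    auth_method: str                  # assumed names, e.g. "challenge-password"
    allowed_name_suffixes: tuple = ()  # DNS suffixes the policy permits
    min_rsa_bits: int = 2048


# Constructed profile registry keyed by the (assumed) Profile ID.
PROFILES = {
    "p-1111": Profile("p-1111", "scep", "Devices Issuing CA", "network-device",
                      "challenge-password", ("corp.example",)),
    "p-2222": Profile("p-2222", "est", "Endpoints Issuing CA", "mdm-endpoint",
                      "http-basic", ("corp.example",), min_rsa_bits=3072),
    "p-3333": Profile("p-3333", "acme", "Workloads Issuing CA", "tls-server",
                      "account-key", ("svc.example",)),
}


def parse_endpoint(url: str):
    """Assumed layout: https://host/<protocol>/<profile-id>/<protocol-specific path>."""
    parts = [p for p in urlparse(url).path.split("/") if p]
    if len(parts) < 2:
        raise ValueError("endpoint does not carry a protocol and a profile id")
    return parts[0].lower(), parts[1]


@dataclass
class EnrollmentRequest:
    """What the CA sees at runtime (step 3-5), reduced to the fields we check."""
    endpoint: str
    auth_method: str
    subject_cn: str
    sans: list = field(default_factory=list)
    rsa_bits: int = 2048


def _name_allowed(name: str, suffixes: tuple) -> bool:
    return any(name == s or name.endswith("." + s) for s in suffixes)


def evaluate(req: EnrollmentRequest) -> dict:
    """Resolve the profile from the endpoint and apply its policy (steps 4-6)."""
    protocol, profile_id = parse_endpoint(req.endpoint)
    profile = PROFILES.get(profile_id)
    if profile is None:
        return {"issued": False, "reason": "unknown profile id"}
    if profile.protocol != protocol:
        return {"issued": False, "reason": "profile is not bound to this protocol"}
    if req.auth_method != profile.auth_method:
        return {"issued": False,
                "reason": "authentication method does not match the profile"}
    if req.rsa_bits < profile.min_rsa_bits:
        return {"issued": False, "reason": "key too small for profile policy"}
    names = [req.subject_cn, *req.sans]
    for name in names:
        if not _name_allowed(name, profile.allowed_name_suffixes):
            return {"issued": False, "reason": f"name not allowed by policy: {name}"}
    # Everything the profile binds is applied here, not chosen by the client.
    return {"issued": True, "issuing_ca": profile.issuing_ca,
            "template": profile.template, "names": names}


if __name__ == "__main__":
    demo = EnrollmentRequest("https://ca.example/scep/p-1111/pkiclient.exe",
                             "challenge-password", "rtr1.corp.example")
    print(evaluate(demo))
```

The point the model makes is that the client never names an issuing CA or template; those come from the profile the Profile ID resolves to, so a request arriving at the wrong protocol endpoint, with the wrong authentication method, or for a name outside the profile's policy is rejected before anything is signed.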

Actions supported by each protocol


When to use which protocol?

Protocol | Best for                      | Automation level | Typical environment
---------|-------------------------------|------------------|-----------------------------------
SCEP     | Legacy or constrained devices | Low-Medium       | Routers, switches, printers
EST      | Secure device enrollment      | Medium           | MDM, IoT, enterprise endpoints
CMP      | Full PKI lifecycle control    | Medium-High      | Telcos, defense, regulated PKI
ACME     | Massive automation            | Very High        | Cloud, DevOps, servers, containers