The Simple Certificate Enrollment Protocol (SCEP) facilitates automated certificate issuance and management for IoT devices. SCEP is commonly used in MDM systems, mobile phones, and networking equipment. SCEP is defined in RFC 8894.
SCEP in Device Trust Manager adheres to the specifications outlined in RFC 8894. Although the final RFC was published in the year 2020, the implementation continues to support functionalities as defined in version 23 of the original draft, which is widely used in the industry.
Device Trust Manager supports the following SCEP specifications:
All mandatory operations specified in section 2.9 Mandatory-to-Implement Functionality.
Encryption of SCEP messages using RSA recipient public keys, as outlined in section 3.1 SCEP Message Object Processing.
Nota
Device Trust Manager does not support the use of ECDSA keys for SCEP operations.
Review the Authentication policy concept page.
Review the Certificate management policy concept page.
Review the Integrate with Certificate Issuance APIs page.
Before configuring SCEP in Device Trust Manager, contact your DigiCert ONE account representative to set up your account.
To successfully use SCEP enrollment in Device Trust Manager, a DigiCert®system administrator must first ensure the proper configuration of your Certificate Authority (CA) infrastructure. This involves setting up both Root and Intermediate CAs in 1.702.0 with specific settings to support SCEP operations.
In CA Manager, a DigiCert® system administrator must configure:
Both the Root CA and the Intermediate CA to use the RSA key type.
The Intermediate CA with the option enabled.
Nota
If you are missing any of the above, contact your DigiCert ONE account representative.
To perform the following steps in Device Trust Manager, you must have the Solution Administrator role.
Sign in to Device Trust Manager as a Solution Administrator.
Create an Authentication Policy, then add authentication credentials. See Create an authentication policy.
Create a Certificate Management Policy. See Create a certificate management policy.
Click to open the General settings of the certificate management policy wizard.
Enter a Name for the certificate management policy.
Choose a Division to assign the policy to.
Choose the device group association for the policy:
Select This certificate management policy will always be used with a device group to link certificates with device records. This association enables automated renewals, secure updates, and threat monitoring. If you select this option, you need an Advanced license plan. Also if you select this option, ensure to complete the Create a device group procedure.
Select This certificate management policy will not be used with a device group to issue standalone certificates that are not linked to device records, which limits additional management capabilities. If you select this option, you need an Essentials license plan.
Select the Authentication Policy you created earlier from the dropdown field. The Authentication Policy will verify the credentials the SCEP client uses when communicating with the Device Trust Manager’s SCEP service.
Select SCEP (Simple Certificate Enrollment Protocol) from the Certificate management methods.
Click Next to proceed to the certificate settings.
Choose a Certificate profile that defines the certificate structure, including subject fields, extensions, and validity period.
Select an Issuing CA from the available options. This is the Certificate Authority that will sign the certificates issued under this policy.
Set the Keypair generation preferences.
You can set whether you want the private key to be generated on the device or generated server-side and passed on to the device in the response to the SCEP certificate request.
Click Next to proceed to Usage Restrictions.
Allowed IP addresses: Toggle to add and enter each IP address, IP address range, or wildcard IP addresses specify the IP addresses or ranges that are permitted to request certificates. This can include single IPs, ranges, or wildcard IPs.
Operational hours: Toggle to set the operational hours by choosing a Time zone and defining the Hours during which certificate requests are allowed.
Operational dates: Toggle to set a start date (Valid from) and an end date (Valid to) for when the certificate management policy can be used.
Click Finish to complete the certificate management policy.
Next, obtain the SCEP endpoint so that you can use it with an SCEP client.
In Device Trust Manager, select Certificate management > Certificate management policies.
Click the name of the SCEP-enabled Certificate Management Policy.
On the Certificate Management Policy details page, navigate to the SCEP section.
In the SCEP section, copy the Enroll/reenroll endpoint URL.
Now that you have the SCEP endpoint and authentication method (enrollment passcode or authentication certificate), you can use them to perform SCEP enrollment.
Both TrustCore SDK and TrustEdge include an SCEP client that works with DigiCert® Device Trust Manager.
Give the TrustEdge SCEP client example a try.