Configure SCEP enrollment
The Simple Certificate Enrollment Protocol (SCEP) facilitates automated certificate issuance and management for IoT devices. This guide covers the necessary steps to configure SCEP in DigiCert® IoT Trust Manager.
Aviso
IoT Trust Manager does not support the use of ECDSA keys for SCEP operations.
SCEP support in IoT Trust Manager
SCEP in IoT Trust Manager adheres to the specifications outlined in RFC 8894. Despite the final RFC being published in 2020, the implementation continues to support functionalities as defined in version 23 of the original draft, commonly used in the industry.
IoT Trust Manager supports the following SCEP specifications:
All mandatory operations specified in 2.9. Mandatory-to-Implement Functionality.
Encryption of SCEP messages using RSA recipient public keys, as outlined in 3.1. SCEP Message Object Processing.
To successfully use SCEP enrollment in IoT Trust Manager, you must first ensure the proper configuration of your Certificate Authority (CA) infrastructure. This involves setting up both Root and Intermediate CAs with specific settings to support SCEP operations.
Additionally, configuration steps must be completed within IoT Trust Manager to enable SCEP for a specific enrollment profile.
CA Manager Root and Intermediate CA requirements:
Both the Root CA and the Intermediate CA must use the RSA key type.
The Intermediate CA must have the Allow CA to decrypt and sign SCEP packets option enabled.
IoT Trust Manager enrollment profile requirements:
SCEP certificate enrollment method must be enabled on the enrollment profile. See Create enrollment profiles or Edit an enrollment profile.
Enrollment passcode or Authentication certificate configured for the enrollment profile. Make sure to save this passcode.
In the IoT Trust Manager menu, select Enrollment configuration > Enrollment profiles.
Click the name of the enrollment profile being used for SCEP.
On the Enrollment profile details page, scroll to the SCEP section.
In the SCEP section, copy the Enroll/reenroll endpoint URL.
Now that you have the SCEP endpoint and authentication method (enrollment passcode or authentication certificate), you can use them to perform SCEP enrollment.
Sugerencia
Ready to test your SCEP enrollment process? Try DigiCert® TrustEdge, a standalone executable that can run as both an agent for devices managed through DigiCert® Device Trust Manager or as a standalone command line tool.