
SCEP

DigiCert® Private CA supports enrollment and renewal of end entity certificates using the Simple Certificate Enrollment Protocol (SCEP).

Important

Make sure you have an end entity certificate template in DigiCert Private CA that fits your certificate requirements before you start creating a profile.

To create a SCEP profile in DigiCert Private CA:

  1. In the main menu, select Profiles.

  2. Select SCEP under Protocols.

  3. Enter a Profile name.

  4. [Optional] Add a Description for your profile.

  5. Select the Protocol version you prefer from the available options.

  6. In Issuer ID, select the private intermediate certificate authority that you use for your certificate requests.

  7. Select a Certificate template ID. You can only use one template in a profile. Create multiple profiles for different templates or certificate settings.

  8. Select the Certificate validity details, like how many days, months, or years the issued certificates are valid for.

  9. Enter a value in days for your preferred Renewal window. Your private CA rejects any renewal requests outside this window.

  10. Select your Authentication method. You also need to set up this method in your certificate requesting client or registration authority.

  11. Select the Signature algorithm supported by the profile.

  12. Select the SCEP encryption type.

  13. Select Submit.

Your SCEP profile is saved.

Select Profiles in the main menu to see your saved profiles.

SCEP URL

To copy the URL, select a profile and go to the Profile details page.

You must configure this URL in your SCEP clients to request certificates from your private CA.

A SCEP URL in DigiCert® Private CA is structured as follows:

https://<your-ca-domain>/certificate-authority/api/v1/scep/<ProfileID>/cgi-bin/pkiclient.exe

Where:

  • https://<your-ca-domain> is the base domain of your DigiCert Private CA instance.

  • /certificate-authority/api/v1/scep/ is the standard path used by DigiCert Private CA for SCEP protocol communication. It indicates that the request is for a CA-managed SCEP endpoint.

  • <ProfileID> is the unique identifier of the SCEP issuance profile. Each profile you create in DigiCert® Private CA gets its own automatically generated ID. This value determines which CA, certificate template, and issuance policy the request follows.

  • /cgi-bin/pkiclient.exe is the SCEP service endpoint that handles enrollment, renewal, and retrieval of certificates according to the SCEP (RFC 8894) standard. Most SCEP clients expect this exact path format.
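Before distributing a SCEP URL to clients, it helps to confirm that the URL has the documented shape and that the capabilities the endpoint advertises match the signature algorithm and encryption type chosen in the profile. The following is an added example, not DigiCert code: the host, profile ID and capability reply are constructed placeholders, the capability keywords and the GetCACaps operation come from RFC 8894, and it is an assumption that your deployment answers GetCACaps at this URL.

```python
"""Added example: check a SCEP URL's shape and audit a GetCACaps reply (RFC 8894)."""
from urllib.parse import urlsplit

PREFIX = "/certificate-authority/api/v1/scep/"
SUFFIX = "/cgi-bin/pkiclient.exe"
# Capability keywords from RFC 8894, section 3.5.2 (exact keyword match).
REQUIRED_CAPS = {"AES", "SHA-256", "POSTPKIOperation"}
LEGACY_CAPS = {"DES3", "SHA-1"}


def parse_scep_url(url):
    """Return (host, profile_id); raise ValueError if the URL deviates from the documented shape."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("SCEP URL must use https")
    if not parts.hostname:
        raise ValueError("missing CA domain")
    if parts.query or parts.fragment:
        raise ValueError("configure the bare URL; the client appends the operation")
    if not (parts.path.startswith(PREFIX) and parts.path.endswith(SUFFIX)):
        raise ValueError("path does not match the documented SCEP layout")
    profile_id = parts.path[len(PREFIX):len(parts.path) - len(SUFFIX)]
    if not profile_id or "/" in profile_id:
        raise ValueError("profile ID must be a single non-empty path segment")
    return parts.hostname, profile_id


def caps_url(url):
    """URL of the RFC 8894 GetCACaps query for a validated SCEP URL."""
    parse_scep_url(url)
    return url + "?operation=GetCACaps"


def audit_cacaps(body):
    """Return (missing required caps, advertised legacy caps) for a GetCACaps reply body."""
    caps = {line.strip() for line in body.splitlines() if line.strip()}
    if "SCEPStandard" in caps:  # implies AES, POSTPKIOperation and SHA-256
        caps |= REQUIRED_CAPS
    return sorted(REQUIRED_CAPS - caps), sorted(LEGACY_CAPS & caps)


if __name__ == "__main__":
    # Constructed values: placeholder host, profile ID and capability reply.
    url = ("https://ca.example.internal/certificate-authority/api/v1/scep/"
           "PROFILE-ID-PLACEHOLDER/cgi-bin/pkiclient.exe")
    print(parse_scep_url(url), caps_url(url))
    print(audit_cacaps("POSTPKIOperation\nSHA-1\nSHA-256\nDES3\nRenewal\n"))
```

A non-empty first list means the endpoint does not advertise a mandatory RFC 8894 capability; a non-empty second list means clients could still negotiate DES3 or SHA-1 unless the profile and client configuration rule them out.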