The Simple Certificate Enrollment Protocol (SCEP) is a Cisco, Verisign,
Entrust, Microsoft, Netscape, and Sun Microsystems initiative that provides a
standard way of managing the certificate life cycle. The initiative is
important for driving open development of certificate-handling protocols
that interoperate with devices from many vendors. The protocol was long
carried only as an Internet-Draft; it was eventually published as RFC 8894,
which keeps the enrollment model described here but deprecates the MD5 and
DES algorithms the early drafts relied on. More information about SCEP can
be found at the weblinks below.
The Manual Enrollment Process
SCEP provides two ways of authenticating an enrollment request: manual
authentication and authentication based on a pre-shared secret. In manual
mode, the end entity that submitted the request must wait until the CA
operator has verified its identity by some reliable out-of-band method. To
make that verification possible, a fingerprint (MD5 in the original SCEP
drafts) is computed over the PKCS #10 request, before it is signed and
wrapped in the PKCS #7 envelope, and compared out-of-band between the server
and the end entity; SCEP clients and CAs must therefore display this
fingerprint to the user whenever manual mode is used. The fingerprint is what
binds the operator's approval to one specific request, so it must be
computed over the exact bytes the server received, and because MD5 is no
longer collision-resistant, RFC 8894 deprecates it in favour of SHA-256.
Enrollment Using Pre-shared Keys
When the pre-shared secret scheme is used, the server distributes a shared
secret to the end entity that uniquely associates the enrollment request
with that end entity. The secret must be distributed privately: only the
server and that end entity should know it. When creating the enrollment
request, the end entity is prompted for a challenge password; in the
pre-shared secret scheme it enters the pre-distributed secret as that
password. A challenge password is required in the manual authentication case
as well, because the server may later challenge the end entity with it
before a certificate can be revoked. The challenge password is then included
in the PKCS #10 request as the (PKCS #9) challengePassword attribute, and the
request is sent to the server as encrypted data: the PKCS #7 envelope
protects the privacy of the challenge password with DES encryption. Two
caveats for anyone deploying this scheme: DES offers no meaningful
protection today, and RFC 8894 deprecates it in favour of AES; and because
the secret is transmitted rather than proven, the server should compare it
against its stored value in constant time and should ideally issue each
secret for a single enrollment, since anyone who learns it can enroll as
that end entity.
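An added example that ties the two sections above together (written for this page; it is not code from the SCEP drafts, RFC 8894, or any vendor's implementation). The client side builds a PKCS #10 request carrying the challengePassword attribute; the server side checks the pre-shared secret against the one it issued, and computes the fingerprint that a CA operator compares out-of-band in manual mode. It uses the third-party Python cryptography package. The subject name, secret, and key size are constructed sample values, and the function names are this example's own; SHA-256 is the default fingerprint hash, with MD5 available only to match the original draft.

```python
"""SCEP-style enrollment request: challengePassword attribute and the
out-of-band fingerprint. Added example, not from the original page.

Assumes the third-party `cryptography` package is installed."""
import hashlib
import hmac

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import AttributeOID, NameOID

# Constructed sample inputs (hypothetical device name and pre-shared secret).
SAMPLE_SUBJECT = "router1.example.net"
SAMPLE_SECRET = b"correct horse battery staple"


def build_request(common_name: str, challenge_password: bytes) -> bytes:
    """Client side: return a DER-encoded PKCS #10 request for common_name
    that carries challenge_password as the PKCS #9 challengePassword
    attribute. A fresh RSA key is generated here for the example; a real
    device would use the key pair it is enrolling."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .add_attribute(AttributeOID.CHALLENGE_PASSWORD, challenge_password)
        .sign(key, hashes.SHA256())
    )
    return csr.public_bytes(serialization.Encoding.DER)


def challenge_password_of(csr_der: bytes) -> bytes:
    """Server side: pull the challengePassword attribute out of the bare
    PKCS #10, i.e. after the PKCS #7 envelope has been decrypted."""
    csr = x509.load_der_x509_csr(csr_der)
    attrs = getattr(csr, "attributes", None)
    if attrs is not None:  # cryptography >= 36 exposes a typed attribute list
        return attrs.get_attribute_for_oid(AttributeOID.CHALLENGE_PASSWORD).value
    return csr.get_attribute_for_oid(AttributeOID.CHALLENGE_PASSWORD)  # older API


def server_accepts(csr_der: bytes, issued_secret: bytes) -> bool:
    """Pre-shared secret mode: accept only if the request's self-signature
    verifies and its challengePassword equals the secret the server handed
    to this end entity. hmac.compare_digest avoids a timing side channel."""
    csr = x509.load_der_x509_csr(csr_der)
    if not csr.is_signature_valid:
        return False
    try:
        supplied = challenge_password_of(csr_der)
    except x509.AttributeNotFound:  # request carries no challengePassword
        return False
    return hmac.compare_digest(supplied, issued_secret)


def fingerprint(csr_der: bytes, algorithm: str = "sha256") -> str:
    """Hex fingerprint over the DER of the bare PKCS #10, before PKCS #7
    signing and enveloping. The early SCEP drafts specified MD5 here;
    RFC 8894 deprecates MD5, so SHA-256 is the default and MD5 is opt-in."""
    return hashlib.new(algorithm, csr_der).hexdigest()


def operator_approves(csr_der: bytes, fingerprint_read_out_of_band: str,
                      algorithm: str = "sha256") -> bool:
    """Manual mode: the CA operator compares the fingerprint the requester
    reports over a trusted out-of-band channel (phone, ticket, console) with
    the one computed from the request the server actually received. Colons,
    spaces and case differences from different display formats are ignored."""
    def normalise(fp: str) -> bytes:
        return fp.replace(":", "").replace(" ", "").lower().encode("ascii", "replace")

    expected = normalise(fingerprint(csr_der, algorithm))
    return hmac.compare_digest(expected, normalise(fingerprint_read_out_of_band))


if __name__ == "__main__":
    der = build_request(SAMPLE_SUBJECT, SAMPLE_SECRET)
    print("challengePassword matches issued secret:", server_accepts(der, SAMPLE_SECRET))
    print("SHA-256 fingerprint to read out-of-band:", fingerprint(der))
```

Note that `fingerprint` is computed over the bare PKCS #10, which is what both ends can see: the client before it envelopes the request, and the CA after it has decrypted the envelope. Hashing the PKCS #7 blob instead would give the two sides different values.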