SCEP (Simple Certificate Enrolment Protocol) - an explanation

SCEP was developed by the IPSec community to overcome the problem of enrolling certificates for routers and other network devices. SCEP is widely supported on both the client and the server side. SCEP uses PKCS #10 as the certification request format and PKCS #7 as the digital envelope syntax. HTTP is used as the transport protocol.

A prerequisite for SCEP enrolment is that the end entity must already have the appropriate CA certificate. This certificate needs to be verified using some offline method (a fingerprint check) in order to prevent man-in-the-middle attacks, in which a third party impersonates the CA.

The initial end-entity authentication in SCEP is done either manually or by using shared secrets. When using a shared-secret scheme, the CA administrator generates a one-time password for the entity and distributes the password to the entity in a secure way. When the entity generates the certification request, it includes the password in the request. After approving the request, the CA issues the certificate, packs it into a PKCS #7 cryptographic packet and sends it to the end user (and possibly publishes the certificate to a directory).