Understanding Simple Certificate Enrollment Protocol SCEP

As we have discussed, public-key technology is widely used today and is incorporated in various standards-based security protocols. This increasing emphasis on public-key technology makes it all the more important that there be a certificate management protocol that PKI clients and CA servers can rely on to support all certificate life-cycle operations. Simple Certificate Enrollment Protocol (SCEP), illustrated in Figure 14-8, addresses the need for a certificate management protocol to handle certificate enrollment and revocation, as well as certificate and CRL access. The goal of SCEP is to provide a scalable means to support the secure issuance of certificates, while using existing technology wherever possible. One current use of SCEP is in IPSec VPNs, where it is used by IPSec VPN endpoints for certificate enrollment. This represents a significant improvement over manual/file-based enrollment.

Figure 14-8 SCEP: Use of the Simple Certificate Enrollment Protocol (SCEP)

[Figure 14-8 not reproduced; labels recoverable from the figure: Step 1, Step 2, Certificate, Signed Certificate, PKCS#7, SCEP]

• Cisco PKI communication protocol used for VPN PKI enrollment.

• Uses the PKCS#7 and PKCS#10 standards.

Let's examine the enrollment transaction in greater detail:

1. An end entity creates a certificate request using PKCS #10.

2. The request is enveloped using PKCS #7 and is sent to the CA or RA based on the topology in place.

3. When the CA or RA receives the request, either it is automatically approved and the certificate is sent back, or the end entity has to wait until the operator can manually authenticate the identity of the requesting end entity.
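The three steps above, as an added example that is not code from the book: a small Python model of one SCEP enrollment transaction, covering both outcomes of step 3 (automatic approval, and a request that waits for an operator). Real SCEP carries a PKCS #10 request inside a PKCS #7 envelope; here the `CertRequest` and `PkiMessage` classes stand in for those encodings so the exchange runs offline. The messageType and pkiStatus numbers are the values SCEP defines (RFC 8894); the class names, the challenge-password check, the auto-approval list and the `enroll()` polling loop are this example's own assumptions.

```python
"""Model of one SCEP enrollment transaction (added example, not from the book).
PKCS #10 / PKCS #7 encoding is replaced by plain Python objects."""
from dataclasses import dataclass
from typing import Optional
import secrets

# SCEP messageType values (RFC 8894)
PKCS_REQ = 19          # step 2: enveloped certificate request
CERT_REP = 3           # step 3: CA/RA response
GET_CERT_INITIAL = 20  # client polling for a request the operator has not yet approved

# SCEP pkiStatus values (RFC 8894)
SUCCESS, FAILURE, PENDING = 0, 2, 3


@dataclass
class CertRequest:
    """Stand-in for the PKCS #10 request created in step 1."""
    subject: str
    public_key: str
    challenge_password: str


@dataclass
class PkiMessage:
    """Stand-in for the PKCS #7-wrapped SCEP message sent in step 2."""
    message_type: int
    transaction_id: str
    sender_nonce: str
    body: object = None              # CertRequest on the way in, certificate on the way out
    pki_status: Optional[int] = None # only present on CertRep


class CertificateAuthority:
    """CA/RA for step 3: auto-approves listed subjects, queues the rest for an operator."""

    def __init__(self, name, challenge_password, auto_approve_subjects):
        self.name = name
        self._challenge = challenge_password
        self._auto = set(auto_approve_subjects)
        self.pending = {}   # transaction_id -> CertRequest awaiting manual approval
        self.issued = {}    # transaction_id -> issued certificate (a dict stands in for X.509)

    def handle(self, msg):
        tid = msg.transaction_id
        rep = lambda status, body=None: PkiMessage(CERT_REP, tid, secrets.token_hex(8), body, status)
        if msg.message_type == PKCS_REQ:
            req = msg.body
            # Constant-time comparison of the enrollment challenge password
            if not secrets.compare_digest(req.challenge_password, self._challenge):
                return rep(FAILURE)
            if req.subject in self._auto:          # automatic approval
                self.issued[tid] = self._issue(req)
                return rep(SUCCESS, self.issued[tid])
            self.pending[tid] = req                # wait for operator (manual authentication)
            return rep(PENDING)
        if msg.message_type == GET_CERT_INITIAL:   # client polling for a pending request
            if tid in self.issued:
                return rep(SUCCESS, self.issued[tid])
            return rep(PENDING) if tid in self.pending else rep(FAILURE)
        return rep(FAILURE)                        # unsupported messageType

    def operator_approve(self, transaction_id):
        """Operator has authenticated the end entity out of band; issue the certificate."""
        req = self.pending.pop(transaction_id)
        self.issued[transaction_id] = self._issue(req)

    def _issue(self, req):
        return {"subject": req.subject, "public_key": req.public_key, "issuer": self.name}


class EndEntity:
    """The requester (e.g. an IPSec VPN endpoint)."""

    def __init__(self, subject, challenge_password):
        self.subject = subject
        self.challenge_password = challenge_password
        self.public_key = f"constructed-pubkey-of-{subject}"  # placeholder, not a real key
        self.transaction_id = secrets.token_hex(8)            # constant for the whole transaction

    def pkcs_req(self):  # steps 1 and 2: build the request and envelope it
        req = CertRequest(self.subject, self.public_key, self.challenge_password)
        return PkiMessage(PKCS_REQ, self.transaction_id, secrets.token_hex(8), req)

    def get_cert_initial(self):  # poll with the same transactionId
        return PkiMessage(GET_CERT_INITIAL, self.transaction_id, secrets.token_hex(8))


def enroll(entity, ca, max_polls=3, operator=None):
    """Run one transaction; returns (final pkiStatus, certificate or None).
    `operator`, if given, is called between polls to simulate manual approval."""
    rep = ca.handle(entity.pkcs_req())
    polls = 0
    while rep.pki_status == PENDING and polls < max_polls:
        if operator is not None:
            operator(ca, entity.transaction_id)
        rep = ca.handle(entity.get_cert_initial())
        polls += 1
    return rep.pki_status, rep.body


if __name__ == "__main__":
    ca = CertificateAuthority("example-ca", "ca-challenge", {"vpn-gw-1"})
    print(enroll(EndEntity("vpn-gw-1", "ca-challenge"), ca))   # auto-approved
    print(enroll(EndEntity("vpn-gw-2", "ca-challenge"), ca))   # stays PENDING, no operator
```

The PENDING branch is the part worth noticing from a defender's view: a request for an unlisted subject never becomes a certificate until `operator_approve()` runs, and a wrong challenge password is rejected immediately rather than queued.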
