Online help

SCEP - Simple Certificate Enrolment Protocol

The protocol for the simple enrolment of certificates increases the scalability of the enrolment for large-scale network environments with PKI (public key infrastructure). Besides the initial enrolment of the certificates, the regular renewal of the certificates is also supported. The client will send an automated request for the renewal of a certificate to the SCEP server with this, if the remaining lifetime of the certificate falls below a certain threshold. To increase security, this allows a significantly shorter lifetime of a certificate as it would be practicable with manual generation and enrolment. The presence of certificate revocation lists (CRLs) on te SCEP server can be queried in regular intervals.

All certificates, keys and certificate revocation lists obtained via SCEP are available in the respective dropdown lists for selection. The SCEP instance, which retrieves the necessary certificate, needs to be selected.

If an SCEP server is configured and the profile will be activated, the sequence will be as follows:

  • The client generates its own private key
  • The client generates a certificate signing request (CSR)
  • The client retrieves the CA certificate from the SCEP server
  • The client sends the certificate signing request in PKCS#10 format within the scope of an "Enrolment" to the SCEP server
  • The SCEP server approves the Enrolment either by administrator intervention or automated upon authorisation using a challenge password; then, it generates the client certificate and signs it with the CA
  • The client polls regularly (parameter Time interval for automatic enrolment and renewal) the SCEP server to check, whether the Enrolment has been approved, and retrieves the certificate if this is the case
  • The client checks regularly the remaining lifetime of its certificate and sends within the scope of a "Renewal" a new CSR, if the remaining lifetime has fallen below a certain threshold (parameter Share of lifetime before automatic renewal); if the new certificate retrieved upon this is already valid, the client will replace its certificate by the new certificate; if it is not yet valid, it will be replaced as soon as the new certificate becomes valid
  • The client checks regularly, whether a new certificate revocation list (CRL) is available on the SCEP server (parameter Time interval for CRL check) and retrieves this if this is the case
  • If a new CRL is received, it will be checked, whether the own certificate has been revoked in it; if this is the case, a new CSR will be generated and sent to the server
In case the validity of the CA certificate is expiring, the CA certificate as well as the client certificate will be replaced within the scope of a "Rollover".

Client certificate and key, CA certificate and CRL will not be stored in the profile of the router and can therefore not be duplicated by downloading the binary profile and uploading it again to another router.

There is no way (such as web interface, CLI, ASCII configuration or binary configuration) to download the private key from the router!

The current condition of each SCEP instance is indicated in the web interface of the router in the Administration menu on the SCEP page under Status. The following conditions are possible:

  • Inactive
  • Not in running profile
  • Generating private key
  • Downloading CA certificate
  • Waiting for certifacte approval
  • Certificate exists
  • Certificate and CRL exist
  • Error: configuration invalid
  • Error: unable to generate private key
  • Error: unable to generate CSR
  • Error: unable to download CA certificate
  • Error: unable to download certificate
  • Error: failed to verify certificate
  • Error: unable to download CRL
  • Error: certificate has been revoked

Back to overview