by Christian T. Drieling – 4 August 2017

Customers often ask why SCEP is done over HTTP and not HTTPS, because they think it is insecure, so let me explain how the process works:

Process of successfully obtaining a certificate via SCEP

1. The client asks the CA for the CA's public certificate.
2. The client compares the CA certificate with the fingerprint delivered in its configuration.
3. The client requests its certificate over HTTP with a Base64-encoded and signed package, including the following data:

   a) Signature
   b) Client certificate
   c) Signed but unencrypted data (PKCS#7), including the following data:

      I. List of recipients and, per recipient, the encrypted encryption key (the CA is the recipient)

      II. Encrypted data (PKCS#10):

         • Subject name
         • Public key of the client
         • Challenge password
         • Requested extensions
         • Signature algorithm
         • Digital signature

If the request was successful, the CA sends the following data over HTTP to the client:

  1. Version
  2. Hashing algorithm
  3. CA certificate
  4. Digital signature
  5. Signed but unencrypted data, including the following data:
    • Version
    • List of recipients
    • Encrypted data, including the following data:
      • Issued X.509 certificate

So you can see: all security-relevant information is wrapped in encrypted containers.
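The request layering described above (a PKCS#10 CSR inside PKCS#7 EnvelopedData addressed to the CA, inside PKCS#7 SignedData), built and then unwrapped with OpenSSL as an added example; this is not code from the original post. It assumes only the openssl command line (1.1.1 or 3.x) is available, and every name, key and challenge password in it is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: build the SCEP PKIOperation
# request layering described above with OpenSSL, then unwrap it as the CA would.
# Assumes only the openssl CLI (1.1.1 or 3.x); every name and secret is constructed.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Test CA (steps 1 and 2 of the post, GetCACert plus fingerprint check, are not repeated here).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ca.key 2>/dev/null
printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=Constructed-SCEP-CA\n' > ca.cnf
openssl req -x509 -new -key ca.key -config ca.cnf -days 1 -out ca.crt

# Device key, a DER PKCS#10 CSR carrying the challenge password as an attribute (II),
# and the self-signed certificate the device signs the request with (b).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out dev.key 2>/dev/null
printf '[req]\ndistinguished_name=dn\nattributes=attrs\nprompt=no\n[dn]\nCN=device-0001\n[attrs]\nchallengePassword=constructed-challenge-secret\n' > dev.cnf
openssl req -new -key dev.key -config dev.cnf -outform DER -out dev.csr
openssl req -x509 -new -key dev.key -config dev.cnf -days 1 -out dev-selfsigned.crt

build_pkimessage() {
  # Inner layer, PKCS#7 EnvelopedData: a fresh AES key encrypts the CSR, and that
  # key is RSA-encrypted once per recipient (I); the only recipient is the CA.
  openssl cms -encrypt -aes256 -binary -in dev.csr -outform DER -out enveloped.der ca.crt
  # Outer layer, PKCS#7 SignedData over the envelope, signed with the device key and
  # carrying the self-signed certificate in clear (a, b). This blob is what HTTP carries.
  openssl cms -sign -binary -nodetach -signer dev-selfsigned.crt -inkey dev.key \
    -in enveloped.der -outform DER -out pkiMessage.der
}

# An on-path observer sees the signer certificate but not the envelope contents:
# succeeds only if the challenge password is absent from the wire bytes.
wire_hides_challenge() {
  ! grep -q 'constructed-challenge-secret' pkiMessage.der
}

ca_unwrap() {
  # CA side: check the outer signature (chain checks are skipped because the signer is
  # self-signed; the challenge password is the actual authenticator), decrypt the
  # envelope with the CA key, then verify the recovered CSR and compare it with the original.
  openssl cms -verify -inform DER -in pkiMessage.der -noverify -out enveloped_out.der
  openssl cms -decrypt -inform DER -in enveloped_out.der -recip ca.crt -inkey ca.key -out csr_out.der
  openssl req -inform DER -in csr_out.der -noout -verify >/dev/null 2>&1
  cmp -s dev.csr csr_out.der
}

build_pkimessage && wire_hides_challenge && ca_unwrap && echo "PKIOperation round trip OK"
```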

By Udo