SCEP Protocol Integration
This section details the API endpoints for the Simple Certificate Enrollment Protocol (SCEP) implementation. SCEP is a widely used protocol for automated certificate enrollment and renewal, particularly in mobile device management (MDM) and network access control (NAC) solutions. This integration enables devices to securely obtain and manage their digital certificates from the PKI system.
Key Functionalities
Handle SCEP GET Requests
- Endpoint: GET /api/v1/scep
- Description: Processes SCEP GET operations, which typically include:
  - GetCACaps: Retrieves the capabilities of the SCEP server (e.g., supported cryptographic algorithms, message types).
  - GetCACert: Retrieves the Certificate Authority (CA) certificate(s) used by the SCEP server.
  - GetNextCACert: Retrieves the next CA certificate in a rollover scenario, allowing clients to prepare for CA key changes.
- Parameters:
  - operation (required, string): Specifies the SCEP operation to perform.
  - message (optional, string): Additional message content, depending on the operation.
  - ca_id (optional, integer): The ID of the specific CA to query.
- Response: Returns the appropriate SCEP response (e.g., CA certificates, capabilities) with the application/x-x509-ca-cert or application/x-pkcs-certs content type.
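As an added example (not code from the documented service), the following Python helper composes the GET /api/v1/scep URLs with the parameters listed above and interprets a GetCACaps reply before enrollment, refusing the SHA-1/DES legacy defaults that RFC 8894 assumes when a CA advertises nothing stronger. The base URL and the sample reply are constructed placeholders.

```python
# Added example: SCEP GET URL builder plus GetCACaps interpretation.
# SCEP_BASE is a placeholder host, not a real deployment; keywords follow RFC 8894 section 3.5.2.
from urllib.parse import urlencode

SCEP_BASE = "https://pki.example.invalid/api/v1/scep"  # placeholder
SCEP_GET_OPERATIONS = ("GetCACaps", "GetCACert", "GetNextCACert")


def build_scep_get_url(operation, message=None, ca_id=None, base=SCEP_BASE):
    """Compose GET /api/v1/scep with the operation, message and ca_id parameters."""
    if operation not in SCEP_GET_OPERATIONS:
        raise ValueError(f"not a SCEP GET operation: {operation}")
    params = {"operation": operation}
    if message is not None:
        params["message"] = message
    if ca_id is not None:
        params["ca_id"] = int(ca_id)
    return f"{base}?{urlencode(params)}"


def parse_ca_caps(body):
    """Parse a GetCACaps body: one keyword per line, CRLF or LF delimited."""
    text = body.decode("ascii", errors="replace") if isinstance(body, bytes) else body
    return {line.strip() for line in text.splitlines() if line.strip()}


def choose_crypto(caps):
    """Pick the strongest hash and cipher the CA advertises; refuse the SHA-1/DES
    fallback that applies when the CA announces nothing stronger."""
    hash_alg = next((h for h in ("SHA-512", "SHA-256") if h in caps), None)
    cipher = "AES" if "AES" in caps else None
    if hash_alg is None or cipher is None:
        raise ValueError("CA offers only legacy SCEP algorithms; refusing to enroll")
    return {
        "hash": hash_alg,
        "cipher": cipher,
        "use_post": "POSTPKIOperation" in caps,  # else PKIOperation must be sent via GET
        "renewal": "Renewal" in caps,
        "next_ca_cert": "GetNextCACert" in caps,
    }


# Constructed sample reply from a modern CA, as it would arrive over HTTP.
SAMPLE_CAPS = b"AES\r\nSHA-256\r\nPOSTPKIOperation\r\nRenewal\r\nGetNextCACert\r\nSCEPStandard\r\n"

if __name__ == "__main__":
    print(build_scep_get_url("GetCACaps", ca_id=1))
    print(choose_crypto(parse_ca_caps(SAMPLE_CAPS)))
```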
Handle SCEP POST Requests
- Endpoint: POST /api/v1/scep
- Description: Processes SCEP POST operations, primarily PKIOperation, which is used for certificate enrollment and re-enrollment requests.
- Parameters:
  - operation (optional, string, defaults to PKIOperation): Specifies the SCEP operation.
  - message (required, request body): The SCEP message, typically PKCS#7 enveloped data containing a PKCS#10 CSR.
  - ca_id (optional, integer): The ID of the specific CA to use for enrollment.
- Response: Returns PKCS#7 enveloped data containing the issued certificate or a PKI status response.
Service Information
- Endpoint: GET /api/v1/scep/info
- Description: Provides detailed information about the SCEP service, including its version, status, supported operations, features, security aspects, and compatibility with MDM solutions.
- Compatibility: Explicitly states compatibility with Microsoft Intune, iOS MDM, and Android Enterprise.
- Statistics: Includes basic statistics like the SCEP CA used, certificates issued, and renewals processed.
Health Check
- Endpoint: GET /api/v1/scep/health
- Description: Provides a health status check for the SCEP service, indicating its operational state.
Get Configuration
- Endpoint: GET /api/v1/scep/configuration
- Description: Retrieves detailed configuration settings for the SCEP service, including supported operations, challenge password requirements, default validity periods, and setup instructions for platforms like Microsoft Intune.
- Access Control: This endpoint is restricted to authenticated users, or to any caller when the application is in debug mode, so that sensitive configuration details are not publicly exposed; debug mode should therefore be disabled in production deployments.
- Example URLs: Provides example URLs for interacting with the SCEP GET operations.
Inferred Specifications
- RFC 8894 Compliance: The system fully implements the Simple Certificate Enrollment Protocol (SCEP) as defined in RFC 8894, ensuring broad interoperability with SCEP clients.
- Automated Certificate Enrollment and Renewal: SCEP integration enables automated enrollment of new certificates and renewal of existing ones for devices and applications, significantly reducing manual administrative tasks.
- Challenge Password Support: Supports the use of challenge passwords within SCEP requests, adding an extra layer of security for certificate enrollment.
- CA Key Rollover Support: The GetNextCACert operation facilitates smooth transitions during CA key rollovers, allowing clients to update their trust anchors proactively.
- PKCS#7 Security: Utilizes PKCS#7 for secure message exchange, ensuring the confidentiality and integrity of SCEP messages.
- MDM Integration: Explicitly designed for compatibility with leading Mobile Device Management (MDM) solutions (Microsoft Intune, iOS MDM, Android Enterprise), making it ideal for large-scale device certificate provisioning.
- Comprehensive Service Metadata: Provides rich metadata about the SCEP service's capabilities, security features, and compliance, aiding in client integration and auditing.
- Secure Configuration Access: Sensitive SCEP configuration details are protected, accessible only under controlled conditions.
- Audit Logging: All SCEP operations and significant events are logged for security, compliance, and troubleshooting purposes (implied by the ScepService and overall system design).
- Configurable Parameters: Supports configurable parameters such as challenge_password_required, default_validity_days, and renewal_threshold_days.