
SCEP in CapaOne

The overall purpose of SCEP is to provide a means for a client to retrieve a certificate from a certificate authority without user or administrator interaction.

Simple Certificate Enrollment Protocol - Wikipedia

The idea is that an administrator configures the SCEP server to allow creation of a certificate for any client that has the right "recipe" for requesting a certificate. This "recipe" (the SCEP configuration) is individual: each customer has its own PKI infrastructure and its own "recipes" for doing this.

SCEP can be used for anything that needs certificates, but it is most often used for trusting devices and users.

Microsoft PKI infrastructures often use NDES servers, but other systems may also be used.

As the SCEP server usually issues certificates from the customer's own PKI infrastructure, which does not have globally trusted certificates, the devices negotiating the certificate must trust the Certificate Authority and also the issuing certificates below it. These certificates (public keys) must be provided as part of the configuration that will use the SCEP certificate, in order to gain a full chain of trust.

As the SCEP server is often located on the customer's premises, it can be a problem for a non-trusted device to reach the SCEP server through a URL. This can sometimes be compensated for by using enrollment access points which only allow very limited access to the servers needed for enrollment, or by using SIM cards with APN (Access Point Name) connections to the internal SCEP server.

Another common problem is that the internal SCEP server is protected by Transport Layer Security (TLS) using certificates that are not globally trusted. If this is the case, it may be necessary to add the chain-of-trust certificates to the configuration as well.

Please also note that mobile devices do not necessarily trust a SCEP connection just because the CA certificate is trusted. This means that you cannot rely on the device automatically downloading the certificate chain and thereby gaining trust in the TLS connection.

The SCEP server must be configured to use a static secret, as mobile devices do not support more advanced certificate negotiations.

An advanced Wifi setup can use a certificate for authentication.

The certificate is either a pre-created certificate that is distributed to the devices that need it, or a SCEP profile through which each device gets a device-specific certificate.

Once an advanced Wifi profile is set up with configurations for SSID, WPA, Extensible Authentication Protocol (EAP) TLS and various other settings, the device can try to connect to a Wifi access point matching the SSID.

For Apple it is important to note that Apple devices do not have any automatic re-negotiation when the certificate is about to expire. In order to re-negotiate the certificate you must reapply the SCEP/Wifi profile.

In order to make SCEP work on Android devices (which do not support SCEP themselves), you must install the CapaOne agent, which performs the actual SCEP negotiation.

In general, SCEP can be difficult to configure and debug.

As the PKI infrastructure is not trusted on mobile devices, the entire chain of trust must be known for all certificates used in the solution. This includes the chain of trust for the SCEP server (TLS protection) and for the RADIUS server (TLS protection).

The open network standard states that the entire chain of trust must be pre-verified in the configuration; otherwise the end user will be prompted for verification before the Wifi connection is established.

The pre-verification of the certificates must be configured inside the Wifi profile by referencing the certificate payloads.
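As an added example (not CapaOne code, and not taken from this page), the following Python lints an Apple configuration profile to check the two things the preceding paragraphs require: that the EAP-TLS Wifi payload references the SCEP payload as its identity, and that every trust anchor it lists (root CA and issuing CA) is a certificate payload present in the same profile, so the chain is pre-verified and the user is never prompted. Payload type and key names are Apple's; the UUIDs, hostnames and SCEP challenge are constructed placeholders.

```python
# Added example, not CapaOne code: lint an Apple .mobileconfig so that its EAP-TLS Wi-Fi
# payload resolves the SCEP identity and the whole trust chain (root plus issuing CA) to
# certificate payloads in the same profile. Key names are Apple's; UUIDs, hosts and the
# SCEP challenge are constructed placeholders.
import copy
SCEP, WIFI = "com.apple.security.scep", "com.apple.wifi.managed"
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1"}

def lint_wifi_profile(profile):
    """Return findings as strings; an empty list means every reference resolves."""
    by_uuid = {p["PayloadUUID"]: p for p in profile.get("PayloadContent", [])}
    findings = []
    for p in by_uuid.values():
        if p.get("PayloadType") != WIFI:
            continue
        ssid, eap = p.get("SSID_STR", "?"), p.get("EAPClientConfiguration", {})
        # Identity: the Wi-Fi payload must point at the SCEP payload that enrols it.
        if by_uuid.get(p.get("PayloadCertificateUUID"), {}).get("PayloadType") != SCEP:
            findings.append(f"{ssid}: PayloadCertificateUUID does not reference a SCEP payload")
        # Anchors: each UUID must be a certificate payload here, or the chain is not pre-verified.
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            findings.append(f"{ssid}: no PayloadCertificateAnchorUUID, RADIUS trust is left to the user")
        for uuid in anchors:
            if by_uuid.get(uuid, {}).get("PayloadType") not in CERT_TYPES:
                findings.append(f"{ssid}: anchor {uuid} is not a certificate payload in this profile")
        if not eap.get("TLSTrustedServerNames"):
            findings.append(f"{ssid}: TLSTrustedServerNames empty, any server cert under the anchors passes")
    return findings

def cert_payload(ptype, uuid):
    return {"PayloadType": ptype, "PayloadUUID": uuid, "PayloadVersion": 1,
            "PayloadIdentifier": "example." + uuid.lower(), "PayloadContent": b"<DER bytes>"}

PROFILE = {"PayloadType": "Configuration", "PayloadVersion": 1, "PayloadUUID": "PROFILE-1",
    "PayloadIdentifier": "example.scep-wifi", "PayloadContent": [
        cert_payload("com.apple.security.root", "ROOT-1"),      # customer root CA
        cert_payload("com.apple.security.pkcs1", "ISSUING-1"),  # issuing (intermediate) CA
        {"PayloadType": SCEP, "PayloadUUID": "SCEP-1", "PayloadIdentifier": "example.scep",
         "PayloadVersion": 1, "PayloadContent": {"Key Type": "RSA", "Keysize": 2048, "Key Usage": 5,
             "URL": "https://ndes.example.internal/certsrv/mscep/mscep.dll", "Challenge": "<static>"}},
        {"PayloadType": WIFI, "PayloadUUID": "WIFI-1", "PayloadIdentifier": "example.wifi",
         "PayloadVersion": 1, "SSID_STR": "corp", "EncryptionType": "WPA2", "AutoJoin": True,
         "PayloadCertificateUUID": "SCEP-1", "EAPClientConfiguration": {"AcceptEAPTypes": [13],
             "PayloadCertificateAnchorUUID": ["ROOT-1", "ISSUING-1"],
             "TLSTrustedServerNames": ["radius.example.internal"]}}]}

def broken_profile():  # same profile with the issuing CA dropped, so the chain is incomplete
    p = copy.deepcopy(PROFILE)
    p["PayloadContent"] = [x for x in p["PayloadContent"] if x["PayloadUUID"] != "ISSUING-1"]
    return p
```

To run it against a real profile, load the .mobileconfig with `plistlib.load()` and pass the resulting dictionary to `lint_wifi_profile()`; `plistlib.dumps(PROFILE)` turns the constructed sample into the XML form a device would accept.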