
What is Simple Certificate Enrollment Protocol (SCEP)?

With an enterprise CA being such a critical (and large) piece of infrastructure, organizations are constantly looking for ways to simplify and streamline the certificate and key management process, with one popular integration being the Simple Certificate Enrollment Protocol (SCEP). SCEP was designed by Cisco to get certificates onto a router or network switch. Most network switches do not have a documented identity that a CA can understand, process, or read. To address this, a SCEP server sits between the endpoint and the CA. The SCEP server requests a one-time password from the router, translates it into a format the CA can read, and sends it to the CA for validation and certificate generation. The SCEP server then compares the one-time password from the unauthenticated side with the password issued from the trusted CA. This removes the manual translation of this information by a network administrator. In addition, the KMES Series 3 requires that two administrators log into its CA system to approve the certificate issuance. These certificates give “permission” for the switch to be on the network.

Unfortunately, SCEP gained notoriety due to a major vulnerability announced in 2012, VU#971035. This notice states that “SCEP does not strongly authenticate certificate requests made by users or devices,” particularly as it relates to bring your own device (BYOD) technologies such as mobile phones or laptops. Integrating Futurex’s enterprise CA platform into one’s environment helps address this vulnerability and allows organizations to maintain the benefits of scalable and simple operations.
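The one-time password check the SCEP server performs in front of the CA (described above) and the weak-authentication finding in VU#971035 are illustrated by the following added example. It is constructed for this page and is not Futurex's code nor any SCEP implementation's own logic; the `ChallengeRegistry` class, the `handle_enrollment` gate and the dictionary standing in for a PKCS#10 request's subject and challengePassword fields are all assumptions made here.

```python
import hmac
import secrets
import time


class ChallengeRegistry:
    """One-time SCEP challenge passwords, each bound to a single device identity."""

    def __init__(self, ttl_seconds=600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock            # injectable so tests can advance time
        self._pending = {}            # device_id -> (password, issued_at)

    def issue(self, device_id):
        """Generate a fresh, unguessable password for one named device."""
        password = secrets.token_urlsafe(24)
        self._pending[device_id] = (password, self.clock())
        return password

    def verify(self, device_id, presented):
        """Accept a (device, password) pair at most once, within its lifetime."""
        entry = self._pending.get(device_id)
        if entry is None:
            return False              # no password was ever issued for this identity
        stored, issued_at = entry
        if self.clock() - issued_at > self.ttl:
            del self._pending[device_id]   # expired: retire it without accepting
            return False
        # Constant-time comparison so response timing does not reveal matching prefixes.
        if not hmac.compare_digest(stored.encode(), presented.encode()):
            return False              # wrong guess; the real device's password stays usable
        del self._pending[device_id]  # single use: replaying the same password fails
        return True


def handle_enrollment(registry, request):
    """Constructed stand-in for the SCEP server's gate in front of the CA.

    `request` models two fields of a PKCS#10 request: the subject the device asks
    for and the challengePassword attribute it presents.  A request is forwarded
    only when the password was issued for that same subject, is unexpired and unused,
    which is the binding VU#971035 says plain SCEP deployments often lack.
    Returns "forward-to-ca" or "reject"; it never contacts a real CA.
    """
    device_id = request["subject_cn"]
    if registry.verify(device_id, request["challenge_password"]):
        return "forward-to-ca"
    return "reject"
```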
