Skip to main content

Concept

The SCEP enrollment method allows you to issue and manage certificates against a specific certificate profile using the SCEP protocol (Simple Certificate Enrollment Protocol). This method is suitable for provisioning certificates to network devices, mobile devices, printers, routers, and other endpoints that support the SCEP protocol. Infisical’s SCEP service is based on RFC 8894 and implements the following operations:
  • GetCACaps: returns the SCEP server’s supported capabilities (algorithms, features).
  • GetCACert: returns the RA (Registration Authority) certificate and the CA certificate chain in a PKCS#7 bundle.
  • PKIOperation: processes certificate enrollment requests (PKCSReq), renewal requests (RenewalReq), and certificate polling (GetCertInitial).
These SCEP endpoints are exposed under the /scep path and structured as: 
https://app.infisical.com/scep/{profile_id}/pkiclient.exe
For self-hosted Infisical instances, replace app.infisical.com with your instance’s domain.

Prerequisites

  • A SCEP-compatible client (e.g., sscep) or a network device with built-in SCEP support.
  • A certificate profile with a CA-issued issuer type.

Challenge Types

Infisical supports two challenge authentication modes for SCEP enrollment:
A single shared secret password is configured on the certificate profile. All SCEP clients must include this password in their certificate signing request (CSR) to authenticate.This is the simplest option and works well when the same challenge password is acceptable for all devices enrolling through the profile.
  • The challenge password must be at least 8 characters.
  • The password is hashed before storage and cannot be retrieved after creation.

Guide to Certificate Enrollment via SCEP

In the following steps, we walk through how to issue an X.509 certificate using the SCEP enrollment method.
1

Create a certificate profile with SCEP enrollment

Create a certificate profile with SCEP selected as the enrollment method and fill in the SCEP-specific configuration.Here’s some guidance on each SCEP-specific configuration field:
  • Challenge Type: Select Static for a shared password or Dynamic for one-time-use challenges generated via API. See Challenge Types above.
  • Challenge Password (static only): A shared secret that SCEP clients must include in their certificate signing request (CSR) to authenticate with Infisical’s SCEP server. Must be at least 8 characters.
  • Challenge Expiry (dynamic only): How long each generated challenge remains valid, in minutes.
  • Max Pending Challenges (dynamic only): Maximum number of unused challenges that can exist at once.
  • Include CA Cert in Response: When enabled, the CA certificate chain is included alongside the RA certificate in the GetCACert response. Most SCEP clients expect this to be enabled (default: enabled).
  • Allow Certificate-Based Renewal: When enabled, devices that already hold a valid certificate issued by the same CA can renew their certificate without providing the challenge password (default: enabled).
2

Obtain the SCEP endpoint URL

Once the certificate profile is created, you can obtain the SCEP endpoint URL from the certificate profile details page.The SCEP endpoint URL follows the structure:
https://app.infisical.com/scep/{profile_id}/pkiclient.exe
Where {profile_id} is the UUID of the certificate profile. This is the URL you provide to your SCEP clients as the SCEP server URL.For profiles with dynamic challenges enabled, you will also see a Challenge Endpoint URL:
https://app.infisical.com/scep/{profile_id}/challenge
This is the URL your MDM tool or automation calls to generate one-time challenge passwords.
3

Configure your SCEP client and enroll

Provide the SCEP endpoint URL and challenge password from the previous steps to your SCEP client.
Below is an example using sscep, an open-source SCEP client.1. Retrieve the CA/RA certificates:
sscep getca \
  -u https://app.infisical.com/scep/{profile_id}/pkiclient.exe \
  -c ca.pem
This writes the RA certificate to ca.pem-0 and the CA certificate to ca.pem-1 (when “Include CA Cert in Response” is enabled).2. Generate a device key and CSR with the challenge password:The challenge password must be embedded in the CSR as a PKCS#9 attribute. Create an OpenSSL config file to include it:
cat > device-csr.cnf << 'EOF'
[req]
default_bits = 2048
prompt = no
distinguished_name = dn
attributes = req_attributes

[dn]
CN = my-device.example.com

[req_attributes]
challengePassword = your-challenge-password
EOF

# Generate the key and CSR
openssl genrsa -out device.key 2048
openssl req -new -key device.key -out device.csr -config device-csr.cnf
3. Create a self-signed certificate for the sscep signing identity:sscep requires a local signing certificate to sign the SCEP request envelope:
openssl x509 -req -in device.csr -signkey device.key \
  -out device-selfsigned.pem -days 1
4. Enroll via SCEP:
sscep enroll \
  -u https://app.infisical.com/scep/{profile_id}/pkiclient.exe \
  -c ca.pem-0 \
  -k device.key \
  -r device.csr \
  -l device-cert.pem \
  -K device.key \
  -O device-selfsigned.pem \
  -E aes256 \
  -S sha256
On success, the issued certificate is written to device-cert.pem.
Flag reference for the enroll command:
  • -c ca.pem-0 is the RA certificate from step 1
  • -K / -O are the signing key and self-signed certificate used to sign the SCEP message envelope
  • -E aes256 selects AES-256-CBC encryption
  • -S sha256 selects SHA-256 for the message digest
SCEP uses CMS/PKCS#7 encrypted messages to protect the certificate request in transit. The challenge password is included inside the encrypted envelope and is never sent in plaintext over the network.
4

Renew a certificate via SCEP (optional)

If Allow Certificate-Based Renewal is enabled on the certificate profile, devices that already hold a valid certificate issued by the same CA can renew without the challenge password.The device signs the SCEP request with its existing issued certificate instead of a self-signed one. Using sscep:
# Generate a new CSR (no challenge password needed for renewal)
openssl req -new -key device.key -out device-renew.csr \
  -subj "/CN=my-device.example.com"

# Enroll using the issued certificate as the signing identity
sscep enroll \
  -u https://app.infisical.com/scep/{profile_id}/pkiclient.exe \
  -c ca.pem-0 \
  -k device.key \
  -r device-renew.csr \
  -l device-renewed.pem \
  -K device.key \
  -O device-cert.pem \
  -E aes256 \
  -S sha256
The key difference from the initial enrollment is -O device-cert.pem (the previously issued certificate) instead of -O device-selfsigned.pem. On success, the renewed certificate is written to device-renewed.pem.

Supported Algorithms

Infisical’s SCEP server supports the following algorithms for the CMS message exchange:
  • Encryption: AES-256-CBC, AES-128-CBC, 3DES-CBC (DES-EDE3-CBC)
  • Signing: SHA-256, SHA-384, SHA-512, SHA-1

FAQ

The RA (Registration Authority) certificate is automatically generated when you create a SCEP-enabled certificate profile. It is used to encrypt and sign the SCEP message exchange between the client and server. The RA certificate has a 10-year validity and is separate from your CA certificate.
Use static challenges for simple setups where a shared password is acceptable, such as network devices or test environments.Use dynamic challenges when integrating with MDM tools (Jamf Pro, Ivanti, Workspace ONE) that support fetching one-time challenges via webhook. Dynamic challenges provide stronger security since each challenge can only be used once and expires automatically.
Yes, if Allow Certificate-Based Renewal is enabled on the certificate profile. Devices that already hold a valid certificate issued by the same CA can submit a renewal request (RenewalReq) signed with their existing certificate, without needing the challenge password.
The server will reject the request with a 400 Bad Request error indicating the unsupported cipher OID. Configure your client to use AES-256-CBC (-E aes256 in sscep) for compatibility.