https://live.paloaltonetworks.com/t5/globalprotect-discussions/public-pki-ca-with-scep-support/m-p/450411#M2187 <P>Maybe I should ask the question in a different way.&nbsp; Who is using SCEP for public facing certificate renewal, and what is the work flow for the host initial setup and authentication, Key Generation, CSR and Cert?</P> Tue, 30 Nov 2021 15:17:50 GMT Rich.H 2021-11-30T15:17:50Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/public-pki-ca-with-scep-support/m-p/450396#M2184 <P>I want to set up SCEP enrollment on the firewalls so I don't have to manually update each device cert every year.&nbsp; Ideally I don't want to run my own Certificate management server internally.&nbsp; Can anyone recommend a PKI CA that supports SCEP directly for managing and issuing certificates, I have had a good look round, and I seem to keep being steered towards various PKI systems to manage enterprise certs, which is not what I want.</P><P>&nbsp;</P><P>I use Panorama to manage the devices, so ideally I would set up the SCEP enrollment with the device hostname and SANs as a template variable.&nbsp; Hopefully the devices should then be able to auto renew.&nbsp; Anyone managed to do this without an internal Cert management server?</P> Tue, 30 Nov 2021 14:18:59 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/public-pki-ca-with-scep-support/m-p/450396#M2184 Rich.H 2021-11-30T14:18:59Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/public-pki-ca-with-scep-support/m-p/450403#M2185 <P>I do not think there is one, because basically that means you will be able to sign new certificates - public CAs will not allow that. Whole trust concept is based on the fact that they check the certificates they are signing.&nbsp;</P><P>But creating your own PKI is not a rocket science - OpenSSL can do the trick.</P> Tue, 30 Nov 2021 15:00:26 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/public-pki-ca-with-scep-support/m-p/450403#M2185 nikoo 2021-11-30T15:00:26Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/public-pki-ca-with-scep-support/m-p/450408#M2186 <P>"creating your own PKI is not a rocket science" no but it is effort and another system that then needs to be managed and maintained.&nbsp; Internal Cert management systems still receives SCEP requests and forwards the CSR to external third parties to sign, so I see no reason why this couldn't be done directly, and managed through their portal in the same way.&nbsp; The CA would still get paid for the new cert issuance in either case, it just reduces the management overhead of having to manually update the certs and keys.&nbsp; The entire purpose of SCEP is to allow you to set up a system that is capable of auto requesting a renewal for a device that has already been authenticated and can be identified by it's initial PSK or currently active certificate.</P> Tue, 30 Nov 2021 15:07:47 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/public-pki-ca-with-scep-support/m-p/450408#M2186 Rich.H 2021-11-30T15:07:47Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/public-pki-ca-with-scep-support/m-p/450411#M2187 <P>Maybe I should ask the question in a different way.&nbsp; Who is using SCEP for public facing certificate renewal, and what is the work flow for the host initial setup and authentication, Key Generation, CSR and Cert?</P> Tue, 30 Nov 2021 15:17:50 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/public-pki-ca-with-scep-support/m-p/450411#M2187 Rich.H 2021-11-30T15:17:50Z