I want to set up SCEP enrollment on the firewalls so I don't have to manually update each device cert every year. Ideally I don't want to run my own certificate management server internally. Can anyone recommend a PKI CA that supports SCEP directly for managing and issuing certificates? I have had a good look round, and I seem to keep being steered towards various PKI systems to manage enterprise certs, which is not what I want.
I use Panorama to manage the devices, so ideally I would set up the SCEP enrollment with the device hostname and SANs as a template variable. Hopefully the devices should then be able to auto renew. Anyone managed to do this without an internal Cert management server?
I do not think there is one, because basically that means you will be able to sign new certificates - public CAs will not allow that. The whole trust concept is based on the fact that they check the certificates they are signing.
But creating your own PKI is not rocket science - OpenSSL can do the trick.
"creating your own PKI is not a rocket science" No, but it is effort and another system that then needs to be managed and maintained. Internal cert management systems still receive SCEP requests and forward the CSR to external third parties to sign, so I see no reason why this couldn't be done directly and managed through their portal in the same way. The CA would still get paid for the new cert issuance in either case; it just reduces the management overhead of having to manually update the certs and keys. The entire purpose of SCEP is to allow you to set up a system that is capable of auto-requesting a renewal for a device that has already been authenticated and can be identified by its initial PSK or currently active certificate.
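As an added example (not code posted by anyone in this thread), the following script shows the "OpenSSL can do the trick" suggestion from the reply above, and the issuance-and-renewal step that a SCEP server automates: it builds a minimal private CA, issues a device certificate whose CN and SANs carry the firewall hostname and management IP (the values Panorama would fill in from template variables), and re-issues it against the same key to model a renewal. The CA name, hostname, IP address and working directory are all made up for the example; nothing here is Palo Alto or Panorama configuration.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal private CA built with OpenSSL
# that issues a firewall device certificate carrying the hostname and SANs.
# All names, addresses and paths below are hypothetical.
set -e

# Write a self-contained OpenSSL config so the script does not depend on the
# system openssl.cnf. $1 = working directory.
write_config() {
  cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Create the CA key and a self-signed CA certificate (RSA-2048, 10 years).
make_ca() {
  mkdir -p "$1"
  write_config "$1"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$1/openssl.cnf" -extensions ca_ext \
    -subj "/O=Example Corp/CN=Example Internal Device CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Issue (or re-issue) a device certificate. $1 = dir, $2 = hostname, $3 = IP.
# The device key is created only if it does not exist yet, so a second call
# models a renewal: same key, fresh CSR, new certificate and validity window.
issue_device_cert() {
  dir=$1; host=$2; ip=$3
  [ -f "$dir/$host.key" ] || openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
  # Leaf extensions; the SAN line is what a template variable would populate.
  cat > "$dir/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$host, IP:$ip
EOF
  openssl req -new -key "$dir/$host.key" -sha256 \
    -config "$dir/openssl.cnf" -subj "/CN=$host" -out "$dir/$host.csr" 2>/dev/null
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/$host.ext" \
    -out "$dir/$host.crt" 2>/dev/null
}

# Check the issued cert chains to the CA and carries the hostname SAN.
# Prints "<host>: OK" and returns 0 on success, non-zero otherwise.
verify_device_cert() {
  dir=$1; host=$2
  openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/$host.crt" -noout -text | grep -q "DNS:$host" || return 1
  echo "$host: OK"
}

# Demo run in a throwaway directory with a made-up firewall hostname and IP.
WORK=$(mktemp -d)
make_ca "$WORK"
issue_device_cert "$WORK" fw01.example.internal 10.0.0.1
verify_device_cert "$WORK" fw01.example.internal
issue_device_cert "$WORK" fw01.example.internal 10.0.0.1   # renewal: same key
verify_device_cert "$WORK" fw01.example.internal
```

The renewal call is the part SCEP exists to automate: the device proves it is the same device (by its current certificate, or by the one-time challenge password on first enrollment) and receives a new certificate for the same key, which is why a public CA's portal has no equivalent to offer without a CA-like intermediary in front of it.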