Public PKI CA with SCEP support


L2 Linker

I want to set up SCEP enrollment on the firewalls so I don't have to manually update each device cert every year.  Ideally I don't want to run my own certificate management server internally.  Can anyone recommend a PKI CA that supports SCEP directly for managing and issuing certificates?  I have had a good look around, and I seem to keep being steered towards various PKI systems to manage enterprise certs, which is not what I want.


I use Panorama to manage the devices, so ideally I would set up the SCEP enrollment with the device hostname and SANs as a template variable.  Hopefully the devices should then be able to auto-renew.  Has anyone managed to do this without an internal cert management server?


L3 Networker

I do not think there is one, because basically that means you will be able to sign new certificates - public CAs will not allow that. The whole trust concept is based on the fact that they check the certificates they are signing.

But creating your own PKI is not rocket science - OpenSSL can do the trick.

L2 Linker

"creating your own PKI is not rocket science" - no, but it is effort and another system that then needs to be managed and maintained.  Internal cert management systems still receive SCEP requests and forward the CSR to external third parties to sign, so I see no reason why this couldn't be done directly, and managed through their portal in the same way.  The CA would still get paid for the new cert issuance in either case; it just reduces the management overhead of having to manually update the certs and keys.  The entire purpose of SCEP is to allow you to set up a system that is capable of automatically requesting a renewal for a device that has already been authenticated and can be identified by its initial PSK or currently active certificate.

L2 Linker

Maybe I should ask the question in a different way.  Who is using SCEP for public-facing certificate renewal, and what is the workflow for the host initial setup and authentication, key generation, CSR and cert?
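As an added example (not from anyone in this thread), here is the "run your own PKI with OpenSSL" option from the earlier reply carried through the per-device workflow the last post asks about: key generation, a CSR, signing, and a check of the result. The CA name, the `example.test` hostnames, the extra SANs, the 30-day lifetimes and the scratch directory are all constructed for the demo; the hostname and SAN variables stand in for what a Panorama template variable would inject, and SCEP transport itself is not shown.

```shell
#!/bin/sh
# Added example: minimal internal CA plus per-device issuance with the OpenSSL CLI.
# Everything lives in a scratch directory; nothing touches the system trust store.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Build a self-signed CA (constructed name and lifetime).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Lab Firewall CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a device cert. $1 = hostname (CN), $2 = optional comma-separated extra SANs.
# The hostname is always included as a DNS SAN, as a template variable would do per device.
issue_device_cert() {
    host="$1"; extra="${2:-}"
    san="DNS:$host"
    if [ -n "$extra" ]; then san="$san,$extra"; fi
    # Extensions are applied at signing time, so the CA, not the requester,
    # decides which SANs and key usages end up in the certificate.
    printf 'subjectAltName=%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$san" > "$WORK/$host.ext"
    # Fresh key pair and CSR for the device.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
    # CA signs the CSR with the extension file above.
    openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/$host.ext" \
        -out "$WORK/$host.crt" 2>/dev/null
}

# Verify the issued cert chains to the CA and carries the hostname as a DNS SAN.
# Prints "ok" and returns 0 on success, returns 1 otherwise.
check_device_cert() {
    host="$1"
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$host.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$WORK/$host.crt" -noout -text 2>/dev/null \
        | grep -q "DNS:$host" || return 1
    echo ok
}

make_ca
issue_device_cert fw1.example.test "DNS:fw1-mgmt.example.test,IP:192.0.2.10"
check_device_cert fw1.example.test
```

Renewal in this model is just re-running `issue_device_cert` for the host before the old certificate expires; the SCEP piece a real deployment adds is the authenticated transport (PSK or existing cert) that lets the device do that itself.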
