Enrollment Methods
The core challenge when enrolling certificates is how to authenticate the device or user requesting the certificate. By issuing the certificate, the CA confirms that the certificate holder has specific properties and that it has verified the holder's authenticity.
Therefore, a core property of any certificate enrollment protocol is how it authenticates the certificate requester. Depending on what the certificate is used for, one protocol or another is the better fit.
Another important property is practical adoption: the enrollment method or protocol must be supported both by the CA and on the client side for the intended use case.
The most popular enrollment protocols are:

- ACME
- EST
- Microsoft's SOAP
- Manual enrollment on the CA's web page
- Other proprietary protocols
| | Microsoft proprietary DCOM and RPC | WS-Trust Enrollment Extension (SOAP Enrollment) | Automatic Certificate Management Environment (ACME) | Simple Certificate Enrollment Protocol (SCEP) | Enrollment over Secure Transport (EST) |
|---|---|---|---|---|---|
| Specifications | Microsoft OpenSpec1 | Microsoft OpenSpec2 | RFC 8555 | Informal, now RFC 8894 | RFC 7030 (+ …) |
| Implementation | Server side: Active Directory CS. Client side: Windows | Server side: ADCS, others? Client side: Windows | Server side: Let's Encrypt. Client side: many | Many server and client implementations | Poor adoption |
| Authentication | AD Authentication | AD Authentication* (formally, username/password might not be in AD) | DNS Authentication | "SCEP Challenge" | CBA or HTTP Basic/Digest Authentication |
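As an added illustration of the ACME "DNS Authentication" entry above (example code written for this page, not taken from it or from any ACME implementation): the requester derives the DNS-01 TXT value from the challenge token and its account key as RFC 8555 specifies, and the CA recomputes that value to validate the challenge. The account key and token below are constructed sample values, not a real account.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) and JWK use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    sorted lexicographically and serialised without whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint(account key). This binds
    the challenge token to the ACME account that requested the order."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """RFC 8555 section 8.4: name and value of the TXT record the requester
    must publish to prove control of the domain."""
    key_auth = key_authorization(token, account_jwk).encode("ascii")
    return (f"_acme-challenge.{domain}", b64url(hashlib.sha256(key_auth).digest()))


def ca_validates_dns01(domain: str, token: str, account_jwk: dict,
                       observed_txt: list[str]) -> bool:
    """CA side: recompute the expected value and require that it appears
    among the TXT records actually observed for _acme-challenge.<domain>."""
    _, expected = dns01_record(domain, token, account_jwk)
    return expected in observed_txt


# Constructed sample account key (not a real account) and a constructed token.
# "alg" and "kid" are deliberately present: the thumbprint must ignore them.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
              "alg": "ES256", "kid": "acct-1"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    name, value = dns01_record("example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print(name, "TXT", value)
```

The same key-authorization string is what HTTP-01 serves over HTTP; only DNS-01 hashes it again before publication.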