scep is a Simple Certificate Enrollment Protocol server and client.

go install github.com/micromdm/scep/v2/cmd/scepclient@latest
go install github.com/micromdm/scep/v2/cmd/scepserver@latest

Binary releases are available on the releases page.

To compile the SCEP client and server you will need a Go compiler as well as standard tools like git, etc.

git clone https://github.com/micromdm/scep.git
cd scep
go build -o scepclient ./cmd/scepclient/
go build -o scepserver ./cmd/scepserver/

git clone https://github.com/micromdm/scep.git
cd scep
docker build -t micromdm/scep:latest .

The scepserver provides one HTTP endpoint, /scep, that facilitates the normal PKIOperation/Message parameters.

In order to do so it needs a CA key and certificate. They're stored in a directory called depot. -depot must be the path to a folder with ca.pem and ca.key files.

If you don't already have a CA to use, you can create one using the ca subcommand: ./scepserver ca -init, or with Docker docker run --rm -it -v ./secp-depot:/depot micromdm/scep:latest ca -init.

In order to start the server manually:

./scepserver -depot secp-depot -challenge=secret

If you want to use Docker instead:

docker run -it --rm -v ./secp-depot:/depot -p 8080:8080 micromdm/scep:latest

If you want to use Docker compose:

version: "3.9"
services:
  scep:
    image: micromdm/scep:latest
    ports:
      - "8080:8080"
    volumes:
      - ./secp-depot:/depot
    command: -depot /depot -challenge=secret

The -csrverifierexec switch to the scepserver allows for executing a command before a certificate is issued to verify the submitted CSR. Scripts exiting without errors (zero exit status) will proceed to certificate issuance, otherwise a SCEP error is generated to the client. For example if you wanted to just save the CSR this is a valid CSR verifier shell script:

#!/bin/sh

cat - >> /tmp/scep.csr

Note: you only need one of this.

# SCEP request:
# Note: if the client.key doesn't exist, the client will create a new rsa private key.
# Note: client.key must be in PEM format.
./scepclient -private-key client.key -server-url=http://127.0.0.1:8080/scep -challenge=secret

# NDES request:
# Note: this should point to an NDES server, scepserver does not provide NDES.
./scepclient -private-key client.key -server-url=https://scep.example.com:4321/certsrv/mscep/ -ca-fingerprint="e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

Note: Make sure to specify the desired endpoint in your -server-url value (e.g. 'http://scep.groob.io:8080/scep')

To obtain a certificate through Network Device Enrollment Service (NDES), set -server-url to a server that provides NDES. This most likely uses the /certsrv/mscep path. You will need to add the -ca-fingerprint client argument during this request to specify which CA to use.

If you're not sure which SHA-256 hash (for a specific CA) to use, you can use the -debug flag to print them out for the CAs returned from the SCEP server.

In order to use scepclient from Docker image you need to override it's entrypoint. Other arguments are passed as in the server command (this is with no binary name).

Remember to add a volume if you're working with files!

docker run -it --rm --volume ./client.key:/client.key --entrypoint=scepclient micromdm/scep:latest -private-key /client.key -server-url=http://127.0.0.1:8080/scep -challenge=secret

The core scep library can be used for both client and server operations.

go get github.com/micromdm/scep/scep

For detailed usage, see the Go Reference.

// read a request body containing SCEP message
body, err := ioutil.ReadAll(r.Body)
if err != nil {
    // handle err
}

// parse the SCEP message
msg, err := scep.ParsePKIMessage(body)
if err != nil {
    // handle err
}

// do something with msg
fmt.Println(msg.MessageType)

// extract encrypted pkiEnvelope
err := msg.DecryptPKIEnvelope(CAcert, CAkey)
if err != nil {
    // handle err
}

// use the CSR from decrypted PKCS request and sign
// MyCSRSigner returns an *x509.Certificate here
crt, err := MyCSRSigner(msg.CSRReqMessage.CSR)
if err != nil {
    // handle err
}

// create a CertRep message from the original
certRep, err := msg.Success(CAcert, CAkey, crt)
if err != nil {
    // handle err
}

// send response back
// w is a http.ResponseWriter
w.Write(certRep.Raw)

You can import the scep endpoint into another Go project. For an example take a look at scepserver.go.

The SCEP server includes a built-in CA/certificate store. This is facilitated by the Depot and CSRSigner Go interfaces. This certificate storage to happen however you want. It also allows for swapping out the entire CA signer altogether or even using SCEP as a proxy for certificates.