Every organization today works with thousands of digital certificates to authenticate and secure users, devices, applications, and services as well as to encrypt transactions. Considering the enormous volume of digital certificates and their varying lifespans, it is not practical to manually enroll, provision or renew every certificate, as this can become an endless cycle of repetitive effort and wasted time.
On March 3, 2023, Google announced a proposal to reduce the maximum validity period for public TLS certificates from 398 days to 90 days. The move is intended to promote automation and agility, and to encourage organizations to move away from “baroque, time-consuming, and error-prone issuance processes.” Google also suggested limiting the domain validation reuse period to 90 days.
When Google rolls out this change, all public TLS certificates will have to be renewed not once but four times a year. Under these circumstances, a manual approach to renewals, enrollment and provisioning, involving several steps, becomes inconceivable. Managing the short-lived certificate lifecycle process becomes even more labor intensive and can result in delays and provisioning errors, amplifying the risk of outages, security weaknesses, data breaches, and compliance violations. The need for certificate lifecycle automation is becoming imperative, especially with Google promoting industry-wide changes to increase speed, security, stability, and simplicity within the PKI ecosystem. This is where certificate auto-enrollment plays a crucial role.
Before we dive into certificate auto-enrollment, let’s understand what it is.
What is Certificate Enrollment?
Certificate enrollment is the process of getting a PKI certificate issued by a public or private Certificate Authority (CA) and provisioning it to the required endpoint. The process typically involves the following steps:
- Generating the key pair (one public and one private key)
- Generating the Certificate Signing Request (CSR), which embeds the public key and is signed with the private key
- Submitting the CSR (and with it the public key) to the registered CA for certificate issuance
- Domain Control Validation (DCV) to prove the requester has control over the domain
- Receiving the certificate from the CA and provisioning it to the endpoint
Common Challenges with Certificate Enrollment
As mentioned earlier, organizations today require a massive volume of digital certificates to secure their infrastructure. Manually enrolling thousands of certificates becomes a complex challenge as it involves multiple personnel soldiering through several steps to complete enrollment, such as key generation, request submission, and provisioning or endpoint binding. Additionally, this process has to be repeated over and over again since certificates have a finite lifespan and must be renewed. The ongoing enrollment process becomes long and inefficient, impacting productivity and security.
Further, IT teams generally monitor and manage digital certificates through spreadsheets and ad hoc tracking tools. With thousands of certificates to track, manual monitoring can easily lead to expired certificates causing outages and security weaknesses.
The good news is there’s a proven way to overcome this challenge: certificate auto-enrollment.
What is Certificate Auto-Enrollment, and How Does it Help?
Certificate auto-enrollment is an approach that enables systems and applications to automatically enroll for certificates on their own without any user intervention. All enrollment steps, such as CSR generation, domain ownership verification, certificate download, and provisioning, are automated to make the process efficient, scalable, and secure.
Eliminating user intervention minimizes the threat of expired certificates, human error, outages, and security compromises. Automating enrollment also improves user productivity by freeing up time for IT resources, who are otherwise caught up in the perpetuity of getting certificates issued and provisioning them.
How Does Certificate Auto-Enrollment Work?
- The auto-enrollment client sends a certificate request to the auto-enrollment server.
- The server validates the information provided in the request to check its authenticity.
- The auto-enrollment server then submits the request to the Certificate Authority (CA).
- The CA processes the request, verifies the domain owner, and issues the certificate to the auto-enrollment server. The server then sends the certificate to the client.
- On receiving the certificate, the client provisions the certificate to the required device.
What are Auto-Enrollment Protocols?
Auto-enrollment protocols are the standardized communication protocols that make automated certificate enrollment possible. They define how a client talks to the certificate authority (or to an enrollment server in front of it) to request, receive, and renew certificates.
There are various auto-enrollment protocols used today in different environments. In this blog post, we will look at the most commonly used auto-enrollment protocols.
1. SCEP (Simple Certificate Enrollment Protocol)
Simple Certificate Enrollment Protocol (SCEP) is an open certificate management protocol that enables the automated issuance of certificates to large numbers of network devices. SCEP-enabled devices can enroll for certificates using a SCEP gateway URL and a shared secret (the challenge password used to authenticate to the CA).
SCEP is the oldest among the lot and is widely used for lightweight applications such as device enrollment. It is often used with EMM (Enterprise Mobility Management) or MDM (Mobile Device Management) platforms to provision certificates to managed mobile devices. MDM systems like Microsoft Intune, JAMF, and Mobileiron use SCEP for enrolling certificates for the increasing number of smartphones and mobile devices.
The primary characteristics of SCEP are:
- SCEP transports messages over HTTP; requests and responses are PKCS#7 (CMS) messages, with the sensitive content (such as the CSR) wrapped in an encrypted pkcsPKIEnvelope.
- SCEP supports only RSA keys, because the envelope is encrypted to the CA’s RSA certificate; this makes the message encryption somewhat cumbersome and rules out ECC keys.
- It uses a ‘challenge password’ attribute inside the certificate signing request (CSR), a shared secret known only to the SCEP server and the requester, to authenticate the request.
- Being a lightweight protocol, SCEP provides no online revocation operation and has only limited Certificate Revocation List (CRL) retrieval support.
2. EST (Enrollment over Secure Transport) Protocol
EST is considered the successor to SCEP and is both more secure and more capable than its predecessor. The protocol is defined in RFC 7030 (published in 2013) and is recommended by the IETF because it delivers several advantages for today’s complex PKI environments that SCEP does not. It is usually the preferred choice for IoT applications.
Advantages of EST over SCEP:
- EST relies on TLS for authentication and for secure transmission of messages and certificates. This removes the need to encrypt messages with a shared secret (as SCEP does), making EST inherently more secure than SCEP.
- While SCEP uses a shared secret to authenticate the CSR, EST authenticates the client with a certificate issued by a trusted certificate authority (TLS client authentication).
- Unlike SCEP, EST supports modern cryptographic algorithms such as ECC and ECDSA. Support for elliptic-curve algorithms makes EST computationally cheaper, which suits devices with limited resources.
- Renewal (re-enrollment) is built into EST, whereas in SCEP it is an add-on. Existing SCEP deployments typically require considerable upgrades to their administration systems to support automated certificate renewal.
- SCEP supports private key generation only on the client side, whereas EST also supports server-side key generation: in response to an enrollment request, the server can generate the private key and return it together with the certificate.
3. ACME (Automated Certificate Management Environment) Protocol
ACME is considered one of the best auto-enrollment protocols for issuing TLS certificates. Focused on automation, ACME uses a client agent (several open-source implementations exist) to automate the certificate enrollment process end-to-end, from key pair generation to provisioning and renewals.
It was primarily used by the popular public CA, Let’s Encrypt, as a part of their business model for issuing 90-day Domain Validated (DV) certificates and automating their periodic renewals. However, various other CAs, PKI vendors, and browsers are now beginning to support ACME for other kinds of certificates, including Organization Validated (OV) and Extended Validation (EV) certificates, as well as S/MIME and code-signing certificates. To use ACME for them, the CA must be able to reach the DNS or HTTP name that is published for validation.
One of the significant benefits of using ACME is its ability to automate Domain Control Validation and provide proof of identity (ownership of a specific DNS name) without any manual interaction or verification by the requester or the CA. This makes continuous certificate enrollment and renewal a seamless process.
Other benefits of ACME include:
- Heightened Security: The protocol facilitates the use of short-lived certificates, shrinking the replacement cycle and thus enhancing security.
- CA and Certificate Agility: With more commercial CAs supporting ACME, users can rapidly switch to a different CA or reissue certificates in the event of a compromise. The ACME agent can even replace and re-provision all old certificates with fresh ones from the new CA.
- Higher Ecosystem Quality: Developers can adhere to a uniform protocol instead of supporting varying program components using APIs.
- Cost Savings: The protocol is an open standard, and free, open-source clients are widely available.
Popular ACME agents include Certbot, GetSSL, Posh-ACME, Caddy, ACMESharp, and Nginx ACME, among others.
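The domain-validation exchange described above, as an added example that is not part of the original post and not AppViewX’s code: the client computes the key authorization from the CA’s token and its account key (RFC 8555 section 8.1), publishes it for the http-01 or dns-01 challenge, and the CA checks it. Everything runs in memory: the account JWK is a constructed placeholder, and two dicts stand in for the web server and the DNS zone that a real CA would query over the network. It goes beyond the paragraph by also handling the wildcard case, where only dns-01 applies and the record sits under the base name.

```python
"""Added example: the ACME domain-validation exchange (RFC 8555 section 8)
run entirely in memory. This is not code from the original post or from
AppViewX; the account key, domain names, and the dict stand-ins for the
web server and DNS zone are constructed for the demo."""
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of only the
    required public members (sorted keys, no whitespace). Extra members
    such as 'kid' or 'alg' must not influence the value."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' base64url(thumbprint). It binds the
    CA-chosen token to the requester's account key, so only the account
    holder can produce a valid response."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_host(domain: str) -> str:
    """For a wildcard identifier the proof is placed under the base name."""
    return domain[2:] if domain.startswith("*.") else domain


# ---- client side: publish the proof ---------------------------------------

def respond_http01(web_root: dict, domain: str, token: str, account_jwk: dict) -> str:
    """Serve the key authorization at the well-known URL (plain HTTP)."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    web_root[url] = key_authorization(token, account_jwk)
    return url


def respond_dns01(dns_zone: dict, domain: str, token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: publish base64url(SHA-256(key authorization))
    as a TXT record at _acme-challenge.<base domain>."""
    name = f"_acme-challenge.{challenge_host(domain)}"
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    dns_zone.setdefault(name, []).append(b64url(digest))
    return name


# ---- CA side: issue a token and verify the proof --------------------------

def new_token() -> str:
    """Challenge token with 256 bits of entropy (RFC 8555 requires >= 128)."""
    return b64url(secrets.token_bytes(32))


def validate_http01(web_root: dict, domain: str, token: str, account_jwk: dict) -> bool:
    """Fetch the well-known URL and compare it to the expected value.
    http-01 cannot demonstrate control of every name under a wildcard,
    so wildcard identifiers are refused here; use dns-01 for those."""
    if domain.startswith("*."):
        return False
    body = web_root.get(f"http://{domain}/.well-known/acme-challenge/{token}")
    expected = key_authorization(token, account_jwk)
    return body is not None and secrets.compare_digest(body, expected)


def validate_dns01(dns_zone: dict, domain: str, token: str, account_jwk: dict) -> bool:
    """Look up the TXT record and accept if any value matches the digest."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    expected = b64url(digest)
    records = dns_zone.get(f"_acme-challenge.{challenge_host(domain)}", [])
    return any(secrets.compare_digest(r, expected) for r in records)


# Constructed sample account key (public part, placeholder modulus; a real
# RSA JWK carries a 2048-bit 'n'). 'kid' is deliberately present to show
# that it is excluded from the thumbprint.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-sample-modulus", "kid": "acct-1"}


if __name__ == "__main__":
    web, zone = {}, {}
    tok = new_token()
    respond_http01(web, "www.example.com", tok, ACCOUNT_JWK)
    respond_dns01(zone, "*.example.com", tok, ACCOUNT_JWK)
    print("http-01:", validate_http01(web, "www.example.com", tok, ACCOUNT_JWK))
    print("dns-01 :", validate_dns01(zone, "*.example.com", tok, ACCOUNT_JWK))
```

What the block leaves out is the JWS-signed account traffic (newOrder, finalize, certificate download) that a real agent such as Certbot performs; the part shown is the proof of control that lets a CA issue without a human in the loop. Two details matter for a defender: the comparison uses a constant-time check, and the thumbprint is computed over the required JWK members only, so a client that sends extra metadata in its JWK still produces the same value the CA expects.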
4. Windows Auto-Enrollment Protocol
Microsoft also provides certificate auto-enrollment as a service within its Active Directory Certificate Services (ADCS). Enabled by Group Policy (GPO), the service allows Windows clients and servers within a Microsoft domain to automatically enroll and renew certificates from Microsoft CA without user intervention.
Once the Group Policy is created, Microsoft clients connect to a configured Certificate Enrollment Policy (CEP) server, which provides the set of Certificate Enrollment Policies that determine which certificates the client is permitted to obtain.
The client then sends a request for those certificates to the Microsoft CA (the Enterprise Certificate Server), which issues the requested certificates to the client. The entire process is fully automated and does not require any user intervention.
However, the challenge with Microsoft auto-enrollment is that it can only be used for Windows endpoints, and the auto-enrollment configuration must be replicated for every domain. Further, Windows auto-enrollment alone can be difficult to scale, given that enterprises today have hundreds of domains as well as many non-Windows endpoints.
Network Device Enrollment Service (NDES) is Microsoft’s implementation of the SCEP protocol, used to issue certificates to network devices. It enables the software running on routers and switches to enroll for X.509 certificates without domain credentials, since these devices have no domain account with which to authenticate.
AppViewX’s Support for Auto-Enrollment Protocols
AppViewX CERT+ is a ready-to-consume, scalable certificate lifecycle management (CLM) solution that automates all certificate processes end-to-end. You can discover, inventory, monitor, and automate the complete certificate lifecycle, all through a central console.
AppViewX CERT+ enables certificate auto-enrollment by automating all the steps involved, including CSR generation, domain ownership verification, certificate download, and provisioning, making the process efficient, scalable, and secure. AppViewX CERT+ supports all major auto-enrollment protocols, including ACME, EST, SCEP, native Windows auto-enrollment, and Microsoft Intune. Automating certificate enrollment reduces human error, outages, and security compromises, while improving productivity.