Simple Certificate Enrollment Protocol (SCEP) Add-on for Certificate Services

The Simple Certificate Enrollment Protocol (SCEP) Add-on for Certificate Services runs on the Windows Server 2003 family. It provides support for SCEP, which allows Cisco routers and other intermediate network devices to obtain certificates.
  • Version: 5.131.3790.1053
  • File Name: cepsetup.exe
  • Date Published: 8/24/2012
  • File Size: 171 KB

      This update addresses the following issue:
      • Added support for clients that do not supply the Key Usage in the PKCS#10 request to the certificate authority (CA). This update will allow the CA to accept a request where no Key Usage is specified in the request. The CA will include the proper Key Usage automatically in the issued certificate.
  • Supported Operating System: Windows Server 2003


      You can download and install the SCEP Add-on for Certificate Services on the following platforms:
      • Windows Server 2003, Standard Edition
      • Windows Server 2003, Enterprise Edition
      • Windows Server 2003, Datacenter Edition

      1. Click the Download link to start the download.
      2. In the File Download dialog box, select Save this program to disk.
      3. Select a location on your computer to save the file, and then click Save.
      4. In Windows Explorer, go to the location where you saved the downloaded file, double-click the file to start the installation process, and then follow the installation instructions.

    • Important notes before you start:
      • You must install the SCEP Add-on for Certificate Services on a certification authority (CA). Both enterprise CAs and stand-alone CAs are supported. You can install the SCEP Add-on for Certificate Services on a root or subordinate CA.
      • If you are using Cisco routers to enroll for certificates, they must be running Cisco IOS Release 12.2(6) or later.
      • When using a standalone CA, the CA should be in a separate certification hierarchy from all other CAs in your organization. This helps prevent any unintended trust of SCEP clients.
      • You must have proper administrative privileges to install the SCEP Add-on for Certificate Services. By default, you need to be a member of the Enterprise Administrators group and the root Domain Administrators group to install this add-on on an enterprise CA, or you need to be a member of the local computer's administrators group to install this add-on on a standalone CA.
      • The SCEP Add-on for Certificate Services cannot be installed on a CA that has any non-alphanumeric characters (&,*, :, ;, ', ", etc.) in its name.
      • The SCEP Add-on can be configured to use either the local system account or a user account to connect to the CA for certificate enrollment. When using a user account, the account must be a member of the IIS_WPG security group and have Read and Enroll permission for the IPSec (Offline request) certificate template. If the CA is an enterprise CA, the user account must be an Active Directory user account, and additional configuration steps are required. For more information, see the documentation for the SCEP Add-on for Certificate Services located in the Windows Server 2003 Resource Kit documentation.
      • The CA that issues the SCEP certificate must publish its certificate revocation list (CRL) to an HTTP URL that the router can contact. The CRL location must be an HTTP location for the router to retrieve it and verify the revocation status of its certificate. In addition, the CRL location must be specified as a CRL Distribution Point (CDP) in the issued certificate for the router to locate it.
      • When using a standalone CA with SCEP as a separate certification hierarchy, the root CA's certificate and chain should not be trusted by other clients in the enterprise. In this configuration, the SCEP-oriented PKI is only intended for trust by intermediate network devices that use SCEP.