Client Enrollment Details

This section describes the actual certificate enrollment in detail. The process described here corresponds to steps 7 to 10 in the overall process.

The enrollment request and the response from the CA that contains the req

  1. The client requests the CA's public certificate from the SCEP server.

  2. The SCEP server sends the CA's public certificate to the client.

  3. The client checks the CA's public certificate against the relevant fingerprint. The fingerprint has been provided by the administrator via a UMS profile; see Defining the Certification Authority.

  4. The client sends an enrollment request to the SCEP server. This enrollment request is an HTTP GET request that contains the following:

    - Signed data PKCS7
      - Version
      - Hashing algorithm
      - Signed (unencrypted) data:
        - Enveloped data PKCS7
          - Version
          - Recipient and related encrypted data encryption key; the recipient is the CA.
          - Encrypted data (encrypted with a randomly generated key that is encrypted with the recipient's public key):
            - Certificate Signing Request (PKCS 10)
              - Version
              - Requested subject name
              - Public key of client
              - Challenge password
              - Requested extensions
              - Signature algorithm
              - Digital signature
      - Client certificate
      - Digital signature

  5. If the request was successful, the HTTP response from the SCEP server includes the following data:

    - Signed data PKCS7
      - Version
      - Hashing algorithm
      - Signed (unencrypted) data:
        - Enveloped data PKCS7
          - Version
          - List of recipients
          - Encrypted data:
            - Degenerate Certificates (only PKCS7)
              - Version
              - Issued X.509 certificate
              - CA certificate
      - Digital signature
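The fingerprint check in step 3 is what anchors trust in the CA before the client encrypts its request to the CA's public key. The following Python code is an added example, not code from the product described here. It assumes the hash algorithm can be inferred from the length of the pinned fingerprint (the page does not name the algorithm), and the certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import hmac
import re

# Assumption: the algorithm is inferred from the pinned fingerprint's length;
# the page does not state which hash the administrator's profile uses.
_ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
_PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def to_der(cert_bytes: bytes) -> bytes:
    """Return the DER encoding; accepts DER as-is or a single PEM block."""
    m = _PEM_RE.search(cert_bytes)
    return base64.b64decode(m.group(1)) if m else cert_bytes


def normalize_fingerprint(pinned: str) -> str:
    """Strip separators such as ':' or spaces and lower-case the hex digits."""
    hex_digits = re.sub(r"[\s:.-]", "", pinned).lower()
    if not re.fullmatch(r"[0-9a-f]+", hex_digits):
        raise ValueError("fingerprint contains non-hex characters")
    if len(hex_digits) not in _ALGO_BY_HEX_LEN:
        raise ValueError("unsupported fingerprint length")
    return hex_digits


def ca_cert_matches(cert_bytes: bytes, pinned: str) -> bool:
    """True only if the hash of the received CA certificate equals the pin."""
    expected = normalize_fingerprint(pinned)
    algo = _ALGO_BY_HEX_LEN[len(expected)]
    actual = hashlib.new(algo, to_der(cert_bytes)).hexdigest()
    return hmac.compare_digest(actual, expected)  # constant-time comparison


# Constructed sample: placeholder bytes standing in for a DER certificate.
SAMPLE_DER = bytes.fromhex("3082010a0201") + b"constructed-sample-ca-certificate"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
# Constructed pin in the colon-separated upper-case form often shown in UIs.
PINNED = ":".join(re.findall("..", hashlib.sha256(SAMPLE_DER).hexdigest())).upper()

if __name__ == "__main__":
    print("DER matches pin:     ", ca_cert_matches(SAMPLE_DER, PINNED))
    print("PEM matches pin:     ", ca_cert_matches(SAMPLE_PEM, PINNED))
    print("tampered matches pin:", ca_cert_matches(SAMPLE_DER + b"\x00", PINNED))
```

A client that gets `False` here should abort before step 4, because the enveloped data in the enrollment request is encrypted for whoever holds the key in the received certificate.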




