This section describes the actual certificate enrollment in detail. The process described here corresponds to steps 7 to 10 in the overall process.

The enrollment request and the response from the CA that contains the req
  1. The client requests the CA's public certificate from the SCEP server.
  2. The SCEP server sends the CA's public certificate to the client.
  3. The client checks the CA's public certificate against the relevant fingerprint. The fingerprint has been provided by the administrator via a UMS profile; see Defining the Certification Authority.
  4. The client sends an enrollment request to the SCEP server. This enrollment request is an HTTP GET request that contains the following:

     Signed data (PKCS#7):

       - Version
       - Hashing algorithm
       - Signed (unencrypted) data: enveloped data (PKCS#7):
           - Version
           - Recipient and related encrypted data encryption key; the recipient is the CA.
           - Encrypted data (encrypted with a randomly generated key that is encrypted with the recipient's public key): certificate signing request (PKCS#10):
               - Version
               - Requested subject name
               - Public key of client
               - Challenge password
               - Requested extensions
               - Signature algorithm
               - Digital signature
       - Client certificate
       - Digital signature

  5. If the request was successful, the HTTP response from the SCEP server includes the following data:

     Signed data (PKCS#7):

       - Version
       - Hashing algorithm
       - Signed (unencrypted) data: enveloped data (PKCS#7):
           - Version
           - List of recipients
           - Encrypted data: degenerate certificates (certificates-only PKCS#7):
               - Version
               - Issued X.509 certificate
               - CA certificate
       - Digital signature
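Step 3 above is what keeps the challenge password and the request from being handed to a substituted CA: the client must compare the certificate it received in step 2 with the fingerprint from the UMS profile before it builds the enveloped data. The following Python example is added here to show one way a client can perform that check; it is not IGEL's or any SCEP implementation's code, the function names are assumptions, and the certificate bytes are a constructed stand-in rather than a real certificate.

```python
import base64
import hashlib
import hmac
import re

# Hex-digest length -> fingerprint algorithm. MD5 is listed only because
# older SCEP deployments still publish MD5 fingerprints.
_FINGERPRINT_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}

# Optional label in front of the hex, e.g. "SHA256 Fingerprint=AB:CD:..."
_LABEL = re.compile(r"^\s*(?:md5|sha-?1|sha-?256)\s*(?:fingerprint)?\s*[:=]\s*", re.I)

# Constructed stand-in for the DER bytes of a CA certificate (not a real
# certificate; the fingerprint is a plain hash over whatever bytes arrive).
SAMPLE_CA_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-ca-certificate-bytes"
SAMPLE_CA_CERT_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_CA_CERT_DER)
                      + b"\n-----END CERTIFICATE-----\n")


def normalize_fingerprint(text: str) -> str:
    """Reduce an administrator-supplied fingerprint to lowercase hex only."""
    text = _LABEL.sub("", text.strip(), count=1)
    return re.sub(r"[^0-9a-fA-F]", "", text).lower()


def pem_to_der(data: bytes) -> bytes:
    """Return DER bytes; a PEM-encoded certificate is base64-decoded first."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def ca_cert_fingerprint(cert: bytes, algo: str = "sha256") -> str:
    """Fingerprint of a certificate, as 'openssl x509 -fingerprint' reports it."""
    return hashlib.new(algo, pem_to_der(cert)).hexdigest()


def ca_cert_matches(cert: bytes, expected_fingerprint: str) -> bool:
    """Step 3 of the enrollment: accept the CA certificate from the GetCACert
    response only if it matches the fingerprint configured in the UMS profile.

    The algorithm is chosen from the length of the configured value; an
    unexpected length is rejected rather than guessed.
    """
    expected = normalize_fingerprint(expected_fingerprint)
    algo = _FINGERPRINT_ALGOS.get(len(expected))
    if algo is None:
        return False
    # Constant-time comparison of the hex strings.
    return hmac.compare_digest(ca_cert_fingerprint(cert, algo), expected)
```

A client that skips this check, or that compares only a prefix of the fingerprint, would encrypt its challenge password to whichever certificate the network delivered.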