Commit f080d14

Merge pull request #400 from smallstep/carl/scep-clarificatoin
Clarify limits of SCEP provisioner
2 parents 53bd262 + f7fe252 commit f080d14

2 files changed

+8
-1
lines changed

step-ca/README.mdx

Lines changed: 3 additions & 1 deletion
@@ -1,4 +1,5 @@
11
---
2+
updated_at: March 27, 2025
23
title: "`step-ca` server"
34
html_title: step-ca open source server
45
description: Learn about step-ca
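Review bot: The added front-matter line `updated_at: March 27, 2025` uses a free-form date string. If anything parses or sorts on this field, an ISO 8601 value (2025-03-27) would be unambiguous. The diff does not show how the field is consumed, so treat this as a question for the author rather than a required change.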
@@ -99,12 +100,13 @@ Here are some limitations of `step-ca` that grew out of [our design choices](../
99100
- It issues X.509 certificates from a single configured Intermediate CA; multiple issuing CAs are not supported
100101
- Its root CA is always offline; a single-tier PKI is not supported
101102
- Issuance policies are authority-wide
102-
- There are known [ACME concurrency limits](https://github.com/smallstep/certificates/issues/341) for high-availability CAs
103+
- Known [ACME concurrency limits](https://github.com/smallstep/certificates/issues/341) for high-availability CAs
103104
- Very limited options for active revocation (CRL, OCSP)
104105
- Very limited options for legacy CA protocols
105106
- Very limited options for device attestation
106107
- No integration with Certificate Transparency (CT) logs
107108
- No support for certificate issuance history or metrics
109+
- No dynamic SCEP support (eg. for Intune or Jamf)
108110
- No support for ACME External Account Binding (EAB)
109111

110112
If your use case demands these features, you should [talk to us](https://go.smallstep.com/request-demo) because you may be better served by our [commercial product](https://smallstep.com/product/).
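Review bot: The added bullet `- No dynamic SCEP support (eg. for Intune or Jamf)` has a punctuation slip and an undefined term: `eg.` should be `e.g.`, and "dynamic SCEP" is not explained anywhere in this list. Since this same commit adds the explanation to the SCEP section of step-ca/provisioners.mdx, linking the bullet there (as the ACME concurrency bullet links to its issue) would let a reader find what the limitation means. The reworded `- Known [ACME concurrency limits]` bullet now matches the noun-phrase style of the bullets below it, which is fine.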

step-ca/provisioners.mdx

Lines changed: 5 additions & 0 deletions
@@ -1,4 +1,5 @@
11
---
2+
updated_at: March 27, 2025
23
title: Configuring `step-ca` Provisioners
34
html_title: Configuring open source step-ca Provisioners
45
description: Learn how to configure step-ca Provisioners
@@ -1251,6 +1252,10 @@ It runs over HTTP using POSTed binary data or base64-encoded GET parameters,
12511252
using CMS (PKCS#7) and CSR (PKCS#10) data formats.
12521253
A (shared) secret authenticates clients to the CA.
12531254

1255+
The SCEP provisioner does not support "dynamic SCEP" workflows with single-use secrets,
1256+
such as Intune or Jamf.
1257+
Our [commercial platform](https://smallstep.com) adds these workflows.
1258+
12541259
#### Requirements
12551260

12561261
Your CA must use an RSA intermediate CA, even if your client supports ECDSA.
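Review bot: In the added paragraph, `such as Intune or Jamf.` follows `single-use secrets,` so the sentence reads as if Intune and Jamf were examples of secrets rather than of the workflows. Suggest rewording so the examples attach to the workflows, for example: The SCEP provisioner does not support "dynamic SCEP" workflows, such as those used by Intune or Jamf, which rely on single-use secrets. It would also help to state the contrast with the preceding context line `A (shared) secret authenticates clients to the CA.`, since that is the behaviour the reader is being told they will get instead. Finally, the commercial link here targets https://smallstep.com while README.mdx links the commercial product at https://smallstep.com/product/; using one target in both files would be consistent.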