diff --git a/step-ca/README.mdx b/step-ca/README.mdx index 6aaf2a95..5b486353 100644 --- a/step-ca/README.mdx +++ b/step-ca/README.mdx @@ -1,4 +1,5 @@ --- +updated_at: March 27, 2025 title: "`step-ca` server" html_title: step-ca open source server description: Learn about step-ca @@ -99,12 +100,13 @@ Here are some limitations of `step-ca` that grew out of [our design choices](../ - It issues X.509 certificates from a single configured Intermediate CA; multiple issuing CAs are not supported - Its root CA is always offline; a single-tier PKI is not supported - Issuance policies are authority-wide -- There are known [ACME concurrency limits](https://github.com/smallstep/certificates/issues/341) for high-availability CAs +- Known [ACME concurrency limits](https://github.com/smallstep/certificates/issues/341) for high-availability CAs - Very limited options for active revocation (CRL, OCSP) - Very limited options for legacy CA protocols - Very limited options for device attestation - No integration with Certificate Transparency (CT) logs - No support for certificate issuance history or metrics +- No dynamic SCEP support (eg. for Intune or Jamf) - No support for ACME External Account Binding (EAB) If your use case demands these features, you should [talk to us](https://go.smallstep.com/request-demo) because you may be better served by our [commercial product](https://smallstep.com/product/). diff --git a/step-ca/provisioners.mdx b/step-ca/provisioners.mdx index fb10005c..343f48d2 100644 --- a/step-ca/provisioners.mdx +++ b/step-ca/provisioners.mdx @@ -1,4 +1,5 @@ --- +updated_at: March 27, 2025 title: Configuring `step-ca` Provisioners html_title: Configuring open source step-ca Provisioners description: Learn how to configure step-ca Provisioners 
@@ -1251,6 +1252,10 @@ It runs over HTTP using POSTed binary data or base64-encoded GET parameters, using CMS (PKCS#7) and CSR (PKCS#10) data formats. A (shared) secret authenticates clients to the CA. +The SCEP provisioner does not support "dynamic SCEP" workflows with single-use secrets, +such as Intune or Jamf. +Our [commercial platform](https://smallstep.com) adds these workflows. + #### Requirements Your CA must use an RSA intermediate CA, even if your client supports ECDSA.
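Review bot: In the front-matter hunk of step-ca/README.mdx (`@@ -1,4 +1,5 @@`), `updated_at: March 27, 2025` is a free-form, locale-specific date string. If anything parses or sorts on this field, an ISO 8601 value such as `updated_at: 2025-03-27` is unambiguous. The same line is added in the front-matter hunk of step-ca/provisioners.mdx, so whichever format is chosen should match in both files.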
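Review bot: In the limitations hunk of step-ca/README.mdx (`@@ -99,12 +100,13 @@`), the new bullet `- No dynamic SCEP support (eg. for Intune or Jamf)` has a punctuation slip ("eg." should be "e.g.") and uses "dynamic SCEP" without saying what it means, while the provisioners.mdx hunk in this same patch explains it as workflows with single-use secrets. Suggest `- No dynamic SCEP support (e.g. for Intune or Jamf)` and either a short gloss or a link to the SCEP provisioner section, so a reader of the README alone can tell which enrollment setups are affected.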
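Review bot: In the SCEP hunk of step-ca/provisioners.mdx (`@@ -1251,6 +1252,10 @@`), the added paragraph follows "A (shared) secret authenticates clients to the CA." but never makes the contrast explicit: a reader has to infer that this provisioner authenticates with that shared secret rather than with a single-use one. Suggest saying so directly, since that is the property someone evaluating the provisioner for device enrollment needs to see. Two smaller points: "single-use secrets, such as Intune or Jamf" reads as if Intune and Jamf were secrets, so "such as those used with Intune or Jamf" is clearer; and the link target `https://smallstep.com` differs from the `https://smallstep.com/product/` link the README uses for the commercial product in this same patch, so pick one.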