Merged
4 changes: 3 additions & 1 deletion step-ca/README.mdx
@@ -1,4 +1,5 @@
---
updated_at: March 27, 2025
title: "`step-ca` server"
html_title: step-ca open source server
description: Learn about step-ca
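Review bot: The added `updated_at: March 27, 2025` front-matter value is a free-form date string, and the same value is entered by hand in step-ca/provisioners.mdx in this PR. If anything parses or sorts on this field, an ISO 8601 value (2025-03-27) would be unambiguous; if the site's other pages already use the long form, ignore this.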
@@ -99,12 +100,13 @@ Here are some limitations of `step-ca` that grew out of [our design choices](../
- It issues X.509 certificates from a single configured Intermediate CA; multiple issuing CAs are not supported
- Its root CA is always offline; a single-tier PKI is not supported
- Issuance policies are authority-wide
- There are known [ACME concurrency limits](https://github.com/smallstep/certificates/issues/341) for high-availability CAs
- Known [ACME concurrency limits](https://github.com/smallstep/certificates/issues/341) for high-availability CAs
- Very limited options for active revocation (CRL, OCSP)
- Very limited options for legacy CA protocols
- Very limited options for device attestation
- No integration with Certificate Transparency (CT) logs
- No support for certificate issuance history or metrics
- No dynamic SCEP support (eg. for Intune or Jamf)
- No support for ACME External Account Binding (EAB)

If your use case demands these features, you should [talk to us](https://go.smallstep.com/request-demo) because you may be better served by our [commercial product](https://smallstep.com/product/).
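Review bot: In the new bullet "No dynamic SCEP support (eg. for Intune or Jamf)", "eg." should be "e.g.", and "dynamic SCEP" is used without explanation. The provisioners.mdx change in this PR describes it as workflows with single-use secrets, so either add those words here or link the bullet to the SCEP provisioner section. Separately, rewording the ACME concurrency bullet to a noun phrase leaves the list mixed, since the first three bullets are still full sentences ("It issues ...", "Its root CA ...", "Issuance policies are ..."); consider making the list consistent one way or the other.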
5 changes: 5 additions & 0 deletions step-ca/provisioners.mdx
@@ -1,4 +1,5 @@
---
updated_at: March 27, 2025
title: Configuring `step-ca` Provisioners
html_title: Configuring open source step-ca Provisioners
description: Learn how to configure step-ca Provisioners
@@ -1251,6 +1252,10 @@ It runs over HTTP using POSTed binary data or base64-encoded GET parameters,
using CMS (PKCS#7) and CSR (PKCS#10) data formats.
A (shared) secret authenticates clients to the CA.

The SCEP provisioner does not support "dynamic SCEP" workflows with single-use secrets,
such as Intune or Jamf.
Our [commercial platform](https://smallstep.com) adds these workflows.

#### Requirements

Your CA must use an RSA intermediate CA, even if your client supports ECDSA.
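Review bot: In the added SCEP paragraph, "such as Intune or Jamf" attaches grammatically to "single-use secrets" and reads as if Intune and Jamf were the secrets; something like "such as those used by Intune or Jamf" would be clearer. The paragraph also says "commercial platform" and links https://smallstep.com, while the visible README.mdx context says "commercial product" and links https://smallstep.com/product/; pick one name and one link target for both pages. Since the preceding context line says a (shared) secret authenticates clients, it would help to state in the same paragraph that the open source provisioner supports only that static shared secret, so readers see the contrast with single-use secrets directly.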