EST compared to SCEP, CMC and CMP
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of
Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners.
The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
© 2016 Cisco Systems, Inc. All rights reserved.
EST provides cryptographic agility. It supports elliptic curve cryptography (ECC) and secure cryptographic
algorithms to come. ECC is used in government mandates around the world. It is computationally more
efficient, which benefits resource-constrained devices. SCEP doesn’t support ECC because the PKCS 7
methods that it uses to protect data depend on RSA encryption. As stated in the recently submitted SCEP
draft: “The message types, being based on CMS and PKCS #10, fully support algorithm agility but the
requester has to use a key type that is supported by the server. Specifically, they must employ a PKC
algorithm capable of both encryption and signing. RSA is the only widely-used algorithm that has these
properties.” Updating the algorithms to CMS and getting sufficient alignment with CMC to take advantage
of the new work in this area would require as much effort as just moving to EST and wouldn’t track with
any of the standards work.
Automated certificate re-enrollment or renewal is important. EST was built to support automatic re-
enrollment. Even though the recently submitted SCEP draft includes renewal messages, that was not the
case in the previous submission, nor were such messages commonly deployed in SCEP implementations.
EST can support server-side key generation with an enrollment request. SCEP supports only the private key
being generated at the client. Server-side key generation can be important in resource PKI (RPKI)
environments or constrained devices that do not have enough power and entropy source to generate a
random private key.
EST was a joint standards effort that included vendors and the standards community. It received wide
community scrutiny in its development phase in IETF. There is an open-source implementation of EST for
vendors and private parties to adopt and experiment with. SCEP was developed in the 1990s, and even
though it is widely used, it failed the vetting process in IETF that EST went through.
EST offers CA rollover functionality for refreshing the trust anchors by using three certificates in a transition
period. The transition period provides a path where all PKI entities can be rolled to the new CA root of trust
incrementally without affecting communications between entities. SCEP requires a “flag day” for CA
certificate updates. Operators cannot be sure if things will work until the flag day, because there is no
transition period. Additionally, CA certificate updates are done using GetNextCACert messages. No request
data is associated with this message, so the update is triggered by the CA, making CA rollover less flexible
and less automated.
EST does not provide a mechanism to retrieve a certificate’s revocation status. SCEP defines a certificate
revocation list (CRL) retrieval message so that endpoints can receive the revocation status of a specific
certificate. CRL distribution points (CDPs) can also be retrieved from the certificates themselves. But even
though CRL retrieval might be useful in some cases, certificate revocation goes beyond certificate
provisioning or retrieving CRLs. Other options for revocation are the Online Certificate Status Protocol
(OCSP) and OCSP stapling. CRLs were recently deprecated by Firefox in favor of OCSP. Moreover, if a CA
doesn’t use OCSP, it needs to break the CRL into multiple individual files. The SCEP method of requesting
the CRL doesn’t include this information, and thus a SCEP server either needs significant detailed
information of the PKI CRL structures or needs the CA to use a non-scalable flat file for the single CRL. That
is an important limitation.
In terms of security risk specifically, it is worth pointing out the following:
In EST the certificate signing request (CSR) can be tied to a requestor that is already trusted and
authenticated with TLS. The certificate is provided only to the entity requesting it, which owns the private
key or username and password (proof of possession, or PoP). In other words, when PoP is enforced, clients
cannot get a certificate for anyone but themselves. In SCEP the CSR is authenticated using a shared secret