Configure Simple Certificate Enrollment Protocol
Prisma SD-WAN provides a Simple Certificate Enrollment Protocol (SCEP) to use the external root or sub-CA for certificate signing, renewal, and revocation purposes.
Where Can I Use This?
  • Prisma SD-WAN
What Do I Need?
  • Prisma SD-WAN
Prisma SD-WAN can integrate with enterprise digital certificate management systems using Simple Certificate Enrollment Protocol (SCEP).
Certificate operation on an ION device with SCEP integration proceeds as follows:
  1. The ION device establishes a TLS connection to the controller using its Manufacturing Installed Certificate (MIC). The controller, in turn, establishes a SCEP session with the customer PKI server. When a claim request is made from the portal, the device generates a CSR and sends it to the controller over the TLS session.
  2. The Prisma SD-WAN controller forwards the CSR to the customer PKI server over the SCEP session.
  3. The SCEP server signs the CSR, issues the certificate, and returns it to the controller. The controller sends the Customer-Issued Certificate (CIC) to the ION device, which installs it. The device then terminates the existing connection and re-establishes a new TLS connection using the CIC. Once the new connection is up, the network administrator can proceed with policy and other configuration so that the device becomes part of the network.
With an external root or sub-CA reached over SCEP, the following certificate operations are supported:
  • Sign—After obtaining a challenge password (OTP) from the SCEP server, the SCEP plug-in forwards the CSR to the SCEP server for enrollment. The signed X.509 certificate is returned to the device and stored locally.
  • Renew—Certificates are valid for one year (set by the CA; this value is not configurable in the UI). The renewal window (30 to 90 days) controls how many days before the certificate's expiry date the renewal is automatically triggered, so the certificate is renewed before it expires.
    The CSR for renewal must originate from the device. The renewal request is treated like an enrollment request and sent to the SCEP server for signing. The newly signed certificate is returned to the device and replaces the previous certificate in the trust store.
  • Revoke—SCEP does not support online (real-time) certificate revocation. Revocation must be performed offline by the CA administrator:
    1. The CA administrator revokes the certificate on the external CA (for example, using the CA management console or CRL update).
    2. The CA publishes an updated Certificate Revocation List (CRL).
    3. The controller synchronizes revocation status from the CA. Once the revocation has propagated, the device is marked as unclaimed or retired in the controller.
    4. Verify that the revocation has propagated by checking the device status in the Administrator console under Claim Certificate.
For certificate information, go to Claim Certificate to see the Status, Issue Date, Expiration Date, Renewal Status, and Issuer information of the claimed device. To trigger the renewal process of the certificate, select the Trigger CIC Renewal link.
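The Renew operation and the Claim Certificate fields above (Issue Date, Expiration Date, Renewal Status) can be modelled as a small scheduler. The following is an added example, not Prisma SD-WAN code: it validates the three Certificate Authority widget ranges (signing timeout 10 to 300, expiration window 30 to 90, wait time 5 to 1440), then drives one certificate from issue through a failed and a successful renewal. The units for the signing timeout (seconds) and wait time (minutes), the use of the wait time as the retry interval after a failed renewal, and the `sign` callable standing in for the device-to-controller-to-SCEP-server round trip are assumptions the page does not state.

```python
"""Claim-certificate renewal cycle (added example; not Prisma SD-WAN code).

Assumptions the page does not state: the Certificate Signing timeout is in
seconds, the Certificate Renewal wait time is in minutes and is the retry
interval after a failed renewal, and the signing step is any callable that
returns the new expiry or raises TimeoutError.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Ranges as shown in the Certificate Authority widget.
SIGNING_TIMEOUT_RANGE = (10, 300)    # assumed unit: seconds
RENEWAL_WINDOW_RANGE = (30, 90)      # days before expiry at which renewal triggers
RENEWAL_WAIT_RANGE = (5, 1440)       # assumed unit: minutes between retries
CERT_LIFETIME = timedelta(days=365)  # set by the CA, not configurable in the UI


def validate_ca_settings(signing_timeout: int, renewal_window_days: int,
                         renewal_wait: int) -> list:
    """Return the out-of-range settings; an empty list means all are valid."""
    problems = []
    for name, value, (lo, hi) in (
        ("Certificate Signing timeout", signing_timeout, SIGNING_TIMEOUT_RANGE),
        ("Certificate Renewal expiration window", renewal_window_days, RENEWAL_WINDOW_RANGE),
        ("Certificate Renewal wait time", renewal_wait, RENEWAL_WAIT_RANGE),
    ):
        if not lo <= value <= hi:
            problems.append(f"{name} {value} is outside {lo}..{hi}")
    return problems


@dataclass
class ClaimCertificate:
    """The fields the Claim Certificate view shows, plus the retry timer."""
    issue_date: datetime
    expiration_date: datetime
    renewal_status: str = "not due"   # not due | retry | renewed | expired
    next_attempt: Optional[datetime] = None


def issue(now: datetime) -> ClaimCertificate:
    """Initial enrollment: the CA issues a one-year CIC."""
    return ClaimCertificate(issue_date=now, expiration_date=now + CERT_LIFETIME)


def renewal_due(cert: ClaimCertificate, now: datetime, window_days: int) -> bool:
    """True once 'now' lies inside the renewal window but before expiry."""
    return cert.expiration_date - timedelta(days=window_days) <= now < cert.expiration_date


def step(cert: ClaimCertificate, now: datetime, window_days: int, wait_minutes: int,
         sign: Callable[[datetime], datetime]) -> ClaimCertificate:
    """One scheduler pass: trigger renewal inside the window, retry after a failure."""
    if now >= cert.expiration_date:
        cert.renewal_status = "expired"   # too late; the device must be re-claimed
        return cert
    if not renewal_due(cert, now, window_days):
        cert.renewal_status = "not due"
        return cert
    if cert.next_attempt is not None and now < cert.next_attempt:
        return cert                       # still inside the wait period after a failure
    try:
        new_expiry = sign(now)            # device CSR -> controller -> SCEP server
    except TimeoutError:
        cert.renewal_status = "retry"
        cert.next_attempt = now + timedelta(minutes=wait_minutes)
        return cert
    # Renewal is handled like an enrollment: the new certificate replaces the old one.
    return ClaimCertificate(issue_date=now, expiration_date=new_expiry,
                            renewal_status="renewed")


def status_after(days: int, window_days: int = 30) -> str:
    """Status of a fresh certificate checked once, 'days' after issue, with a CA that always signs."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    cert = step(issue(t0), t0 + timedelta(days=days), window_days, 5,
                lambda now: now + CERT_LIFETIME)
    return cert.renewal_status


def simulate(window_days: int = 30, wait_minutes: int = 60, fail_first: bool = True) -> list:
    """Drive one cycle from issue to renewal; returns the status after each pass."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    attempts = {"n": 0}

    def ca_sign(now: datetime) -> datetime:
        attempts["n"] += 1
        if fail_first and attempts["n"] == 1:
            raise TimeoutError("SCEP server did not answer within the signing timeout")
        return now + CERT_LIFETIME

    cert = issue(t0)
    seen = []
    # Day 335 is the first day inside a 30-day window on a 365-day certificate.
    for offset in (timedelta(0), timedelta(days=300), timedelta(days=335),
                   timedelta(days=335, minutes=30), timedelta(days=335, minutes=61),
                   timedelta(days=365)):
        cert = step(cert, t0 + offset, window_days, wait_minutes, ca_sign)
        seen.append(cert.renewal_status)
    return seen


if __name__ == "__main__":
    print(validate_ca_settings(10, 30, 5))   # []
    print(simulate())                         # retry once, then renewed
```

The pass at day 335 plus 30 minutes shows the wait time doing its job: the failed attempt is not retried until the wait period has elapsed, and the pass at day 365 runs against the renewed certificate, whose own window has not yet opened.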
  1. From the Prisma SD-WAN web interface, navigate to Users > System Administration > Certificate Authority to display the Certificate Authority widget.
  2. Select Local for the local certificate and Submit your changes.
    The Certificate Signing timeout (10 to 300) and the Certificate Renewal expiration window (30 to 90) and wait time (5 to 1440) fields are populated with default values. Check that these values fit your certificate lifecycle: certificates are valid for one year (set by the CA), and the expiration window controls how many days before expiry the renewal is triggered.
  3. Select SCEP for the SCEP certificate.
    1. For SCEP configurations, import the certificate file of the trusted CA server.
    2. Enter the Server IP, Server Username, and Server Password used to log in to the SCEP server.
    3. Enter the Max Concurrent Challenge Passwords (1 to 20) and the Challenge Passwords URI from which the SCEP server's challenge passwords are obtained.
    4. Enter the Enrollment Site URI, the SCEP enrollment endpoint to which the CSR is submitted together with the challenge password obtained from the Challenge Passwords URI.
    5. Enable the Use of an HTTPS connection? checkbox to enforce HTTPS for all SCEP communications. This setting is required for production deployments.
      Over plain HTTP, the Server Username and Server Password used to fetch challenge passwords, the challenge passwords (one-time passwords) themselves, and the certificate data cross the network in cleartext. An attacker with network visibility can capture those credentials and enroll rogue devices or impersonate legitimate ones. Do not leave this checkbox unchecked in any deployment.
    6. Submit your changes.
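The SCEP exchange described at the top of the page and the Enrollment Site URI and HTTPS settings in this procedure come together on the controller side as a preflight against the CA. The following is an added example, not Prisma SD-WAN code: it builds the request URLs RFC 8894 defines for the SCEP operations (GetCACaps, GetCACert, PKIOperation) against an Enrollment Site URI, rejects a plain-http URI when HTTPS is enforced, parses a GetCACaps answer, and refuses the legacy SHA-1 and single-DES defaults SCEP keeps for backwards compatibility. The host `ca.example.test` and the two GetCACaps bodies are constructed samples; `fetch_ca_caps` shows the live query but is not run here because the sample CA does not exist.

```python
"""SCEP server preflight (added example; not Prisma SD-WAN code).

Builds the request URLs RFC 8894 defines for the SCEP operations a controller
issues against the Enrollment Site URI, enforces the HTTPS setting, parses the
GetCACaps answer and refuses the SHA-1/DES defaults a client would otherwise
fall back to. The host name and the GetCACaps bodies below are constructed
samples, not a real CA.
"""
import base64
import urllib.request
from typing import Optional
from urllib.parse import urlsplit, urlencode

# RFC 8894 capability keywords a CA may advertise in its GetCACaps response.
KNOWN_CAPS = {"AES", "DES3", "GetNextCACert", "POSTPKIOperation", "Renewal",
              "SHA-1", "SHA-256", "SHA-512", "SCEPStandard"}

# Constructed GetCACaps bodies: one keyword per line.
SAMPLE_MODERN_CAPS = "AES\nPOSTPKIOperation\nRenewal\nSHA-256\nSHA-512\nSCEPStandard\n"
SAMPLE_LEGACY_CAPS = "GetNextCACert\nSHA-1\n"


def build_scep_url(enrollment_uri: str, operation: str, use_https: bool = True,
                   message: Optional[bytes] = None) -> str:
    """Return the GET URL for a SCEP operation (GetCACaps, GetCACert, PKIOperation).

    For PKIOperation over GET the PKCS#7 PKIMessage travels base64-encoded in
    the 'message' query parameter. When use_https is set, a plain-http
    Enrollment Site URI is rejected rather than silently used.
    """
    parts = urlsplit(enrollment_uri)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    if use_https and parts.scheme != "https":
        raise ValueError("HTTPS is required but the Enrollment Site URI is plain http")
    query = {"operation": operation}
    if message is not None:
        query["message"] = base64.b64encode(message).decode("ascii")
    return f"{parts.scheme}://{parts.netloc}{parts.path}?{urlencode(query)}"


def fetch_ca_caps(enrollment_uri: str, use_https: bool = True, timeout: int = 10) -> str:
    """Live GetCACaps query; not exercised here because the sample CA does not exist."""
    url = build_scep_url(enrollment_uri, "GetCACaps", use_https)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("ascii", errors="replace")


def parse_ca_caps(body: str) -> set:
    """Parse a GetCACaps body; keywords the client does not know are ignored."""
    return {line.strip() for line in body.splitlines() if line.strip() in KNOWN_CAPS}


def select_algorithms(caps: set) -> dict:
    """Choose the strongest digest and cipher advertised; refuse the legacy fallback.

    A client that learns nothing from GetCACaps would otherwise drop to the
    SHA-1 and single-DES defaults SCEP retains for backwards compatibility.
    A hardened controller treats that as a misconfigured CA instead.
    """
    if "SHA-512" in caps:
        digest = "sha512"
    elif "SHA-256" in caps:
        digest = "sha256"
    else:
        raise ValueError("CA advertises no SHA-2 digest; refusing SHA-1 fallback")
    if "AES" in caps:
        cipher = "aes"
    elif "DES3" in caps:
        cipher = "3des"   # tolerated for legacy CAs only
    else:
        raise ValueError("CA advertises neither AES nor 3DES; refusing single-DES fallback")
    return {"digest": digest, "cipher": cipher,
            "post": "POSTPKIOperation" in caps,   # POST the PKIMessage instead of GET
            "renewal": "Renewal" in caps}         # CA supports the Renew operation


def preflight(enrollment_uri: str, caps_body: str, use_https: bool = True) -> dict:
    """Combine the checks into the report a controller could log before enrolling."""
    try:
        caps_url = build_scep_url(enrollment_uri, "GetCACaps", use_https)
        choice = select_algorithms(parse_ca_caps(caps_body))
    except ValueError as exc:
        return {"ok": False, "reason": str(exc)}
    return {"ok": True, "caps_url": caps_url, **choice}


if __name__ == "__main__":
    print(preflight("https://ca.example.test/scep", SAMPLE_MODERN_CAPS))
    print(preflight("http://ca.example.test/scep", SAMPLE_MODERN_CAPS))   # rejected: HTTPS required
    print(preflight("https://ca.example.test/scep", SAMPLE_LEGACY_CAPS))  # rejected: SHA-1 only
```

The `renewal` flag in the report is worth checking before relying on the automatic renewal described above: a CA that does not advertise `Renewal` will treat the device's renewal CSR as a fresh enrollment and may demand a new challenge password.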