Prisma SD-WAN supports the Simple Certificate Enrollment Protocol (SCEP) so that
an external root or sub-CA can be used for certificate signing, renewal, and
revocation.
Prisma SD-WAN can integrate with enterprise digital certificate management
systems using Simple Certificate Enrollment Protocol (SCEP).
ION device certificate operation with SCEP integration:
- The ION device establishes a TLS connection with the controller using its
Manufacturing Installed Certificate (MIC). The controller establishes a SCEP
session with the customer PKI server. When a claim request is made from the
portal, the device generates a CSR and securely sends it to the controller over
the TLS session.
- The Prisma SD-WAN controller forwards this CSR to the customer PKI server over
the SCEP session.
- The SCEP server signs the CSR, issues the certificate, and sends it back to
the controller. The controller sends the Customer-Issued Certificate (CIC) to
the ION device, and the device installs the CIC. At this point, the ION device
terminates the existing connection and establishes a new TLS connection using
the CIC. After the new connection is established, the network administrator can
proceed with policy and other relevant configurations for the device to become
part of the network.
For certificate information, go to Claim Certificate
to see the Status, Issue Date, Expiration Date, Renewal Status, and Issuer
information of the claimed device. To trigger the renewal process of the
certificate, select the Trigger CIC Renewal link.
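
The claim flow above, reproduced as an added lab sketch (not Prisma SD-WAN code or tooling): a throwaway local CA signs the device CSR with openssl in place of the SCEP exchange, then three checks confirm that the resulting certificate chains to the customer CA, matches the device key, and is inside its renewal window. Subject names, lifetimes, and file names are constructed.

```shell
#!/bin/sh
# Lab stand-in for the claim flow. All names and lifetimes are constructed, and
# a local openssl CA signs the CSR in place of the SCEP exchange.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT   # remove the throwaway keys on exit

# Customer PKI: self-signed root standing in for the external root or sub-CA.
make_customer_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/O=Example Corp/CN=Example Customer CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Device side: the key pair is generated locally; only the CSR is sent out.
make_device_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/O=Example Corp/CN=ion-lab-0001" \
    -keyout "$WORK/device.key" -out "$WORK/device.csr" 2>/dev/null
}

# CA side: sign the CSR for $1 days, producing the customer-issued certificate.
issue_cic() {
  openssl x509 -req -in "$WORK/device.csr" -days "$1" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/cic.pem" 2>/dev/null
}

# Check 1: the CIC chains to the CA file given as $1.
cic_chains_to() { openssl verify -CAfile "$1" "$WORK/cic.pem" >/dev/null 2>&1; }

# Check 2: the CIC is still valid $1 days from now (renewal window).
cic_valid_for_days() {
  openssl x509 -in "$WORK/cic.pem" -noout -checkend "$(( $1 * 86400 ))" >/dev/null
}

# Check 3: the CIC carries the public key of the device's own private key.
cic_matches_device_key() {
  [ "$(openssl x509 -in "$WORK/cic.pem" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$WORK/device.key" -pubout | openssl sha256)" ]
}

make_customer_ca
make_device_csr
issue_cic 10
cic_chains_to "$WORK/ca.pem" && echo "CIC chains to the customer CA"
cic_matches_device_key && echo "CIC matches the device key"
cic_valid_for_days 30 || echo "CIC expires within 30 days: renew"
```

The same three checks can be pointed at a certificate exported from a real device by replacing the file paths; the chain check then takes the customer root or sub-CA bundle as its argument.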