{"id":13582106,"url":"https://github.com/micromdm/scep","last_synced_at":"2025-04-29T18:45:10.851Z","repository":{"id":8856366,"uuid":"59963380","full_name":"micromdm/scep","owner":"micromdm","description":"Go SCEP server","archived":false,"fork":false,"pushed_at":"2025-04-28T22:09:14.000Z","size":305,"stargazers_count":344,"open_issues_count":32,"forks_count":133,"subscribers_count":25,"default_branch":"main","last_synced_at":"2025-04-28T23:27:27.560Z","etag":null,"topics":["crypto","golang","ndes","scep","scep-client","scep-server"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/micromdm.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-05-29T20:53:09.000Z","updated_at":"2025-04-28T22:08:45.000Z","dependencies_parsed_at":"2023-12-01T06:25:10.783Z","dependency_job_id":"cac5605d-8f40-434e-a018-12cc31b19823","html_url":"https://github.com/micromdm/scep","commit_stats":{"total_commits":171,"total_committers":35,"mean_commits":4.885714285714286,"dds":0.6257309941520468,"last_synced_commit":"aa863fe13ac2d85ce4ac074cc259bf29b7798e9a"},"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/micromdm%2Fscep","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/micromdm%2Fscep/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/micromdm%2Fscep/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/micromdm%2
Fscep/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/micromdm","download_url":"https://codeload.github.com/micromdm/scep/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251405392,"owners_count":21584261,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["crypto","golang","ndes","scep","scep-client","scep-server"],"created_at":"2024-08-01T15:02:25.882Z","updated_at":"2025-04-29T18:45:10.830Z","avatar_url":"https://github.com/micromdm.png","language":"Go","funding_links":[],"categories":["Go","Tools"],"sub_categories":[],"readme":"# scep\n\n[![CI](https://github.com/micromdm/scep/workflows/CI/badge.svg)](https://github.com/micromdm/scep/actions)\n[![Go Reference](https://pkg.go.dev/badge/github.com/micromdm/scep/v2.svg)](https://pkg.go.dev/github.com/micromdm/scep/v2)\n\n`scep` is a Simple Certificate Enrollment Protocol server and client\n\n\u003e [!NOTE]\n\u003e The included SCEP server and CA are very basic and lack critical security-related features. You are encouraged to explore a more robust solution such as [github.com/smallstep/certificates](https://github.com/smallstep/certificates). 
As alluded to in our [blog post](https://micromdm.io/blog/scepping-stone/) this project's SCEP server will not likely be supported in the future.\n\n## Installation\n\nBinary releases are available on the [releases page](https://github.com/micromdm/scep/releases).\n\n### Compiling from source\n\nTo compile the SCEP client and server you will need [a Go compiler](https://golang.org/dl/) as well as standard tools like git, make, etc.\n\n1. Clone the repository and get into the source directory: `git clone https://github.com/micromdm/scep.git \u0026\u0026 cd scep`\n2. Compile the client and server binaries: `make` (for Windows: `make win`)\n\nThe binaries will be compiled in the current directory and named after the architecture. I.e. `scepclient-linux-amd64` and `scepserver-linux-amd64`.\n\n### Docker\n\nSee Docker documentation below.\n\n## Example setup\n\nMinimal example for both server and client.\n\n```\n# SERVER:\n# create a new CA\n./scepserver-linux-amd64 ca -init\n# start server\n./scepserver-linux-amd64 -depot depot -port 2016 -challenge=secret\n\n# SCEP request:\n# in a separate terminal window, run a client\n# note, if the client.key doesn't exist, the client will create a new rsa private key. Must be in PEM format.\n./scepclient-linux-amd64 -private-key client.key -server-url=http://127.0.0.1:2016/scep -challenge=secret\n\n# NDES request:\n# note, this should point to an NDES server, scepserver does not provide NDES.\n./scepclient-linux-amd64 -private-key client.key -server-url=https://scep.example.com:4321/certsrv/mscep/ -ca-fingerprint=\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\"\n```\n\n## Server Usage\n\nThe default flags configure and run the scep server.\n\n`-depot` must be the path to a folder with `ca.pem` and `ca.key` files.  
If you don't already have a CA to use, you can create one using the `ca` subcommand.\n\nThe scepserver provides one HTTP endpoint, `/scep`, that facilitates the normal PKIOperation/Message parameters.\n\nServer usage:\n```sh\n$ ./scepserver-linux-amd64 -help\n  -allowrenew string\n    \tdo not allow renewal until n days before expiry, set to 0 to always allow (default \"14\")\n  -capass string\n    \tpasswd for the ca.key\n  -challenge string\n    \tenforce a challenge password\n  -crtvalid string\n    \tvalidity for new client certificates in days (default \"365\")\n  -csrverifierexec string\n    \twill be passed the CSRs for verification\n  -debug\n    \tenable debug logging\n  -depot string\n    \tpath to ca folder (default \"depot\")\n  -log-json\n    \toutput JSON logs\n  -port string\n    \tport to listen on (default \"8080\")\n  -version\n    \tprints version information\nusage: scep [\u003ccommand\u003e] [\u003cargs\u003e]\n ca \u003cargs\u003e create/manage a CA\ntype \u003ccommand\u003e --help to see usage for each subcommand\n```\n\nUse the `ca -init` subcommand to create a new CA and private key.\n\nCA sub-command usage:\n```\n$ ./scepserver-linux-amd64 ca -help\nUsage of ca:\n  -country string\n    \tcountry for CA cert (default \"US\")\n  -depot string\n    \tpath to ca folder (default \"depot\")\n  -init\n    \tcreate a new CA\n  -key-password string\n    \tpassword to store rsa key\n  -keySize int\n    \trsa key size (default 4096)\n  -common_name string\n        common name (CN) for CA cert (default \"MICROMDM SCEP CA\")\n  -organization string\n    \torganization for CA cert (default \"scep-ca\")\n  -organizational_unit string\n    \torganizational unit (OU) for CA cert (default \"SCEP CA\")\n  -years int\n    \tdefault CA years (default 10)\n```\n\n### CSR verifier\n\nThe `-csrverifierexec` switch to the SCEP server allows for executing a command before a certificate is issued to verify the submitted CSR. 
Scripts exiting without errors (zero exit status) will proceed to certificate issuance; otherwise a SCEP error is returned to the client. For example, if you just wanted to save the CSR, this is a valid CSR verifier shell script:\n\n```sh\n#!/bin/sh\n\ncat - \u003e /tmp/scep.csr\n```\n\n## Client Usage\n\n```sh\n$ ./scepclient-linux-amd64 -help\nUsage of ./scepclient-linux-amd64:\n  -ca-fingerprint string\n    \tSHA-256 digest of CA certificate for NDES server. Note: Changed from MD5.\n  -certificate string\n    \tcertificate path, if there is no key, scepclient will create one\n  -challenge string\n    \tenforce a challenge password\n  -cn string\n    \tcommon name for certificate (default \"scepclient\")\n  -country string\n    \tcountry code in certificate (default \"US\")\n  -debug\n    \tenable debug logging\n  -keySize int\n    \trsa key size (default 2048)\n  -locality string\n    \tlocality for certificate\n  -log-json\n    \tuse JSON for log output\n  -organization string\n    \torganization for cert (default \"scep-client\")\n  -ou string\n    \torganizational unit for certificate (default \"MDM\")\n  -private-key string\n    \tprivate key path, if there is no key, scepclient will create one\n  -province string\n    \tprovince for certificate\n  -server-url string\n    \tSCEP server url\n  -version\n    \tprints version information\n```\n\nNote: Make sure to specify the desired endpoint in your `-server-url` value (e.g. `'http://scep.groob.io:2016/scep'`)\n\nTo obtain a certificate through Network Device Enrollment Service (NDES), set `-server-url` to a server that provides NDES.\nThis most likely uses the `/certsrv/mscep` path. 
You will need to add the `-ca-fingerprint` client argument during this request to specify which CA to use.\n\nIf you're not sure which SHA-256 hash (for a specific CA) to use, you can use the `-debug` flag to print them out for the CAs returned from the SCEP server.\n\n## Docker\n\n```sh\n# first compile the Docker binaries\nCGO_ENABLED=0 make docker\n\n# build the image\ndocker build -t micromdm/scep:latest .\n\n# create CA\ndocker run -it --rm -v /path/to/ca/folder:/depot micromdm/scep:latest ca -init\n\n# run\ndocker run -it --rm -v /path/to/ca/folder:/depot -p 8080:8080 micromdm/scep:latest\n```\n\n## Server library\n\nYou can import the scep endpoint into another Go project. For an example take a look at [scepserver.go](cmd/scepserver/scepserver.go).\n\nThe SCEP server includes a built-in CA/certificate store. This is facilitated by the `Depot` and `CSRSigner` Go interfaces. This allows certificate storage to happen however you want. It also allows for swapping out the entire CA signer altogether or even using SCEP as a proxy for certificates.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmicromdm%2Fscep","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmicromdm%2Fscep","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmicromdm%2Fscep/lists"}