1. Home
  2. /
  3. Resources
  4. /
  5. #KEYMASTER: Is SCEP Still Relevant in a Post-Quantum World?

#KEYMASTER: Is SCEP Still Relevant in a Post-Quantum World?

hero-sub-3
PKI hierarchies - 1, 2, 3 tiers ?

2026-05-19

In this #KEYMASTER session, host Sven Rajala sits down with Product Architect Mike Agrenius Kushner to explore an increasingly important question in modern cryptography: Is SCEP (Simple Certificate Enrollment Protocol) still relevant in 2026?

With the rise of post-quantum cryptography and evolving security standards, the conversation highlights both the limitations of legacy systems and the emerging paths forward.

Watch video on YouTube

The Legacy of SCEP

SCEP has been around since the late 1990s, designed in an era before modern transport security standards like TLS were widely adopted. Because of this, SCEP relies on encrypting its own payload rather than depending on secure transport layers.

Historically, SCEP worked well because it leveraged RSA keys, which could both sign and encrypt data. This dual capability made it practical and efficient for certificate enrollment workflows, especially in enterprise environments using mobile device management (MDM) systems like Intune.

However, this design assumption is now becoming a major limitation.

The Post-Quantum Problem

As the industry prepares for a post-quantum future, new cryptographic algorithms are being introduced. These algorithms typically specialize in either signing or key encapsulation (encryption)—but not both.

This creates a fundamental incompatibility with SCEP:

  • SCEP depends on a single key performing both signing and encryption.
  • Post-quantum algorithms separate these functions.
  • As a result, SCEP cannot easily adapt without significant changes.

While password-based encryption could theoretically fill the gap, it’s widely considered an insecure and undesirable workaround.

Why SCEP Still Exists

Despite its limitations, SCEP hasn’t disappeared. Its continued use is largely due to:

  • Integration with MDM platforms (notably Microsoft Intune)
  • Limited protocol support in many device management ecosystems
  • The cost and complexity of migrating to newer solutions

In short, organizations are often locked in.

The Future: Three Possible Paths

Mike outlines three potential directions for organizations currently relying on SCEP:

1. Transition to EST (Enrollment over Secure Transport)

EST is often seen as the natural successor to SCEP. It improves security by:

  • Using TLS from the ground up
  • Supporting modern cryptographic methods
  • Offering more flexibility in key management

Even Cisco, which originally developed SCEP, recommends EST as the preferred alternative.

2. Adopt ACME with Device Attestation

ACME (Automated Certificate Management Environment) is gaining traction beyond web certificates.

With device attestation:

  • Certificates can be issued automatically
  • Devices can prove identity via hardware (e.g., TPM)
  • Security can exceed that of both SCEP and EST

This approach also benefits from ongoing innovation in the TLS ecosystem, including features like ACME ARI (Automatic Renewal Information).

3. Update SCEP for Post-Quantum Compatibility

A third option is to extend SCEP itself:

  • New standards (RFCs) are being developed to support post-quantum algorithms
  • This would require updating clients but minimal server-side changes
  • It’s the least disruptive short-term option

However, this approach may only delay the inevitable rather than solve the core design limitations.

So… Update or Replace SCEP?

The answer depends on your organization’s priorities:

  • Low effort / short-term fix → Update SCEP
  • Moderate investment → Move to EST
  • Long-term strategy / best security → Adopt ACME with device attestation

Mike’s conclusion is clear:

While updating SCEP may be easiest today, ACME is likely the best long-term solution.

Key Takeaways

  • SCEP is a legacy protocol that predates modern TLS-based security.
  • Its reliance on RSA makes it incompatible with post-quantum cryptography.
  • Despite its limitations, SCEP persists due to MDM ecosystem constraints.
  • EST offers a more modern and secure alternative with TLS integration.
  • ACME with device attestation provides the strongest long-term path forward.
  • Updating SCEP is possible but may only be a temporary solution.
  • Organizations should begin planning their transition strategy now.

As the post-quantum era approaches, the future of certificate enrollment is clearly shifting. Whether SCEP evolves or fades away, one thing is certain: doing nothing is not an option.

Learn more

Related resources

PKI hierarchies - 1, 2, 3 tiers ?
Implementing Cryptography
Tech Update
Ejbca
Signserver
18 March, 2026

#KEYMASTER: The Future of PKI – When (and Why) to Transition Away from Microsoft PKI

A Modern Perspective on PKI Migration and the Future of Certificate Managemen...
Read more
PKI hierarchies - 1, 2, 3 tiers ?
Implementing Cryptography
Tech Update
Ejbca
Signserver
10 March, 2026

#KEYMASTER: The Good, the Bad, and the Ugly of PKI Standards – How Custom Specifications Create Risks

In this #KEYMASTER session, Sven Rajala sat down with Chief PKI Officer Tomas...
Read more

This website uses cookies

Cookies consist of small text files. They contain data that is stored on your device. To enable us to place certain types of cookies we need to obtain your consent. At PrimeKey Solutions AB, corp. ID no. 556628-3064, we use the following kinds of cookies. To read more about which cookies we use and storage times, click here to access our cookies policy.

Manage your cookie-settings

Necessary cookies

Check to consent to the use of Necessary cookies
Necessary cookies are cookies that must be placed for basic functions to work on the website. Basic functions are, for example, cookies which are needed so that you can use menus on the website and navigate on the site.

Functional cookies

Check to consent to the use of Functional cookies
Functional cookies need to be placed on the website in order for it to perform as you would expect. For example, so that it recognizes which language you prefer, whether or not you are logged in, to keep the website secure, remember login details or to be able to sort products on the website according to your preferences.

Cookies for statistics

Check to consent to the use of Cookies for statistics
For us to measure your interactions with the website, we place cookies in order to keep statistics. These cookies anonymize personal data.

Cookies for ad-tracking

Check to consent to the use of Cookies for ad-tracking
To enable us to offer better service and experience, we place cookies so that we can provide relevant advertising. Another aim of this processing is to enable us to promote products or services, provide customized offers or provide recommendations based on what you have purchased in the past.

Ad measurement user cookies

Check to consent to the use of Ad measurement user cookies
In order to show relevant ads we place cookies to tailor ads for you

Personalized ads cookies

Check to consent to the use of Personalized ads cookies
To show relevant and personal ads we place cookies to provide unique offers that are tailored to your user data
Close