Welcome to OpenSCEP

The test installation is currently being upgraded to 0.4.2, and is thus unavailable

This is OpenSCEP version 0.4.2. See the NEWS file for information about things that have changed, or the ChangeLog for the complete history.

What it is

OpenSCEP is an open source implementation of the SCEP protocol used by Cisco routers for certificate enrollment to build VPNs. It implements most of the draft specification, include as reference in the distribution.

OpenSCEP includes a client and a server implementation, as well as some CGI programs to simplify certificate and revocation list management. The OpenSCEP website http://openscep.othello.ch is at the same time a working installation of OpenSCEP, you can thus try OpenSCEP without having to install it first.

There also is a mailing list about OpenSCEP. To subscribe, send a message to majordomo@lists.othello.ch with the strings subscribe openscep in the body. You must be a list member to post to the list, this seems to be a necessary precaution in todays crazy Internet.


OpenSCEP uses OpenSSL's crypto library, extended by some functions specific to SCEP (version 0.9.6 was used for development and is the only tested version so far).

As SCEP is based on HTTP, it principally consists in some CGI programs plus some tools for certificate management. The installations known to me all use an Apache server, although no particular functions from apache are used. It is expected that just about any HTTP server capable of executing CGI programs can be used for OpenSCEP.

As it is expected that a SCEP server also allows clients to find its certificate revokation list in an LDAP directory, OpenSCEP expects to find an OpenLDAP server (tested: 2.0.7) to store client definitions, certificates and CRLs. However, Cisco routers currently are unable to retrieve CRLs from a sensible location of an LDAP directory (they expect to find them in the root node), so this feature will only be useful when Cisco finally fixes their IOS code.

Related Software

Certificates issued by OpenSCEP are stored in the directory in a form so that they can be directly used by mod_authz_ldap the LDAP certificate authorization module for the apache web server.

OpenSCEP was mainly tested with Cisco Routers. An non-free embeddable PKI toolkit implementing SCEP client functionality is available from http://security.dstc.com/products/upki, but there seems to be an interoperability problem, which has not quite been been sorted out yet as of version 0.4.2 of OpenSCEP.


The code that deals with user certificates (not the unstructuredName type distinguished names) is not completely tested (Udo Woehler contributed fixes, but I'm not sure I applied everything correctly). However, this should not be a problem for applications involving Cisco routers.

There were some problems with Cisco's IOS. Thanks to a surprising (to me, that is) offer for help from Cisco, these are now being fixed.

License and Download

OpenSCEP is available under the terms of the GNU General Public License GPL. It can be downloaded from http://openscep.othello.ch/download/openscep-0.4.2.tar.gz (310kB).

For easier installation on Solaris systems, a binary package is provided in http://openscep.othello.ch/OpenSCEP-0.4.2.tar.gz (2615kB). Note that the package will only work, if you have packages perl, OpenLDAP and OpenSSL on the default paths set by their respective configuration scripts. If you haven't, you will need to build OpenSCEP from source. Packages on http://www.sunfreeware.com/ usually are available in a version that installs into /usr/local, which should be ok OpenSCEP.


Support by a sponsor in the form of router hardware for tests and financing during the initial phases of the project were instrumental in bringing this project to live. They also opened a channel to Cisco technical support, although so far information has only flown from OpenSCEP to Cisco in the form of bug reports.

To learn to use OpenSSL and for some help in understanding the SCEP specification, reading the source code of the SCEP implementation of the OpenOSP project were very helpful, although not directly usable as the SCEP part of OpenOSP is rather minimal (only unauthenticated automatic enrollment).

© 2001 The OpenSCEP Project
$Id: welcome.html.in,v 1.15 2001/10/30 13:54:39 afm Exp $