SCEP is dead on Linux

dimko

Member
Joined
Jun 18, 2025
Messages
45
Reaction score
16
Credits
415
Hello, first post here...

There is no good SCEP client on Linux anymore. SSCEP is dead, last merge request that is not committed or refused - 2023.
SSCEP is kicked out from RHEL for that reason.
At best you can get applications that can generate scep requests that are inflexible. You can't submit CSR with them.

How do you deal with this?

This gives me grief. Linux that prides itself to be server/network/encryption bastion - does not have proper client for RFC protocol.
 


I’ve also noticed that SSCEP has not seen any real activity in a while and that several enterprise distros started to phase it out, which is a problem if you rely on SCEP for automated certificate enrollment on Linux servers.

In environments where I can, I’ve seen people slowly moving towards other workflows (ACME for internal PKI, or custom scripts around REST APIs of the CA), but that does not really solve the “no proper SCEP client on Linux” issue, it just works around it.

I’d be very interested as well in hearing if anyone is using a maintained SCEP implementation on Linux in production today, or if the general trend is simply to abandon SCEP in favor of more modern protocols.
 
If you go to Google and type in 'SSCEP Linux replacement', the top-most AI blurb has what looks like it might be useful information. (I haven't had to deal with anything like this for years.)

One of the suggestions in that AI blurb was this:


I don't know how valid it is, but there do appear to be a variety of choices. Might this be something suitable for Certbot or OpenSSL? I'm definitely not up to date, but I do know of those two. As I've retired, I've paid less attention to the enterprise side of things.
 
Hit the same wall. Most setups I've worked with ended up abandoning SCEP — some do manual CSR submission, others switched to different cert tooling. What's your use case?
 


Follow Linux.org

Members online


Top