
Certificate Management Protocols: CMP, ACME, EST and SCEP Compared | Unsung

Compare certificate management protocols CMP, ACME, EST, and SCEP. Expert guidance on protocol selection from Unsung's PKI consultants.

Certificate management protocols define how systems request, obtain, renew, and revoke digital certificates. Different protocols suit different use cases—what works for web server automation may not fit industrial control systems or legacy network equipment.

Understanding these protocols helps organisations select the right approach for their environment and avoid the complexity of supporting multiple protocols unnecessarily.

Certificate Management Protocol (CMP)

The Certificate Management Protocol, standardised in RFC 4210 (updated by RFC 9480, with algorithm requirements in RFC 9481), provides comprehensive certificate lifecycle management for enterprise PKI environments. CMP distinguishes itself through self-contained security: every PKIMessage carries its own protection, either a signature made with a certificate the sender already holds or a password-based MAC (PBM) derived from a shared secret, so the recipient can verify integrity and origin without trusting the transport. A message can cross an RA, a message queue, or a file transfer and arrive with its protection intact, which is what end-to-end security means here.
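To make the "self-contained protection" concrete, here is the password-based MAC scheme of RFC 4210 section 5.1.3.1, the protection a CMP client uses for its first request when it has no certificate yet. This is an added illustration, not Unsung's code or that of any CMP product. The `protected_part` bytes are a constructed stand-in for the DER encoding of the message header and body (a real client would ASN.1-encode those), the shared secret and iteration count are made-up values, and the ASCII encoding of the counter digits in the key-extension step is an assumption, since RFC 4210 writes them as "1", "2" without specifying an encoding.

```python
# Added example (not Unsung's code or any CMP product's): RFC 4210 section
# 5.1.3.1 password-based MAC (PBM) protection for a CMP PKIMessage.
import hashlib
import hmac
import os


def pbm_derive_key(secret: bytes, salt: bytes, iteration_count: int,
                   owf: str = "sha256", mac_key_len: int = 32) -> bytes:
    """Derive the MAC key as RFC 4210 describes.

    BASEKEY is the one-way function applied iterationCount times to
    (secret || salt), each round hashing the previous round's output.  If the
    MAC needs more key bytes than the OWF yields, the key is extended with
    OWF("1" || BASEKEY), OWF("2" || BASEKEY), ...  The digits are taken here
    to be ASCII characters; that encoding is an assumption of this example.
    """
    if iteration_count < 1:
        raise ValueError("iterationCount must be at least 1")
    basekey = secret + salt
    for _ in range(iteration_count):
        basekey = hashlib.new(owf, basekey).digest()
    if mac_key_len <= len(basekey):
        return basekey[:mac_key_len]
    key = bytearray(basekey)
    counter = 1
    while len(key) < mac_key_len:
        key += hashlib.new(owf, str(counter).encode("ascii") + basekey).digest()
        counter += 1
    return bytes(key[:mac_key_len])


def pbm_protect(protected_part: bytes, secret: bytes, salt: bytes,
                iteration_count: int) -> bytes:
    """PKIProtection value: HMAC-SHA256 with the derived key over ProtectedPart."""
    key = pbm_derive_key(secret, salt, iteration_count)
    return hmac.new(key, protected_part, "sha256").digest()


def pbm_verify(protected_part: bytes, protection: bytes, secret: bytes,
               salt: bytes, iteration_count: int) -> bool:
    """What the CA (or an RA that knows the secret) does: recompute and compare."""
    expected = pbm_protect(protected_part, secret, salt, iteration_count)
    return hmac.compare_digest(expected, protection)


def relay_demo():
    """Client protects a message, it crosses an untrusted hop, the CA verifies.

    Returns (genuine_ok, tampered_ok, wrong_secret_ok).
    """
    shared_secret = b"enrolment-secret-from-out-of-band-channel"   # constructed
    salt = os.urandom(16)      # PBMParameter.salt: sent in the clear in the header
    iterations = 1000          # PBMParameter.iterationCount: slows brute force
    # Constructed stand-in for DER(ProtectedPart) = header || body of an ir.
    protected_part = b"\x30\x82\x01\x00" + b"sender=CN=device-42;recipient=CN=ca;body=ir"
    protection = pbm_protect(protected_part, shared_secret, salt, iterations)

    # Whatever carries the message (HTTP, CoAP, a file drop, an RA) cannot alter
    # it without the secret: one flipped byte and the MAC no longer matches.
    tampered = bytearray(protected_part)
    tampered[-1] ^= 0x01
    return (
        pbm_verify(protected_part, protection, shared_secret, salt, iterations),
        pbm_verify(bytes(tampered), protection, shared_secret, salt, iterations),
        pbm_verify(protected_part, protection, b"guess", salt, iterations),
    )


if __name__ == "__main__":
    print(relay_demo())   # (True, False, False)
```

The salt and iteration count travel in the message header's protectionAlg, so only the secret has to be shared out of band, and because the header (transactionID, sender and recipient nonces) is inside the MAC, replayed or re-addressed messages fail verification too. Once the certificate is issued the client switches to signature-based protection with it, and the shared secret is retired.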

CMP supports complete lifecycle management: initial certificate requests, updates, renewals, and revocations all through the same protocol. It handles both client-side and server-side key generation, accommodates multiple authentication methods, and supports key pair recovery when needed.

The November 2023 updates to CMP (RFC 9480 through RFC 9483) introduced a Lightweight CMP Profile (RFC 9483) and a CoAP transport (RFC 9482) tailored for industrial and resource-constrained environments. Implementations include Nexus Certificate Manager, Entrust Security Manager, and EJBCA (open source, with commercial editions from Keyfactor); OpenSSL has shipped a cmp command and client library since version 3.0.

Strengths

  • Full certificate lifecycle support
  • Strong message protection
  • Mandatory proof-of-possession
  • Polling, nested messages, RA/CA separation
  • Transport agnostic

Weaknesses

  • More complex to implement
  • Requires ASN.1 handling
  • Not widely supported by commercial CAs

Automated Certificate Management Environment (ACME)

ACME, defined in RFC 8555, automates certificate lifecycle operations for web-facing services. Let's Encrypt pioneered ACME, proving that fully automated certificate issuance could work at massive scale—the protocol now underlies the majority of TLS certificates issued globally.

ACME's strength lies in its automation of domain control validation through challenge-response mechanisms. For each challenge the client derives a key authorization, the challenge token joined to a thumbprint of its account key, and makes it visible where only the domain's controller could. HTTP-01 serves it at http://<domain>/.well-known/acme-challenge/<token> over port 80. DNS-01 publishes a SHA-256 hash of it in a TXT record at _acme-challenge.<domain>, and is the only challenge that can validate wildcard names. TLS-ALPN-01 (RFC 8737) answers a TLS handshake on port 443 that negotiates the ALPN protocol "acme-tls/1" with a self-signed certificate carrying that hash in an acmeIdentifier extension, which suits hosts that can neither place files nor edit DNS.
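The three challenge responses above are all derived from one account key, which is the part most ACME tutorials hide behind a client. The following added example (not Unsung's code, nor that of any ACME client or CA) computes them from an account JWK and shows the check the CA makes on the HTTP-01 side. The EC coordinates are constructed placeholder values (the thumbprint of RFC 7638 does not need a valid curve point), and the token is a made-up base64url string of the kind a CA issues.

```python
# Added example (not Unsung's code, nor any ACME client's or CA's): challenge
# responses of RFC 8555 section 8 derived from an ACME account key.
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE use throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: only the required public members are hashed, in lexicographic
# order, with no whitespace.  Optional members such as "kid" are ignored.
REQUIRED_JWK_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}


def jwk_thumbprint(public_jwk: dict) -> str:
    members = REQUIRED_JWK_MEMBERS[public_jwk["kty"]]
    canonical = json.dumps({k: public_jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token || "." || thumbprint(account key).  Binds the proof to the account
    that created the order, not merely to whoever controls the host."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response(token: str, account_jwk: dict):
    """(path, body) the client serves over plain HTTP on port 80."""
    return (f"/.well-known/acme-challenge/{token}",
            key_authorization(token, account_jwk))


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Contents of the TXT record at _acme-challenge.<domain>."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def tls_alpn01_extension_value(token: str, account_jwk: dict) -> bytes:
    """acmeIdentifier extension (RFC 8737): DER OCTET STRING of SHA-256 of the
    key authorization, placed in a self-signed certificate that the server
    presents only when the handshake negotiates ALPN "acme-tls/1"."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b"\x04\x20" + digest


def ca_validate_http01(fetched_body: str, token: str, account_jwk: dict) -> bool:
    """The CA side: compare the body fetched from port 80 with the expected key
    authorization, ignoring trailing whitespace as RFC 8555 section 8.3 allows."""
    return fetched_body.rstrip() == key_authorization(token, account_jwk)


ACCOUNT_JWK = {                      # constructed; coordinates are placeholders
    "kty": "EC", "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "kid": "https://ca.example/acme/acct/1",   # not part of the thumbprint
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"   # constructed token

if __name__ == "__main__":
    print(http01_response(TOKEN, ACCOUNT_JWK))
    print(dns01_txt_value(TOKEN, ACCOUNT_JWK))
    print(tls_alpn01_extension_value(TOKEN, ACCOUNT_JWK).hex())
```

Two practical consequences follow from the derivation. A token alone proves nothing, so a stray challenge file left on a web root cannot be reused by another account. And because the HTTP-01 and TLS-ALPN-01 responses are fetched from the host itself, a CA may validate from several network vantage points; DNS-01 is the option when the host is not reachable from the Internet at all.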

Originally designed for public web certificates, ACME is increasingly adopted for internal PKI. Many enterprise certificate management platforms now support ACME, and the Chrome Root Programme requires CA applicants to support at least one automated solution by June 2026.

Strengths

  • Designed for automation at scale
  • Strong security via JWS-signed requests, nonce-based replay prevention, and domain control validation
  • Simple JSON/HTTPS interactions
  • Excellent tooling (Certbot, win-acme, acme.sh)

Weaknesses

  • Primarily focused on TLS server certificates
  • Limited lifecycle operations compared to CMP
  • Domain validation model doesn't map cleanly to device identity

Enrolment over Secure Transport (EST)

EST, defined in RFC 7030, provides a simpler alternative to CMP for certificate enrolment. It runs over HTTPS and relies on TLS for authentication, confidentiality, and integrity rather than protecting each message itself: the client posts a PKCS#10 request to /.well-known/est/simpleenroll (or /simplereenroll) and receives a base64-encoded PKCS#7 certs-only response, while /cacerts, /csrattrs, and /serverkeygen cover trust anchor retrieval, CSR attribute discovery, and server-side key generation. The client authenticates with a TLS client certificate or with HTTP basic or digest credentials inside the tunnel. This design trades CMP's flexibility for implementation simplicity, and it means that anything terminating TLS in the path, such as a proxy or an RA, sees the request in the clear and could alter it; the optional tls-unique channel binding ties the CSR to the TLS session that carries it, but that binding is defined for TLS 1.2 and is not available in TLS 1.3.

EST suits environments where a TLS stack already exists and the HTTPS endpoint is the trust boundary, so end-to-end message protection isn't required. It's commonly used for device certificate enrolment in enterprise networks and IoT deployments where a simpler protocol reduces implementation effort; BRSKI (RFC 8995) builds its zero-touch onboarding on EST.

Strengths

  • Strong security (TLS mutual auth, PoP, confidentiality/integrity via HTTPS)
  • Supports enrolment, re-enrolment, CA cert retrieval, server-side keygen
  • Good fit for modern devices with HTTPS stacks

Weaknesses

  • More complex than SCEP (multiple endpoints, more complex structures)
  • Requires a full HTTPS/TLS stack, which is heavy for constrained IoT (EST-coaps, RFC 9148, adapts it to CoAP over DTLS for that case)
  • Less flexible than CMP
  • Adoption still growing; not universal on legacy hardware

Simple Certificate Enrolment Protocol (SCEP)

SCEP emerged at Cisco in the 1990s for network device certificate enrolment. Despite never achieving formal standardisation beyond an Informational RFC (RFC 8894, published in 2020 after many years as an Internet-Draft), SCEP became widely deployed in network infrastructure—routers, switches, VPN concentrators, and similar equipment often support only SCEP.

SCEP uses plain HTTP transport (requests to a URL of the form /cgi-bin/pkiclient.exe?operation=PKIOperation) with PKCS#7/CMS for message protection: the client wraps its PKCS#10 request in CMS envelopedData encrypted to the CA's certificate, then signs that envelope with a self-signed certificate or one it was issued earlier. Its design reflects network device constraints: limited cryptographic capabilities, simple authentication requirements, and the need to work across vendor equipment.

While SCEP remains necessary for legacy equipment, its age shows in security limitations. The CA authenticates a first-time request only through a challengePassword attribute in the PKCS#10 request, which is frequently a static secret shared by many devices; the client must check the CA certificate returned by GetCACert against a fingerprint obtained out of band, or it will enrol with whoever answers; and older implementations still negotiate single DES and MD5, which RFC 8894 retains only for backward compatibility alongside the required AES and SHA-256. Newer deployments typically favour EST or CMP where possible, reserving SCEP for devices that support nothing else.

Strengths

  • Very simple to implement
  • Supported by routers, switches, firewalls, MDMs, and embedded devices
  • Lightweight and stable
  • Good for environments where device capabilities are limited

Weaknesses

  • Weaker security model (initial enrolment authenticated by a shared challengePassword; CA trust depends on an out-of-band fingerprint check)
  • Limited functionality: basic enrolment and renewal only
  • Outdated cryptography in many implementations
  • Not standards-track—RFC 8894 is Informational, not a standard
  • Being replaced by EST in modern ecosystems

Choosing the Right Protocol

Protocol selection depends on your specific requirements. ACME excels for web server automation where domain control validation fits the use case. CMP provides the flexibility and security features required for enterprise PKI serving diverse endpoints. EST offers a simpler alternative when TLS protection suffices. SCEP remains necessary for legacy network equipment.

Many organisations require multiple protocols. Web-facing services use ACME for automation. Internal certificate management platforms implement CMP for enterprise control. Network infrastructure relies on SCEP or EST. The challenge lies in integrating these protocols into a coherent certificate management strategy.

How Unsung Helps with Protocol Implementation

Unsung brings deep expertise across certificate management protocols. We help organisations evaluate their requirements and select appropriate protocols for different use cases within their environment.

Our implementation services deploy and configure protocol support across certificate management platforms including Keyfactor, Microsoft ADCS, EJBCA, and others. We integrate certificate protocols with existing infrastructure—ensuring automation works reliably across diverse systems.

Contact Unsung to discuss which certificate management protocols fit your organisation's needs.

Unsung
February 2, 2026