ScepServer – Certificate Management & SCEP

About

ScepServer is a production-ready, standards-compliant Simple Certificate Enrollment Protocol (SCEP) server and certificate management portal. It enables secure, automated certificate issuance, renewal, and revocation for managed devices, supporting scalable PKI workflows in modern enterprise environments.

Features

Automated certificate issuance, renewal, and revocation
Certificate Revocation List (CRL) generation and status tracking
Multi-tenant/company support
Device enrollment and management
Audit logging for all certificate operations
RESTful API endpoints for admin operations
Demo data seeding for development/testing
Extensible, clean architecture with SOLID principles
Built with .NET 8, ASP.NET Core, and Entity Framework Core

Tech Stack

Backend

.NET 8, ASP.NET Core, Entity Framework Core

Database

SQLite (default), SQL Server, PostgreSQL

Frontend

Razor Pages (admin UI)

Other

Dependency Injection, Logging

Usage

Admin UI

Access: https://localhost:5001/ after running the app.
Navigation: Intuitive sidebar and dashboard for fast access to all management areas.
Management: Companies, devices, certificates, CRL, and logs in a unified interface.
Search & Filter: Quickly find records with instant search and advanced filters.
Visual Status: Color-coded indicators for certificate and device health.
Responsive: Works on desktop, tablet, and mobile browsers.

**Dashboard:** The central hub for administrators. Instantly see certificate inventory, active/revoked/expired counts, recent events, and system health. Quick links let you jump to any management area. Alerts and notifications highlight urgent actions, such as expiring certificates or failed enrollments. Designed for clarity and at-a-glance monitoring.

**Companies:** Multi-tenant/company management. Add, edit, or deactivate companies. Assign SCEP challenge passwords, view per-company statistics, and drill down into company-specific devices and certificates. Ideal for MSPs, large organizations, or any environment with multiple business units or customers.

**Devices:** Complete device inventory. Search, filter, and manage all enrolled devices. See device identifiers, display names, company association, last seen timestamps, and enrollment status. Track device lifecycle, certificate assignments, and quickly identify inactive or problematic devices.

**Certificates:** Full certificate lifecycle management. View all issued certificates, inspect details (subject, serial, validity, status), filter by company/device, and perform actions such as revocation or renewal. Visual indicators for certificate state (active, expired, revoked) and quick access to certificate history.

**CRL Management:** Manage Certificate Revocation Lists with ease. Generate, schedule, and review CRLs. See CRL version, last/next update, and revoked certificate serials. Initiate manual CRL generation, monitor CRL distribution, and ensure compliance with PKI best practices. Visual feedback for CRL health and update status.

**Issuance Logs:** A comprehensive, filterable audit log of all certificate operations: issuance, renewal, revocation, and CRL events. Includes timestamps, operation status, client IP, and human-readable messages. Essential for compliance, troubleshooting, and security investigations.

Mobile SCEP Testing (Droid_SCEP)

This solution has been tested with the Droid_SCEP Android app for mobile certificate enrollment and management.
Example test flows:

Droid_SCEP Test 1 — **Test 1:** Initial SCEP enrollment flow. The app successfully connects to the ScepServer endpoint, retrieves the CA certificate, and initiates the enrollment process. This confirms that the server is correctly configured to handle SCEP requests from mobile clients.

Droid_SCEP Test 2 — **Test 2:** Certificate request submission. The app generates a certificate signing request (CSR) and submits it to the ScepServer. The server processes the request and issues a certificate, which is then installed on the device. This demonstrates the end-to-end SCEP enrollment workflow.

Droid_SCEP Test 3 — **Test 3:** Certificate management. After enrollment, the app displays the issued certificate details, including subject, issuer, validity period, and status. This confirms that the ScepServer is correctly issuing certificates and that the mobile client can retrieve and display certificate information.

Droid_SCEP Test 4 — **Test 4:** Certificate management. After enrollment, the app displays the issued certificate details, including subject, issuer, validity period, and status. The app also monitors the number of days remaining before certificate expiration and warns the user when the certificate is approaching expiration. This demonstrates proactive certificate lifecycle management and user notification capabilities.

API Overview

Key endpoints:

Enroll Certificate: POST /scep/pkiclient.exe
Revoke Certificate: POST /api/operations/revoke
Generate CRL: POST /api/operations/crl/generate
Get CRL Status: GET /api/operations/crl/status

See README for request/response examples.

Contact

Maintainer: Manuel Rodríguez Camacho

GitHub | LinkedIn