Comparison of ACME, EST, SCEP, and CMPv2 Protocols for Certificate Acquisition

25 Jun 2025 | Jindřich Zechmeister

Automation of digital certificate management is crucial for modern IT environments – from web servers and mobile devices to enterprise PKI. There are several protocols used to obtain certificates from certificate authorities (CAs). In this article, we compare the four most widely used protocols: ACME, EST, SCEP, and CMPv2.

Comparison of Automation Protocols for Certificates

TLS certificate automation is currently a dominant topic in IT, driven by the imminent reduction of certificate validity to 47 days. Below we look at the most widespread protocols for obtaining TLS certificates and how you can use them. All the protocols covered here allow automated certificate acquisition, whether for a simple web deployment using ACME, device management via SCEP or EST, or enterprise scenarios with full control using CMPv2.

Let's take a closer look at each protocol.

ACME – Automatic Certificate Management Environment

ACME is a modern protocol that automates the acquisition and renewal of certificates; it is supported by major CAs like DigiCert. It communicates via HTTPS and uses domain validation (DNS or HTTP).

  • Advantages: simplicity, widespread support, full automation
  • Disadvantages: limited use outside TLS/web certificates
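The domain validation step that makes ACME work without shared secrets is worth seeing in code. The following is an added example, not code from the article, SSLmarket or DigiCert: it computes the RFC 8555 key authorization for the http-01 and dns-01 challenge types from a constructed account key and token, and shows the check a CA performs on the value it fetches. The JWK coordinates and the token are arbitrary constructed values, not a real key.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample data (not a real key, not from the article): an EC P-256
# public JWK with arbitrary 32-byte coordinates and a made-up challenge token.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
    "use": "sig",  # optional member; must NOT influence the thumbprint
}
SAMPLE_TOKEN = b64url(b"\x11" * 16)


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the canonical JSON of the REQUIRED members
    only, keys sorted, no whitespace. Optional members such as "use" are ignored."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """http-01: the exact body the client must serve at
    http://<domain>/.well-known/acme-challenge/<token> (RFC 8555 section 8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """dns-01: the TXT record for _acme-challenge.<domain> carries the base64url
    SHA-256 digest of the key authorization, not the key authorization itself
    (RFC 8555 section 8.4)."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def ca_validates_http01(served_body: bytes, token: str, jwk: dict) -> bool:
    """CA-side comparison for http-01. RFC 8555 section 8.3 lets the server ignore
    trailing whitespace, so a body ending in a newline is accepted; anything else
    (wrong token, wrong account key, non-ASCII garbage) is rejected."""
    try:
        body = served_body.decode("ascii")
    except UnicodeDecodeError:
        return False
    return body.rstrip() == key_authorization(token, jwk)


def ca_validates_dns01(txt_records: list, token: str, jwk: dict) -> bool:
    """CA-side comparison for dns-01: any one TXT record at the name may match."""
    return dns01_txt_value(token, jwk) in txt_records


if __name__ == "__main__":
    ka = key_authorization(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print("http-01 body:", ka)
    print("dns-01 TXT  :", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
    print("CA accepts  :", ca_validates_http01((ka + "\n").encode(), SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
```

The security point the code makes explicit: the served value is bound to the account key through the thumbprint, so whoever controls the web root or the DNS zone proves control of the name, but cannot complete the challenge for a different ACME account. This is also why the dns-01 value is a digest rather than the key authorization itself: a TXT record is public, so it must not reveal anything reusable.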

EST – Enrollment over Secure Transport

EST is a more secure successor to SCEP. It uses HTTPS and allows verification using TLS client certificates or so-called enrollment codes. It is often used in IoT and enterprise networks.

  • Advantages: strong encryption, support for mutual authentication
  • Disadvantages: more complex implementation, less widespread

SCEP – Simple Certificate Enrollment Protocol

SCEP is an older and simpler protocol widely used in network devices (e.g., Cisco) and MDM solutions. Authentication is performed using a static password known as a challenge password.

  • Advantages: wide support, simplicity
  • Disadvantages: weaker security, limited functionality

CMPv2 – Certificate Management Protocol v2

CMPv2 is a comprehensive protocol for managing certificates throughout their lifecycle – including issuance, renewal, revocation, and key updates. It is mainly intended for enterprise environments and telecom.

  • Advantages: robust, flexible, complete PKI support
  • Disadvantages: higher complexity, more complicated deployment

Comparison Table

| Feature / Protocol | ACME | EST | SCEP | CMPv2 |
|---|---|---|---|---|
| Primary Use | Web/TLS certificates | IoT, devices | MDM, networks | Enterprise PKI |
| Transport | HTTPS (REST) | HTTPS | HTTP | HTTP(S), TCP |
| Authentication | DNS/HTTP validation | TLS cert., enrollment code | Challenge password | Flexible (PKI) |
| Certificate Renewal | ✅ Yes | ✅ Yes | ⚠️ Limited | ✅ Full |
| Certificate Revocation | ⚠️ Limited | ⚠️ Possible | ❌ No | ✅ Yes |
| Encryption Support | Modern | Modern | Obsolete | Modern |
| Simplicity | ✅ Simple | ⚠️ Medium | ✅ Simple | ❌ Complex |
| Standardization | RFC 8555 | RFC 7030 | Cisco/IETF draft | RFC 4210 |
| Certificate Automation | ✅ Full automation | ✅ Partial automation | ✅ Basic automation | ✅ Full automation |

How to Use These Protocols?

The ACME protocol is available to every SSLmarket customer free of charge. This lets you automate the issuance and renewal of TLS certificates without additional costs or complex configuration. Simply log in to your customer administration and click the ACME link in the top menu, then create free DigiCert ACME EAB (External Account Binding) access.
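What the EAB access created in the previous step is used for: an ACME client attaches an External Account Binding to its newAccount request so the CA can tie the fresh ACME account to an existing customer. The block below is an added example, not code from the article, SSLmarket or DigiCert, and it implements the RFC 8555 section 7.3.4 construction directly: the key identifier, HMAC key, account key and directory URL are all constructed placeholder values, not real credentials.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding (JOSE encoding)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; restores the padding urlsafe_b64decode insists on."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed sample values (placeholders, not real CA credentials): the kid and
# base64url HMAC key a CA would show in its portal, the account's public JWK with
# arbitrary coordinates, and the CA's newAccount URL.
SAMPLE_EAB_KID = "example-kid-0001"
SAMPLE_EAB_HMAC_KEY = b64url(b"\x42" * 32)
SAMPLE_NEW_ACCOUNT_URL = "https://acme.example.test/directory/new-account"
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
}


def _compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def build_external_account_binding(account_jwk: dict, eab_kid: str,
                                   eab_hmac_key: str, new_account_url: str) -> dict:
    """Client side: a MAC-signed JWS whose payload is the account public key. The
    protected header names the CA-issued kid and the newAccount URL; the MAC key is
    the CA-issued secret. The result goes into the newAccount request body as the
    "externalAccountBinding" member."""
    protected = b64url(_compact_json({"alg": "HS256", "kid": eab_kid, "url": new_account_url}))
    payload = b64url(_compact_json(account_jwk))
    signing_input = f"{protected}.{payload}".encode("ascii")
    mac = hmac.new(b64url_decode(eab_hmac_key), signing_input, hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}


def verify_external_account_binding(eab: dict, account_jwk: dict,
                                    eab_hmac_key: str, expected_url: str) -> bool:
    """CA side. In a real CA the MAC key is looked up from the header's kid; here it
    is passed in. Constant-time MAC check first, then the header must carry the
    expected algorithm and URL, and the payload must be exactly the account key the
    outer newAccount request was signed with."""
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected_mac = hmac.new(b64url_decode(eab_hmac_key), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_mac, b64url_decode(eab["signature"])):
        return False
    header = json.loads(b64url_decode(eab["protected"]))
    if header.get("alg") != "HS256" or header.get("url") != expected_url:
        return False
    return json.loads(b64url_decode(eab["payload"])) == account_jwk


if __name__ == "__main__":
    eab = build_external_account_binding(SAMPLE_ACCOUNT_JWK, SAMPLE_EAB_KID,
                                         SAMPLE_EAB_HMAC_KEY, SAMPLE_NEW_ACCOUNT_URL)
    print(json.dumps(eab, indent=2))
    print("CA accepts:", verify_external_account_binding(eab, SAMPLE_ACCOUNT_JWK,
                                                        SAMPLE_EAB_HMAC_KEY, SAMPLE_NEW_ACCOUNT_URL))
```

Two points for operators follow from the verification logic: the EAB HMAC key is a bearer secret and deserves the same handling as an API key, and because the binding covers the account public key and the newAccount URL, a captured binding cannot be replayed to register a different key or against a different CA endpoint.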

All four mentioned protocols – ACME, EST, SCEP, and CMPv2 – are supported in the DigiCert Trust Lifecycle Manager solution, which serves as a central platform for managing certificates and key material throughout the organization. It allows for secure and automated deployment of certificates across various environments (on-premise, cloud, hybrid) and supports integration with MDM, DevOps, and network infrastructure. More information about DigiCert Trust Lifecycle Manager can be found on its product page.

Conclusion

The choice of the right protocol depends on the specific scenario. ACME is ideal for automating TLS certificates, EST for modern IoT and devices, SCEP for legacy infrastructures, and CMPv2 for fully managed PKI in enterprise environments. Proper integration of these protocols can significantly simplify certificate management and increase the security of the entire infrastructure.

ACME can be used by any SSLmarket customer for free; for a comprehensive solution, we recommend DigiCert Trust Lifecycle Manager. We would be happy to demonstrate it to you.


Ing. Jindřich Zechmeister
TLS certificate specialist
Certificated Sales Expert Plus
e-mail: jindrich.zechmeister(at)zoner.com