
A small, slightly opinionated SQL-backed SCEP server written in Go.







mysqlscepserver is a small, slightly opinionated SCEP server. It uses a MySQL backend for the CA's storage. mysqlscepserver is largely based on the MicroMDM SCEP server.


The included SCEP server and CA are very basic and lack critical security-related features. You are encouraged to explore a more robust solution such as As alluded to in this blog post this project's SCEP server will not likely be supported in the future.

Getting the latest version

  • Release .zip files containing the server should be attached to every GitHub release.
    • Release zips are also published for every main branch commit.
  • A Docker container is built and published to the registry for every release.
    • docker pull run
    • A Docker container is also published for every main branch commit (and tagged with :main)
  • If you have a Go toolchain installed you can check out the source and simply run make.


Either download a release, run Docker, or build from source (below). Once you have the binary, go ahead and run it:

MySQL setup and configuration is out of scope for this documentation. But suffice it to say you need a database to connect to with the tables in the schema.sql file.

$ ./mysqlscepserver-darwin-amd64
must supply DSN, CA pass, and API key
Usage of ./mysqlscepserver-darwin-amd64:
  -api string
    	API key for challenge API endpoints
  -capass string
    	passwd for the ca.key
  -challenge string
    	static challenge password (disables dynamic challenges)
    	enable debug logging
  -dsn string
    	SQL data source name (connection string)
  -listen string
    	port to listen on (default ":8080")
    	print version and exit

As the error states, we need to specify a MySQL DSN, CA password, and an API key:

$ ./mysqlscepserver-darwin-amd64 -dsn 'scepuser:scepsecret@tcp(' -capass casecret -api apisecret
level=info ts=2021-05-29T19:01:00.755984Z caller=main.go:102 transport=http listen=:8080 msg=listening

The DSN is in the form that the MySQL driver expects.

Environment variables can be used instead of command line switches as follows:

Environment Variable Equivalent Switch
SCEP_CA_PASS -capass

Challenge API

If a static challenge is not specified on the command line then the server uses dynamic SCEP challenges to authenticate SCEP requests. The server has an API for generating one-time-use SCEP challenges:

$ curl -u api:apisecret http://localhost:8080/challenge && echo
	"challenge": "7nA8+ljk0EwHNcXCADFOCJQ4D/G9xOY9"

This challenge can then be used by a SCEP client to authenticate their SCEP request.
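
The same challenge request as the curl call above, written as a Go client; this is an added example, not code from the mysqlscepserver project. It assumes the /challenge endpoint, the api user name and the JSON challenge field behave as in the curl output shown; fetchChallenge, the stub handler in main and the rule that plaintext HTTP is only allowed to loopback hosts are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// fetchChallenge asks <base>/challenge for a one-time SCEP challenge (Basic auth, user "api").
func fetchChallenge(base, apiKey string) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	// Basic auth is only base64-encoded, so allow cleartext HTTP to loopback hosts alone.
	if ip := net.ParseIP(u.Hostname()); u.Scheme != "https" && u.Hostname() != "localhost" && (ip == nil || !ip.IsLoopback()) {
		return "", fmt.Errorf("refusing to send API key to %q without TLS", u.Host)
	}
	u.Path = "/challenge"
	req, _ := http.NewRequest(http.MethodGet, u.String(), nil) // URL was parsed above
	req.SetBasicAuth("api", apiKey)
	resp, err := (&http.Client{Timeout: 10 * time.Second}).Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var out struct{ Challenge string `json:"challenge"` }
	err = json.NewDecoder(resp.Body).Decode(&out)
	if resp.StatusCode != http.StatusOK || err != nil || out.Challenge == "" {
		return "", fmt.Errorf("no usable challenge: status %s, decode error %v", resp.Status, err)
	}
	return out.Challenge, nil
}

func main() {
	// Constructed stand-in for the server's /challenge endpoint so the example runs offline.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if user, pass, _ := r.BasicAuth(); user != "api" || pass != "apisecret" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, `{"challenge": "7nA8+ljk0EwHNcXCADFOCJQ4D/G9xOY9"}`)
	}))
	defer srv.Close()
	fmt.Println(fetchChallenge(srv.URL, "apisecret"))
}
```

Against a real deployment, pass an https:// base URL (for example a TLS-terminating proxy in front of the listener) so the API key never crosses the network in cleartext.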


Have the Go tools installed, check out the code, then run make:

$ make
GOOS=darwin GOARCH=amd64 go build -ldflags "-X main.version=v0.1.0" -o mysqlscepserver-darwin-amd64 ./

Docker build and run

To manually build a Docker image from the source and run it you could do something like this. Note, per above, we also publish Docker images to GHCR.

make docker
docker build --tag jessepeterson/mysqlscepserver:source .
docker run -it --rm -p 8080:8080 jessepeterson/mysqlscepserver:source -dsn 'scepuser:scepsecret@tcp(' -capass casecret -api apisecret


