feat(M51): add SCEP server (RFC 8894) for MDM and network device enrollment

Implements Simple Certificate Enrollment Protocol with single-endpoint
operation-based dispatch (GetCACaps, GetCACert, PKIOperation), PKCS#7
SignedData CSR extraction with fallback for raw/base64 CSR, challenge
password authentication via CSR attributes, and shared internal/pkcs7
package extracted from EST handler to eliminate code duplication.

24 new tests (11 service + 13 handler) plus 5 shared pkcs7 package tests.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

LICENSE

@@ -6,13 +6,20 @@ Licensor:             Shankar Reddy
 Licensed Work:        certctl
                       The Licensed Work is (c) 2026 Shankar Reddy.
 Additional Use Grant: You may make use of the Licensed Work, provided that
-                      you may not use the Licensed Work for a Certificate
-                      Management Service. A "Certificate Management Service"
-                      is a commercial offering that allows third parties
-                      (other than your employees and contractors acting on
-                      your behalf) to access and/or use the Licensed Work's
-                      certificate lifecycle management functionality as part
-                      of a hosted or managed service.
+                      you may not use the Licensed Work for a Commercial
+                      Certificate Service. A "Commercial Certificate Service"
+                      is any product, service, or offering in which a third
+                      party (other than your employees and contractors
+                      acting on your behalf) accesses, uses, or benefits
+                      from the Licensed Work's certificate management
+                      functionality — including but not limited to lifecycle
+                      management, discovery, monitoring, alerting, renewal
+                      automation, deployment, and revocation — as part of
+                      or in connection with an offering for which
+                      compensation is received. This restriction applies
+                      regardless of whether the Licensed Work is hosted,
+                      managed, embedded, bundled, or integrated with
+                      another product or service.
 
 Change Date:          March 14, 2033
 

README.md

@@ -70,9 +70,11 @@ For a detailed comparison with other competitors and enterprise platforms, see [
 
 - **Everything is auditable.** Immutable append-only audit trail records every lifecycle action, every API call, and every approval decision. Certificate digest emails deliver daily briefings. Prometheus metrics endpoint for Grafana dashboards.
 
-- **Multiple interfaces for different workflows.** REST API for automation, CLI for scripting, MCP server for AI assistants (Claude, Cursor, Windsurf), EST server (RFC 7030) for device enrollment, Helm chart for Kubernetes, and the web dashboard for day-to-day operations.
+- **Standards-based protocol support.** EST server (RFC 7030) for device and WiFi certificate enrollment. SCEP server (RFC 8894) for MDM platforms and network device enrollment. ACME ARI (RFC 9773) for CA-directed renewal timing. S/MIME certificate issuance with email protection EKU for end-to-end encrypted email. DER-encoded X.509 CRL and embedded OCSP responder for revocation infrastructure.
 
-For the full capability breakdown — revocation infrastructure (CRL + OCSP), policy engine, certificate profiles, S/MIME support, approval workflows, and more — see the [Feature Inventory](docs/features.md).
+- **Multiple interfaces for different workflows.** REST API (107 routes) for automation, CLI for scripting, MCP server for AI assistants (Claude, Cursor, Windsurf), Helm chart for Kubernetes, and the web dashboard (24 pages) for day-to-day operations.
+
+For the full capability breakdown, including the policy engine, certificate profiles, approval workflows, certificate export (PEM/PKCS#12), and more, see the [Feature Inventory](docs/features.md).
 
 ## Supported Integrations
 
@@ -84,13 +86,11 @@ For the full capability breakdown — revocation infrastructure (CRL + OCSP), po
 | ACME EAB (ZeroSSL, Google Trust) | Implemented (auto-fetch EAB from ZeroSSL) | `ACME` |
 | step-ca | Implemented | `StepCA` |
 | OpenSSL / Custom CA | Implemented | `OpenSSL` |
-| Vault PKI | Beta | `VaultPKI` |
-| DigiCert CertCentral | Beta | `DigiCert` |
-| Sectigo SCM | Beta | `Sectigo` |
-| Google CAS | Beta | `GoogleCAS` |
-| AWS ACM Private CA | Beta | `AWSACMPCA` |
-
-**Vault PKI, DigiCert, Sectigo, Google CAS, and AWS ACM PCA connectors are in beta.** If you hit any bugs or unexpected behavior, please [open a GitHub issue](https://github.com/shankar0123/certctl/issues) -- we're actively testing these and want to hear from real users.
+| Vault PKI | Implemented | `VaultPKI` |
+| DigiCert CertCentral | Implemented | `DigiCert` |
+| Sectigo SCM | Implemented | `Sectigo` |
+| Google CAS | Implemented | `GoogleCAS` |
+| AWS ACM Private CA | Implemented | `AWSACMPCA` |
 
 **Note:** ADCS integration is handled via the Local CA's sub-CA mode — certctl operates as a subordinate CA with its signing certificate issued by ADCS. Any CA with a shell-accessible signing interface can be integrated today via the OpenSSL/Custom CA connector.
 
@@ -106,11 +106,11 @@ For the full capability breakdown — revocation infrastructure (CRL + OCSP), po
 | Postfix | Implemented | `Postfix` |
 | Dovecot | Implemented | `Dovecot` |
 | Microsoft IIS | Implemented (local + WinRM) | `IIS` |
-| F5 BIG-IP | Beta | `F5` |
-| SSH (Agentless) | Beta | `SSH` |
+| F5 BIG-IP | Implemented (proxy agent) | `F5` |
+| SSH (Agentless) | Implemented | `SSH` |
 | Windows Cert Store | Implemented | `WinCertStore` |
 | Java Keystore | Implemented | `JavaKeystore` |
-| Kubernetes Secrets | Coming in 2.1 | `KubernetesSecrets` |
+| Kubernetes Secrets | Implemented | `KubernetesSecrets` |
 
 ### Notifiers
 | Notifier | Status | Type |
@@ -166,7 +166,7 @@ docker compose -f deploy/docker-compose.yml up -d --build
 
 Wait ~30 seconds, then open **http://localhost:8443** in your browser. The onboarding wizard walks you through connecting a CA, deploying an agent, and issuing your first certificate.
 
-**Want a pre-populated demo instead?** Add the demo override to see 32 certificates across 7 issuers, 8 agents, and 180 days of realistic history:
+**Want a pre-populated demo instead?** Add the demo override to see 32 certificates across 10 issuers, 8 agents, and 180 days of realistic history:
 
 ```bash
 docker compose -f deploy/docker-compose.yml -f deploy/docker-compose.demo.yml up -d --build
@@ -187,6 +187,16 @@ curl -sSL https://raw.githubusercontent.com/shankar0123/certctl/master/install-a
 
 Detects your OS and architecture, downloads the binary, configures systemd (Linux) or launchd (macOS), and starts the agent. See [install-agent.sh](install-agent.sh) for details.
 
+### Helm Chart (Kubernetes)
+
+```bash
+helm install certctl deploy/helm/certctl/ \
+  --set server.apiKey=your-api-key \
+  --set postgres.password=your-db-password
+```
+
+Production-ready chart with Server Deployment, PostgreSQL StatefulSet, Agent DaemonSet, health probes, security contexts (non-root, read-only rootfs), and optional Ingress. See [values.yaml](deploy/helm/certctl/values.yaml) for all configuration options.
+
 ### Docker Pull
 
 ```bash
@@ -313,17 +323,17 @@ Core lifecycle management — Local CA + ACME v2 issuers, NGINX target connector
 ### V2: Operational Maturity — Shipped
 30+ milestones, extensively tested with CI-enforced coverage gates. Sub-CA mode, ACME DNS-01/DNS-PERSIST-01, step-ca, Vault PKI, DigiCert CertCentral, OpenSSL/Custom CA issuers. NGINX, Apache, HAProxy, Traefik, Caddy, Envoy, Postfix, Dovecot, IIS targets. RFC 5280 revocation with CRL + OCSP. Certificate profiles, ownership tracking, approval workflows. Filesystem and network certificate discovery. Prometheus metrics, dashboard charts, agent fleet overview. EST server (RFC 7030), ACME ARI (RFC 9773), certificate export, S/MIME support, Helm chart, MCP server, CLI, scheduled digest emails. Slack, Teams, PagerDuty, OpsGenie, SMTP notifications. Compliance mapping (SOC 2, PCI-DSS 4.0, NIST SP 800-57). See the [Feature Inventory](docs/features.md) for details.
 
-**Coming in v2.1.0:** Dynamic issuer and target configuration via GUI (no env var restarts), first-run onboarding wizard.
+Dynamic issuer and target configuration via GUI (no env var restarts), first-run onboarding wizard, Sectigo SCM, Google CAS, AWS ACM Private CA issuers, IIS (WinRM), F5 BIG-IP, SSH, Windows Certificate Store, Java Keystore, and Kubernetes Secrets target connectors.
 
 ### V3: certctl Pro
 Team access controls and identity provider integration (OIDC/SSO). Role-based access control with profile-gating. Event-driven architecture (NATS) with real-time operational views. Advanced search DSL, compliance and risk scoring, bulk fleet operations.
 
-### V4+: Cloud, Scale & Passive Discovery
-Passive network discovery (TLS listener), Kubernetes integration (cert-manager external issuer, Secrets target), cloud infrastructure targets (AWS ALB/ACM, Azure Key Vault), extended CA support (Entrust, GlobalSign, EJBCA), and platform-scale features (Terraform provider, multi-tenancy, HSM support).
+### V4+: Cloud & Scale
+Continuous TLS health monitoring, cloud secret manager discovery, Kubernetes cert-manager external issuer, cloud infrastructure targets, extended CA support (Entrust, GlobalSign, EJBCA), and platform-scale features (Terraform provider, multi-tenancy).
 
 ## License
 
-Certctl is licensed under the [Business Source License 1.1](LICENSE). The source code is publicly available and free to use, modify, and self-host. The one restriction: you may not offer certctl as a managed/hosted certificate management service to third parties. The BSL 1.1 license converts automatically to Apache 2.0 on March 1, 2033, providing perpetual freedom.
+Certctl is licensed under the [Business Source License 1.1](LICENSE). The source code is publicly available and free to use, modify, and self-host. The one restriction: you may not use certctl's certificate management functionality as part of a commercial offering to third parties, whether hosted, managed, embedded, bundled, or integrated. The BSL 1.1 license converts automatically to Apache 2.0 on March 14, 2033.
 
 For licensing inquiries: certctl@proton.me
 

cmd/server/main.go

@@ -339,6 +339,26 @@ func main() {
 			"endpoints", "/.well-known/est/{cacerts,simpleenroll,simplereenroll,csrattrs}")
 	}
 
+	// Register SCEP (RFC 8894) handlers if enabled
+	if cfg.SCEP.Enabled {
+		issuerConn, ok := issuerRegistry.Get(cfg.SCEP.IssuerID)
+		if !ok {
+			logger.Error("SCEP issuer not found in registry", "issuer_id", cfg.SCEP.IssuerID)
+			os.Exit(1)
+		}
+		scepService := service.NewSCEPService(cfg.SCEP.IssuerID, issuerConn, auditService, logger, cfg.SCEP.ChallengePassword)
+		if cfg.SCEP.ProfileID != "" {
+			scepService.SetProfileID(cfg.SCEP.ProfileID)
+		}
+		scepHandler := handler.NewSCEPHandler(scepService)
+		apiRouter.RegisterSCEPHandlers(scepHandler)
+		logger.Info("SCEP server enabled",
+			"issuer_id", cfg.SCEP.IssuerID,
+			"profile_id", cfg.SCEP.ProfileID,
+			"challenge_password_set", cfg.SCEP.ChallengePassword != "",
+			"endpoints", "/scep?operation={GetCACaps,GetCACert,PKIOperation}")
+	}
+
 	logger.Info("registered all API handlers")
 
 	// Build middleware stack

deploy/docker-compose.demo.yml

@@ -1,4 +1,4 @@
-# Demo mode: pre-populated dashboard with 15 certificates, 5 agents, issuers, etc.
+# Demo mode: pre-populated dashboard with 32 certificates, 8 agents, 10 issuers, etc.
 # Use this to showcase certctl's dashboard with realistic data.
 #
 # Usage:

docs/architecture.md

@@ -82,6 +82,9 @@ flowchart TB
         CA4["OpenSSL / Custom CA\n(script-based)"]
         CA6["Vault PKI\n(token auth, /sign API)"]
         CA7["DigiCert CertCentral\n(async order model)"]
+        CA8["Sectigo SCM\n(async order model)"]
+        CA9["Google CAS\n(OAuth2, sync)"]
+        CA10["AWS ACM PCA\n(sync issuance)"]
     end
 
     subgraph "Target Systems"
@@ -95,6 +98,9 @@ flowchart TB
         T2["F5 BIG-IP\n(proxy agent + iControl REST)"]
         T3["IIS\n(WinRM + local)"]
         T10["SSH\n(SFTP + reload)"]
+        T11["WinCertStore\n(PowerShell import)"]
+        T12["Java Keystore\n(keytool pipeline)"]
+        T13["Kubernetes Secrets\n(K8s API)"]
     end
 
     DASH --> API
@@ -102,7 +108,7 @@ flowchart TB
     SVC --> REPO
     REPO --> PG
     SCHED --> SVC
-    SVC -->|"Issue/Renew"| CA1 & CA2 & CA3 & CA4 & CA6 & CA7
+    SVC -->|"Issue/Renew"| CA1 & CA2 & CA3 & CA4 & CA6 & CA7 & CA8 & CA9 & CA10
 
     A1 & A2 & A3 -->|"CSR + Heartbeat"| API
     API -->|"Cert + Chain\n(NO private key)"| A1 & A2 & A3
@@ -122,7 +128,7 @@ The server exposes a REST API under `/api/v1/` and optionally serves the web das
 
 ### Agents
 
-Lightweight Go processes that run on or near your infrastructure. Agents generate ECDSA P-256 private keys locally, create CSRs, and submit them to the control plane for signing — private keys never leave agent infrastructure. Agents also handle certificate deployment to target systems (NGINX, Apache httpd, HAProxy, Traefik, Caddy, Envoy, Postfix, Dovecot, IIS, F5 BIG-IP, SSH, Windows Certificate Store, Java Keystore) and report job status. They communicate with the control plane via HTTP and authenticate with API keys.
+Lightweight Go processes that run on or near your infrastructure. Agents generate ECDSA P-256 private keys locally, create CSRs, and submit them to the control plane for signing — private keys never leave agent infrastructure. Agents also handle certificate deployment to target systems (NGINX, Apache httpd, HAProxy, Traefik, Caddy, Envoy, Postfix, Dovecot, IIS, F5 BIG-IP, SSH, Windows Certificate Store, Java Keystore, Kubernetes Secrets) and report job status. They communicate with the control plane via HTTP and authenticate with API keys.
 
 The agent runs two background loops: a heartbeat (every 60 seconds) to signal it's alive, and a work poll (every 30 seconds) to check for actionable jobs via `GET /api/v1/agents/{id}/work`. Jobs may be `AwaitingCSR` (agent needs to generate key + submit CSR) or `Deployment` (agent needs to deploy a certificate). Private keys are stored in `CERTCTL_KEY_DIR` (default `/var/lib/certctl/keys`) with 0600 permissions.
 
@@ -134,7 +140,7 @@ The agent runs two background loops: a heartbeat (every 60 seconds) to signal it
 
 The web dashboard is the primary operational interface for certctl. It is built with Vite + React + TypeScript and uses TanStack Query for server state management (caching, background refetching, optimistic updates).
 
-**Current views** (21 pages): certificate inventory (list with multi-select bulk operations + "New Certificate" creation modal + detail with deployment status timeline, inline policy/profile editor, version history, deploy, revoke, archive, and trigger renewal actions), agent fleet (list + detail with system info + OS/architecture grouping with charts), job queue (status, retry, cancel, approve/reject for AwaitingApproval jobs), notification inbox (threshold alert grouping, mark-as-read), audit trail (time range, actor, action filters + CSV/JSON export), policy management (rules with enable/disable toggle + delete + violations), issuers (list with test connection + delete), targets (list with 3-step configuration wizard + delete), owners (list with team resolution + delete), teams (list with delete), agent groups (list with dynamic match criteria badges + enable/disable + delete), certificate profiles (list with crypto constraints), short-lived credentials dashboard (TTL countdown, profile filtering, auto-refresh), discovered certificates triage (claim/dismiss unmanaged certs discovered by agents or network scans), network scan targets management (CRUD for network scan targets + Scan Now button), summary dashboard with charts (expiration heatmap, renewal success rate, status distribution, issuance rate), and login page.
+**Current views** (24 pages): certificate inventory (list with multi-select bulk operations + "New Certificate" creation modal + detail with deployment status timeline, inline policy/profile editor, version history, deploy, revoke, archive, and trigger renewal actions), agent fleet (list + detail with system info + OS/architecture grouping with charts), job queue (list + detail with verification section, timeline, audit events; approve/reject for AwaitingApproval jobs), notification inbox (threshold alert grouping, mark-as-read), audit trail (time range, actor, action filters + CSV/JSON export), policy management (rules with enable/disable toggle + delete + violations), issuers (catalog with 10 type cards + 3-step create wizard + detail with test connection), targets (list with 3-step configuration wizard + detail with deployment history), owners (list with team resolution + delete), teams (list with delete), agent groups (list with dynamic match criteria badges + enable/disable + delete), certificate profiles (list with crypto constraints), short-lived credentials dashboard (TTL countdown, profile filtering, auto-refresh), discovered certificates triage (claim/dismiss unmanaged certs discovered by agents or network scans), network scan targets management (CRUD + Scan Now button), summary dashboard with charts (expiration heatmap, renewal success rate, status distribution, issuance rate), digest preview and send, observability (health, metrics, Prometheus config), and login page.
 
 The dashboard includes an **ErrorBoundary component** for graceful error recovery — if a view crashes, the boundary catches the error and displays a user-friendly message instead of breaking the entire dashboard. It also includes a **demo mode** that activates when the API is unreachable — it renders realistic mock data for screenshots and offline presentations.
 
@@ -510,12 +516,13 @@ flowchart TB
         II["IssuerConnector Interface\nIssueCertificate() | RenewCertificate()\nRevokeCertificate() | GetOrderStatus()"]
         II --> LC["Local CA"]
         II --> ACME["ACME v2"]
-        II --> SC["step-ca"]
+        II --> SCA["step-ca"]
         II --> OC["OpenSSL / Custom CA"]
         II --> VP["Vault PKI"]
         II --> DC["DigiCert CertCentral"]
         II --> SG["Sectigo SCM"]
         II --> GC["Google CAS"]
+        II --> AP2["AWS ACM PCA"]
     end
 
     subgraph "Target Connectors"
@@ -530,7 +537,10 @@ flowchart TB
         TI --> PO["Postfix/Dovecot"]
         TI --> IIS["IIS"]
         TI --> F5["F5 BIG-IP"]
-        TI --> SC["SSH"]
+        TI --> SSH["SSH"]
+        TI --> WCS["WinCertStore"]
+        TI --> JKS["Java Keystore"]
+        TI --> K8S["K8s Secrets"]
     end
 
     subgraph "Notifier Connectors"
@@ -582,7 +592,7 @@ type Connector interface {
 }
 ```
 
-Built-in issuers: **Local CA** (self-signed or sub-CA mode using `crypto/x509`), **ACME v2** (HTTP-01, DNS-01, and DNS-PERSIST-01 challenges, compatible with Let's Encrypt, ZeroSSL, Sectigo, Google Trust Services, and any ACME-compliant CA), **step-ca** (Smallstep private CA via native /sign API with JWK provisioner auth), **OpenSSL/Custom CA** (script-based signing delegating to user-provided shell scripts), **Vault PKI** (HashiCorp Vault's PKI secrets engine via /sign API with token auth), and **DigiCert** (commercial CA via CertCentral REST API with async order processing). The ACME connector uses `golang.org/x/crypto/acme`, generates an ECDSA P-256 account key, handles account registration with ToS acceptance and optional External Account Binding (EAB) for CAs that require it (ZeroSSL, Google Trust Services, SSL.com), order creation, challenge solving (HTTP-01 via built-in server, DNS-01 via script-based hooks, DNS-PERSIST-01 via standing TXT records with auto-fallback to DNS-01), order finalization, and DER-to-PEM chain conversion. For ZeroSSL, EAB credentials are auto-fetched from ZeroSSL's public API when the directory URL is detected as ZeroSSL and no EAB credentials are provided — zero-friction onboarding with no dashboard visit required.
+Built-in issuers (9 connectors): **Local CA** (self-signed or sub-CA mode using `crypto/x509`), **ACME v2** (HTTP-01, DNS-01, and DNS-PERSIST-01 challenges, compatible with Let's Encrypt, ZeroSSL, Sectigo, Google Trust Services, and any ACME-compliant CA), **step-ca** (Smallstep private CA via native /sign API with JWK provisioner auth), **OpenSSL/Custom CA** (script-based signing delegating to user-provided shell scripts), **Vault PKI** (HashiCorp Vault's PKI secrets engine via /sign API with token auth), **DigiCert** (commercial CA via CertCentral REST API with async order processing), **Sectigo SCM** (async order model with 3-header auth), **Google CAS** (Cloud Certificate Authority Service with OAuth2 service account auth), and **AWS ACM Private CA** (synchronous issuance via ACM PCA API). The ACME connector uses `golang.org/x/crypto/acme`, generates an ECDSA P-256 account key, handles account registration with ToS acceptance and optional External Account Binding (EAB) for CAs that require it (ZeroSSL, Google Trust Services, SSL.com), order creation, challenge solving (HTTP-01 via built-in server, DNS-01 via script-based hooks, DNS-PERSIST-01 via standing TXT records with auto-fallback to DNS-01), order finalization, and DER-to-PEM chain conversion. For ZeroSSL, EAB credentials are auto-fetched from ZeroSSL's public API when the directory URL is detected as ZeroSSL and no EAB credentials are provided — zero-friction onboarding with no dashboard visit required.
 
 **ACME Renewal Information (ARI, RFC 9773):** The ACME connector supports CA-directed renewal timing via the `GetRenewalInfo()` method. Instead of using fixed thresholds (e.g., renew 30 days before expiry), the CA tells certctl when to renew by providing a `suggestedWindow` with start and end times. This is useful for distributing renewal load during maintenance windows and coordinating mass-revocation scenarios. Enable with `CERTCTL_ACME_ARI_ENABLED=true`. Cert ID is computed as `base64url(SHA-256(DER cert))` per RFC 9773. If the CA doesn't support ARI (404 from the ARI endpoint), certctl automatically falls back to threshold-based renewal — no operator intervention required. Errors from the CA are logged as warnings.
 
@@ -602,11 +612,11 @@ type Connector interface {
 
 The `DeploymentRequest` struct carries the full material needed by the target system: the signed certificate, the CA chain, the agent-generated private key, target-specific configuration, and arbitrary metadata. The key field is populated by the agent from its local key store (`CERTCTL_KEY_DIR`) — it never originates from the control plane.
 
-Built-in targets: **NGINX** (writes cert/chain/key files, validates with `nginx -t`, reloads), **Apache httpd** (writes cert/chain/key files, validates with `apachectl configtest`, graceful reload), **HAProxy** (combined PEM file with cert+chain+key, validates config, reloads via systemctl/signal), **Traefik** (file provider — writes cert/key to watched directory, Traefik auto-reloads), **Caddy** (dual-mode: admin API hot-reload or file-based), **Envoy** (file-based with optional SDS JSON config), **F5 BIG-IP** (proxy agent + iControl REST, transaction-based atomic SSL profile updates), **IIS** (dual-mode: agent-local PowerShell + proxy agent WinRM for agentless targets), **Postfix/Dovecot** (file write + service reload), **SSH** (agentless deployment via SSH/SFTP), **Windows Certificate Store** (PowerShell-based cert import, dual-mode local/WinRM), **Java Keystore** (PEM → PKCS#12 → keytool pipeline, JKS and PKCS12 formats).
+Built-in targets (14 connector types): **NGINX** (writes cert/chain/key files, validates with `nginx -t`, reloads), **Apache httpd** (writes cert/chain/key files, validates with `apachectl configtest`, graceful reload), **HAProxy** (combined PEM file with cert+chain+key, validates config, reloads via systemctl/signal), **Traefik** (file provider — writes cert/key to watched directory, Traefik auto-reloads), **Caddy** (dual-mode: admin API hot-reload or file-based), **Envoy** (file-based with optional SDS JSON config), **F5 BIG-IP** (proxy agent + iControl REST, transaction-based atomic SSL profile updates), **IIS** (dual-mode: agent-local PowerShell + proxy agent WinRM for agentless targets), **Postfix/Dovecot** (file write + service reload), **SSH** (agentless deployment via SSH/SFTP), **Windows Certificate Store** (PowerShell-based cert import, dual-mode local/WinRM), **Java Keystore** (PEM → PKCS#12 → keytool pipeline, JKS and PKCS12 formats), **Kubernetes Secrets** (deploys as `kubernetes.io/tls` Secrets via injectable K8sClient interface, in-cluster or kubeconfig auth).
 
 After deployment, agents can perform **post-deployment TLS verification**: the agent probes the live TLS endpoint using `crypto/tls.DialWithDialer` and compares the SHA-256 fingerprint of the served certificate against what was deployed. Results are reported via `POST /api/v1/jobs/{id}/verify` and stored on the job record. Verification is best-effort — failures don't block or rollback deployments.
 
-The SSH connector enables agentless deployment to any Linux/Unix server via SSH/SFTP, using the proxy agent pattern. Additional cloud, network, and Kubernetes target connectors are planned for future releases.
+The SSH connector enables agentless deployment to any Linux/Unix server via SSH/SFTP, using the proxy agent pattern. The Kubernetes Secrets connector deploys certificates as `kubernetes.io/tls` Secrets via an injectable K8sClient interface supporting both in-cluster and out-of-cluster auth.
 
 ### Notifier Connector
 
@@ -659,10 +669,50 @@ type ESTService interface {
 }
 ```
 
-**Issuer connector extension:** EST required adding `GetCACertPEM(ctx) (string, error)` to the issuer connector interface so the `/cacerts` endpoint can serve the CA chain. The Local CA connector returns its CA certificate PEM; ACME, step-ca, OpenSSL, Vault, and DigiCert connectors return errors (they don't expose a static CA chain — their chains are per-issuance).
+**Issuer connector extension:** EST required adding `GetCACertPEM(ctx) (string, error)` to the issuer connector interface so the `/cacerts` endpoint can serve the CA chain. The Local CA returns its CA certificate PEM; Vault PKI fetches via `GET /v1/{mount}/ca/pem`; Google CAS fetches via API; AWS ACM PCA retrieves via `GetCertificateAuthorityCertificate`. ACME, step-ca, OpenSSL, DigiCert, and Sectigo connectors return errors (they don't expose a static CA chain — their chains are per-issuance).
 
 **Audit:** Every EST enrollment is recorded in the audit trail with `protocol: "EST"`, the CN, SANs, issuer ID, serial number, and optional profile ID.
 
+### SCEP Server (RFC 8894)
+
+The SCEP (Simple Certificate Enrollment Protocol) server provides certificate enrollment for MDM platforms and network devices. It runs at `/scep` with operation-based dispatch via query parameters per RFC 8894.
+
+**Architecture:** SCEP follows the exact same layering as EST — a handler-level protocol that delegates certificate issuance to an existing `IssuerConnector`. The `SCEPService` bridges the `SCEPHandler` to whichever issuer connector is configured via `CERTCTL_SCEP_ISSUER_ID`.
+
+```
+Client (MDM, network device, SCEP client)
+    │
+    ▼
+SCEPHandler (handler layer)
+    │  PKCS#7 envelope parsing, CSR extraction, challenge password extraction
+    ▼
+SCEPService (service layer)
+    │  Challenge password validation, CSR validation, CN/SAN extraction, audit recording
+    ▼
+IssuerConnector (connector layer via IssuerConnectorAdapter)
+    │  Certificate signing (Local CA, step-ca, etc.)
+    ▼
+Signed certificate returned as PKCS#7 certs-only
+```
+
+**Wire format:** SCEP clients wrap CSRs in PKCS#7 SignedData envelopes. The handler parses the outer ASN.1 ContentInfo → SignedData → EncapsulatedContentInfo to extract the CSR bytes. Fallback paths handle base64-encoded PKCS#7 and raw CSR submissions (for simpler clients). Responses use PKCS#7 certs-only via the shared `internal/pkcs7` package (same as EST). Single certs are returned as raw DER for `GetCACert`, chains as PKCS#7.
+
+**Authentication:** SCEP uses challenge passwords embedded in CSR attributes (OID 1.2.840.113549.1.9.7) rather than TLS client certificates. The server validates the challenge password against `CERTCTL_SCEP_CHALLENGE_PASSWORD`. When no challenge password is configured, any value is accepted.
+
+**Interface:** The `SCEPHandler` defines an `SCEPService` interface (dependency inversion):
+
+```go
+type SCEPService interface {
+    GetCACaps(ctx context.Context) string
+    GetCACert(ctx context.Context) (string, error)
+    PKCSReq(ctx context.Context, csrPEM string, challengePassword string, transactionID string) (*domain.SCEPEnrollResult, error)
+}
+```
+
+**Shared PKCS#7 package:** Both EST and SCEP handlers share a common `internal/pkcs7` package for building PKCS#7 certs-only responses and PEM-to-DER chain conversion, eliminating code duplication between the two enrollment protocols.
+
+**Audit:** Every SCEP enrollment is recorded in the audit trail with `protocol: "SCEP"`, the CN, SANs, issuer ID, serial number, transaction ID, and optional profile ID.
+
 ## Security Model
 
 ### Private Key Management
@@ -782,7 +832,7 @@ All endpoints are under `/api/v1/` and follow consistent patterns:
 
 Resources: certificates, issuers, targets, agents, jobs, policies, profiles, teams, owners, agent-groups, audit, notifications, discovered-certificates, discovery-scans, network-scan-targets, stats, metrics.
 
-The full API is documented in an OpenAPI 3.1 specification at `api/openapi.yaml` with 99 endpoints across 23 resource domains (97 under `/api/v1/` + `/.well-known/est/` plus `/health` and `/ready`; includes auth, 7 discovery endpoints from M18b, 6 network scan endpoints from M21, Prometheus metrics from M22, 4 EST enrollment endpoints from M23, 2 digest endpoints from M29), all request/response schemas, and pagination conventions. See the [OpenAPI Guide](openapi.md) for usage with Swagger UI and SDK generation.
+The full API is documented in an OpenAPI 3.1 specification at `api/openapi.yaml` with 97 operations across `/api/v1/` and `/.well-known/est/` (includes auth, 7 discovery endpoints, 6 network scan endpoints, Prometheus metrics, 4 EST enrollment endpoints, 2 digest endpoints, 2 verification endpoints, 2 export endpoints), all request/response schemas, and pagination conventions. The server also registers `/health` and `/ready` outside the OpenAPI spec, bringing the total route count to 107. See the [OpenAPI Guide](openapi.md) for usage with Swagger UI and SDK generation.
 
 Jobs support additional action endpoints: `POST /api/v1/jobs/{id}/cancel`, `POST /api/v1/jobs/{id}/approve`, `POST /api/v1/jobs/{id}/reject`.
 
@@ -978,13 +1028,13 @@ certctl is extensively tested across eight layers with CI-enforced coverage gate
 
 **Frontend tests** (`web/src/api/`) — Vitest tests covering the full API client (all endpoint functions with fetch mocking), stats/metrics endpoints, utility functions, and auth flows. Test environment uses jsdom with `@testing-library/jest-dom` matchers.
 
-**Connector tests** (`internal/connector/`) — Issuer connectors (Local CA self-signed/sub-CA modes, ACME DNS-01/DNS-PERSIST-01, step-ca, OpenSSL, Vault PKI, DigiCert, Sectigo, Google CAS — all with httptest mock servers). Target connectors (NGINX, Apache, HAProxy, Traefik, Caddy, Envoy, IIS with mock PowerShell executor, F5 BIG-IP with mock iControl client, Postfix/Dovecot, SSH with mock SSH client). Notifier connectors (Slack, Teams, PagerDuty, OpsGenie).
+**Connector tests** (`internal/connector/`) — Issuer connectors (Local CA self-signed/sub-CA modes, ACME DNS-01/DNS-PERSIST-01, step-ca, OpenSSL, Vault PKI, DigiCert, Sectigo, Google CAS, AWS ACM PCA — all with httptest mock servers or injectable interface mocks). Target connectors (NGINX, Apache, HAProxy, Traefik, Caddy, Envoy, IIS with mock PowerShell executor, F5 BIG-IP with mock iControl client, Postfix/Dovecot, SSH with mock SSH client, Windows Certificate Store with mock PowerShell executor, Java Keystore with mock command executor, Kubernetes Secrets with mock K8s client, shared certutil package). Notifier connectors (Slack, Teams, PagerDuty, OpsGenie).
 
 **Scheduler tests** (`internal/scheduler/scheduler_test.go`) — Idempotency guards (`sync/atomic.Bool`), `WaitForCompletion` success and timeout paths, and multi-loop concurrency safety.
 
 **Fuzz tests** (`internal/validation/`, `internal/domain/`) — Go native fuzz tests for command validation (`ValidateShellCommand`, `ValidateDomainName`, `ValidateACMEToken`) and revocation domain parsing.
 
-**CI pipeline** (`.github/workflows/ci.yml`) — Two parallel jobs. Go: build, vet, `go test -race`, `golangci-lint` (11 linters), `govulncheck`, test with coverage, per-layer coverage threshold enforcement (service 60%, handler 60%, domain 40%, middleware 50%). Frontend: TypeScript type check, Vitest, Vite production build.
+**CI pipeline** (`.github/workflows/ci.yml`) — Two parallel jobs. Go: build, vet, `go test -race`, `golangci-lint` (11 linters), `govulncheck`, test with coverage, per-layer coverage threshold enforcement (service 55%, handler 60%, domain 40%, middleware 30%). Frontend: TypeScript type check, Vitest, Vite production build.
 
 For detailed test procedures, smoke tests, and the release sign-off checklist, see the [Testing Guide](testing-guide.md). For setting up the Docker Compose test environment with real CA backends, see [Test Environment](test-env.md).
 

docs/connectors.md

@@ -61,8 +61,8 @@ Connectors extend certctl to integrate with external systems for certificate iss
 
 Three types of connectors:
 
-1. **Issuer Connector** — Obtains certificates from CAs (Local CA with sub-CA support, ACME with HTTP-01 + DNS-01 + DNS-PERSIST-01, step-ca, OpenSSL/Custom CA, Vault PKI, DigiCert implemented; additional CA integrations planned)
-2. **Target Connector** — Deploys certificates to infrastructure (NGINX, Apache httpd, HAProxy, Traefik, Caddy, Envoy, Postfix, Dovecot, IIS, F5, SSH implemented; additional cloud and network targets planned)
+1. **Issuer Connector** — Obtains certificates from CAs. 9 built-in: Local CA (self-signed + sub-CA), ACME v2 (HTTP-01, DNS-01, DNS-PERSIST-01, ARI, EAB, profile selection), step-ca, OpenSSL/Custom CA, Vault PKI, DigiCert CertCentral, Sectigo SCM, Google CAS, AWS ACM Private CA
+2. **Target Connector** — Deploys certificates to infrastructure. 14 built-in: NGINX, Apache httpd, HAProxy, Traefik, Caddy, Envoy, Postfix, Dovecot, IIS (local + WinRM), F5 BIG-IP (proxy agent), SSH (agentless), Windows Certificate Store, Java Keystore, Kubernetes Secrets
 3. **Notifier Connector** — Sends alerts about certificate events (Email, Webhooks, Slack, Microsoft Teams, PagerDuty, OpsGenie implemented)
 
 All connectors accept JSON configuration at initialization, support config validation, and are registered in the service layer. Issuer connectors run on the control plane; target connectors run on agents. For network appliances where agents can't be installed, a **proxy agent** in the same network zone handles deployment — the server never initiates outbound connections.
@@ -314,16 +314,16 @@ Each issuer handles revocation differently:
 - **step-ca**: Calls step-ca's `/revoke` API endpoint. Clients should check step-ca's own CRL/OCSP for authoritative status.
 - **OpenSSL/Custom CA**: Invokes the configured revoke script (`CERTCTL_OPENSSL_REVOKE_SCRIPT`) with the serial number as an argument.
 
-### EST Integration (GetCACertPEM)
+### EST/SCEP Integration (GetCACertPEM)
 
-The `GetCACertPEM()` method returns the PEM-encoded CA certificate chain, used by the EST server's `/.well-known/est/cacerts` endpoint (RFC 7030) to distribute the CA chain to enrolling devices. Each issuer handles this differently:
+The `GetCACertPEM()` method returns the PEM-encoded CA certificate chain, used by both the EST server's `/.well-known/est/cacerts` endpoint (RFC 7030) and the SCEP server's `GetCACert` operation (RFC 8894) to distribute the CA chain to enrolling devices. Each issuer handles this differently:
 
-- **Local CA**: Returns the CA certificate PEM (self-signed or sub-CA cert). This is the primary EST issuer.
+- **Local CA**: Returns the CA certificate PEM (self-signed or sub-CA cert). This is the primary EST/SCEP issuer.
 - **ACME**: Returns error — ACME CAs provide chains per-issuance, not statically.
 - **step-ca**: Returns error — step-ca serves its own `/root` endpoint for CA distribution.
 - **OpenSSL/Custom CA**: Returns error — custom script-based CAs have no CA cert access through certctl.
 
-Note: EST (Enrollment over Secure Transport) is not a connector — it's a protocol handler (`internal/api/handler/est.go`) that delegates certificate issuance to whichever issuer connector is configured via `CERTCTL_EST_ISSUER_ID`. See the [Architecture Guide](architecture.md#est-server-rfc-7030) for details.
+Note: EST and SCEP are not connectors — they are protocol handlers (`internal/api/handler/est.go` and `internal/api/handler/scep.go`) that delegate certificate issuance to whichever issuer connector is configured via `CERTCTL_EST_ISSUER_ID` or `CERTCTL_SCEP_ISSUER_ID`. Both share a common `internal/pkcs7` package for PKCS#7 response encoding. See the [Architecture Guide](architecture.md#est-server-rfc-7030) for details.
 
 ### Built-in: Vault PKI
 
@@ -428,18 +428,19 @@ AWS Certificate Manager Private Certificate Authority — managed private CA on
 
 Location: `internal/connector/issuer/awsacmpca/awsacmpca.go`
 
-### Coming in V2.2+
+### Planned Issuers
 
 The following issuer connectors are planned for future releases:
 
-- **Entrust** — Enterprise CA via Entrust API
-- **AWS ACM Private CA** — AWS-managed private CA
+- **Entrust** — Enterprise CA via Entrust Certificate Services mTLS API
+- **GlobalSign** — GlobalSign Atlas HVCA REST API with mTLS + API key auth
+- **EJBCA** — Keyfactor EJBCA REST API with mTLS or OAuth2 auth
 
 Note: ADCS (Active Directory Certificate Services) integration is handled via the **sub-CA mode** of the Local CA issuer, not as a separate connector. certctl operates as a subordinate CA with its signing certificate issued by ADCS, so all certctl-issued certs chain to the enterprise ADCS root. See the Local CA section above.
 
 ### Building a Custom Issuer
 
-Here's the structure for a HashiCorp Vault PKI issuer:
+Here's a simplified example showing the connector pattern (using a hypothetical Vault-like CA):
 
 ```go
 package vault
@@ -962,9 +963,7 @@ The Java Keystore connector deploys certificates to JKS or PKCS#12 keystores via
 
 Location: `internal/connector/target/javakeystore/javakeystore.go`
 
-### Kubernetes Secrets (Coming in 2.1)
-
-> **Status:** Config validation, tests, UI, and Helm RBAC are implemented. The Kubernetes API client (`k8s.io/client-go`) integration is not yet wired — runtime deployment will be available in v2.1.0.
+### Kubernetes Secrets
 
 The Kubernetes Secrets connector deploys certificates as `kubernetes.io/tls` Secrets, compatible with Ingress controllers (nginx-ingress, Traefik, HAProxy), service meshes (Istio, Linkerd), and any Kubernetes workload that reads TLS Secrets.
 

internal/api/handler/est.go

@@ -12,6 +12,7 @@ import (
 
 	"github.com/shankar0123/certctl/internal/api/middleware"
 	"github.com/shankar0123/certctl/internal/domain"
+	"github.com/shankar0123/certctl/internal/pkcs7"
 )
 
 // ESTService defines the service interface for EST enrollment operations.
@@ -67,7 +68,7 @@ func (h ESTHandler) CACerts(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Parse PEM to DER for PKCS#7 encoding
-	derCerts, err := pemToDERChain(caCertPEM)
+	derCerts, err := pkcs7.PEMToDERChain(caCertPEM)
 	if err != nil {
 		requestID := middleware.GetRequestID(r.Context())
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to encode CA certificates", requestID)
@@ -75,7 +76,7 @@ func (h ESTHandler) CACerts(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Build a simple PKCS#7 SignedData (certs-only, degenerate) structure
-	pkcs7Data, err := buildCertsOnlyPKCS7(derCerts)
+	pkcs7Data, err := pkcs7.BuildCertsOnlyPKCS7(derCerts)
 	if err != nil {
 		requestID := middleware.GetRequestID(r.Context())
 		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to build PKCS#7 response", requestID)
@@ -237,7 +238,7 @@ func (h ESTHandler) writeCertResponse(w http.ResponseWriter, result *domain.ESTE
 	var derCerts [][]byte
 
 	// Add the issued certificate
-	certDER, err := pemToDERChain(result.CertPEM)
+	certDER, err := pkcs7.PEMToDERChain(result.CertPEM)
 	if err != nil || len(certDER) == 0 {
 		http.Error(w, "Failed to encode certificate", http.StatusInternalServerError)
 		return
@@ -246,14 +247,14 @@ func (h ESTHandler) writeCertResponse(w http.ResponseWriter, result *domain.ESTE
 
 	// Add the CA chain if present
 	if result.ChainPEM != "" {
-		chainDER, err := pemToDERChain(result.ChainPEM)
+		chainDER, err := pkcs7.PEMToDERChain(result.ChainPEM)
 		if err == nil {
 			derCerts = append(derCerts, chainDER...)
 		}
 	}
 
 	// Build PKCS#7 certs-only
-	pkcs7Data, err := buildCertsOnlyPKCS7(derCerts)
+	pkcs7Data, err := pkcs7.BuildCertsOnlyPKCS7(derCerts)
 	if err != nil {
 		http.Error(w, "Failed to build PKCS#7 response", http.StatusInternalServerError)
 		return
@@ -273,132 +274,5 @@ func (h ESTHandler) writeCertResponse(w http.ResponseWriter, result *domain.ESTE
 	}
 }
 
-// pemToDERChain converts PEM-encoded certificates to a slice of DER-encoded certificates.
-func pemToDERChain(pemData string) ([][]byte, error) {
-	var derCerts [][]byte
-	rest := []byte(pemData)
-	for {
-		var block *pem.Block
-		block, rest = pem.Decode(rest)
-		if block == nil {
-			break
-		}
-		if block.Type == "CERTIFICATE" {
-			derCerts = append(derCerts, block.Bytes)
-		}
-	}
-	if len(derCerts) == 0 {
-		return nil, fmt.Errorf("no certificates found in PEM data")
-	}
-	return derCerts, nil
-}
-
-// buildCertsOnlyPKCS7 creates a degenerate PKCS#7 SignedData structure containing only certificates.
-// This is the "certs-only" format specified in RFC 7030 Section 4.1.3 for /cacerts responses
-// and enrollment responses.
-//
-// ASN.1 structure (simplified):
-//
-//	ContentInfo {
-//	  contentType: signedData (1.2.840.113549.1.7.2)
-//	  content: SignedData {
-//	    version: 1
-//	    digestAlgorithms: {} (empty)
-//	    encapContentInfo: { contentType: data (1.2.840.113549.1.7.1) }
-//	    certificates: [cert1, cert2, ...]
-//	    signerInfos: {} (empty)
-//	  }
-//	}
-func buildCertsOnlyPKCS7(derCerts [][]byte) ([]byte, error) {
-	// We build the ASN.1 manually to avoid pulling in a PKCS#7 library.
-	// This is a well-defined, static structure — no signing needed.
-
-	// OID for signedData: 1.2.840.113549.1.7.2
-	oidSignedData := []byte{0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02}
-	// OID for data: 1.2.840.113549.1.7.1
-	oidData := []byte{0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01}
-
-	// Build certificates [0] IMPLICIT SET OF Certificate
-	var certsContent []byte
-	for _, cert := range derCerts {
-		certsContent = append(certsContent, cert...)
-	}
-	certsField := asn1WrapImplicit(0, certsContent)
-
-	// Build encapContentInfo: SEQUENCE { OID data }
-	encapContentInfo := asn1WrapSequence(oidData)
-
-	// Build digestAlgorithms: SET {} (empty)
-	digestAlgorithms := asn1WrapSet(nil)
-
-	// Build signerInfos: SET {} (empty)
-	signerInfos := asn1WrapSet(nil)
-
-	// Version: INTEGER 1
-	version := []byte{0x02, 0x01, 0x01}
-
-	// Build SignedData SEQUENCE
-	var signedDataContent []byte
-	signedDataContent = append(signedDataContent, version...)
-	signedDataContent = append(signedDataContent, digestAlgorithms...)
-	signedDataContent = append(signedDataContent, encapContentInfo...)
-	signedDataContent = append(signedDataContent, certsField...)
-	signedDataContent = append(signedDataContent, signerInfos...)
-	signedData := asn1WrapSequence(signedDataContent)
-
-	// Wrap in [0] EXPLICIT for ContentInfo.content
-	contentField := asn1WrapExplicit(0, signedData)
-
-	// Build ContentInfo SEQUENCE
-	var contentInfoContent []byte
-	contentInfoContent = append(contentInfoContent, oidSignedData...)
-	contentInfoContent = append(contentInfoContent, contentField...)
-	contentInfo := asn1WrapSequence(contentInfoContent)
-
-	return contentInfo, nil
-}
-
-// asn1WrapSequence wraps content in an ASN.1 SEQUENCE tag (0x30).
-func asn1WrapSequence(content []byte) []byte {
-	return asn1Wrap(0x30, content)
-}
-
-// asn1WrapSet wraps content in an ASN.1 SET tag (0x31).
-func asn1WrapSet(content []byte) []byte {
-	return asn1Wrap(0x31, content)
-}
-
-// asn1WrapExplicit wraps content in an ASN.1 context-specific EXPLICIT tag.
-func asn1WrapExplicit(tag int, content []byte) []byte {
-	return asn1Wrap(byte(0xa0|tag), content)
-}
-
-// asn1WrapImplicit wraps content in an ASN.1 context-specific IMPLICIT CONSTRUCTED tag.
-func asn1WrapImplicit(tag int, content []byte) []byte {
-	return asn1Wrap(byte(0xa0|tag), content)
-}
-
-// asn1Wrap wraps content with an ASN.1 tag and length.
-func asn1Wrap(tag byte, content []byte) []byte {
-	length := len(content)
-	var result []byte
-	result = append(result, tag)
-	result = append(result, asn1EncodeLength(length)...)
-	result = append(result, content...)
-	return result
-}
-
-// asn1EncodeLength encodes a length in ASN.1 DER format.
-func asn1EncodeLength(length int) []byte {
-	if length < 0x80 {
-		return []byte{byte(length)}
-	}
-	// Long form
-	var lengthBytes []byte
-	l := length
-	for l > 0 {
-		lengthBytes = append([]byte{byte(l & 0xff)}, lengthBytes...)
-		l >>= 8
-	}
-	return append([]byte{byte(0x80 | len(lengthBytes))}, lengthBytes...)
-}
+// NOTE: PKCS#7 helpers (BuildCertsOnlyPKCS7, PEMToDERChain, ASN.1 wrappers)
+// are in the shared internal/pkcs7 package, used by both EST and SCEP handlers.

internal/api/handler/est_handler_test.go

@@ -18,6 +18,7 @@ import (
 	"time"
 
 	"github.com/shankar0123/certctl/internal/domain"
+	"github.com/shankar0123/certctl/internal/pkcs7"
 )
 
 // mockESTService implements ESTService for testing.
@@ -338,12 +339,12 @@ func TestESTCSRAttrs_MethodNotAllowed(t *testing.T) {
 	}
 }
 
-func TestBuildCertsOnlyPKCS7(t *testing.T) {
-	// Test with a dummy DER certificate
+func TestBuildCertsOnlyPKCS7_ViaSharedPackage(t *testing.T) {
+	// Test with a dummy DER certificate via shared pkcs7 package
 	dummyCert := []byte{0x30, 0x82, 0x01, 0x00} // minimal ASN.1 SEQUENCE
-	result, err := buildCertsOnlyPKCS7([][]byte{dummyCert})
+	result, err := pkcs7.BuildCertsOnlyPKCS7([][]byte{dummyCert})
 	if err != nil {
-		t.Fatalf("buildCertsOnlyPKCS7 failed: %v", err)
+		t.Fatalf("BuildCertsOnlyPKCS7 failed: %v", err)
 	}
 	if len(result) == 0 {
 		t.Error("expected non-empty PKCS#7 output")
@@ -354,49 +355,24 @@ func TestBuildCertsOnlyPKCS7(t *testing.T) {
 	}
 }
 
-func TestPemToDERChain(t *testing.T) {
+func TestPemToDERChain_ViaSharedPackage(t *testing.T) {
 	pemData := generateTestCertPEM(t)
-	certs, err := pemToDERChain(pemData)
+	certs, err := pkcs7.PEMToDERChain(pemData)
 	if err != nil {
-		t.Fatalf("pemToDERChain failed: %v", err)
+		t.Fatalf("PEMToDERChain failed: %v", err)
 	}
 	if len(certs) != 1 {
 		t.Errorf("expected 1 cert, got %d", len(certs))
 	}
 }
 
-func TestPemToDERChain_NoCerts(t *testing.T) {
-	_, err := pemToDERChain("not a PEM")
+func TestPemToDERChain_NoCerts_ViaSharedPackage(t *testing.T) {
+	_, err := pkcs7.PEMToDERChain("not a PEM")
 	if err == nil {
 		t.Error("expected error for invalid PEM")
 	}
 }
 
-func TestASN1EncodeLength(t *testing.T) {
-	tests := []struct {
-		length   int
-		expected []byte
-	}{
-		{0, []byte{0x00}},
-		{1, []byte{0x01}},
-		{127, []byte{0x7f}},
-		{128, []byte{0x81, 0x80}},
-		{256, []byte{0x82, 0x01, 0x00}},
-	}
-	for _, tt := range tests {
-		result := asn1EncodeLength(tt.length)
-		if len(result) != len(tt.expected) {
-			t.Errorf("asn1EncodeLength(%d): expected %d bytes, got %d", tt.length, len(tt.expected), len(result))
-			continue
-		}
-		for i := range result {
-			if result[i] != tt.expected[i] {
-				t.Errorf("asn1EncodeLength(%d): byte %d: expected 0x%02x, got 0x%02x", tt.length, i, tt.expected[i], result[i])
-			}
-		}
-	}
-}
-
 func TestESTCSRAttrs_ServiceError(t *testing.T) {
 	svc := &mockESTService{
 		CSRAttrsErr: errors.New("service error"),

internal/api/handler/scep.go

@@ -0,0 +1,353 @@
+package handler
+
+import (
+	"context"
+	"crypto/x509"
+	"encoding/asn1"
+	"encoding/base64"
+	"encoding/pem"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+
+	"github.com/shankar0123/certctl/internal/api/middleware"
+	"github.com/shankar0123/certctl/internal/domain"
+	"github.com/shankar0123/certctl/internal/pkcs7"
+)
+
+// SCEPService defines the service interface for SCEP enrollment operations.
+// SCEP (RFC 8894) is a protocol for certificate enrollment used by MDM platforms
+// and network devices.
+type SCEPService interface {
+	// GetCACaps returns the SCEP server capabilities as a newline-separated string.
+	GetCACaps(ctx context.Context) string
+
+	// GetCACert returns the PEM-encoded CA certificate chain.
+	GetCACert(ctx context.Context) (string, error)
+
+	// PKCSReq processes a PKCS#10 CSR and returns a signed certificate.
+	PKCSReq(ctx context.Context, csrPEM string, challengePassword string, transactionID string) (*domain.SCEPEnrollResult, error)
+}
+
+// SCEPHandler handles HTTP requests for the SCEP protocol (RFC 8894).
+//
+// SCEP uses a single endpoint with operation-based dispatch via query parameters.
+// All operations use GET or POST to the same path.
+//
+// Supported operations:
+//   - GET  ?operation=GetCACaps    — server capabilities
+//   - GET  ?operation=GetCACert    — CA certificate distribution
+//   - POST ?operation=PKIOperation — certificate enrollment (PKCSReq)
+type SCEPHandler struct {
+	svc SCEPService
+}
+
+// NewSCEPHandler creates a new SCEPHandler.
+func NewSCEPHandler(svc SCEPService) SCEPHandler {
+	return SCEPHandler{svc: svc}
+}
+
+// HandleSCEP is the single entry point for all SCEP operations.
+// It dispatches based on the "operation" query parameter.
+func (h SCEPHandler) HandleSCEP(w http.ResponseWriter, r *http.Request) {
+	operation := r.URL.Query().Get("operation")
+
+	switch operation {
+	case "GetCACaps":
+		h.getCACaps(w, r)
+	case "GetCACert":
+		h.getCACert(w, r)
+	case "PKIOperation":
+		h.pkiOperation(w, r)
+	default:
+		http.Error(w, fmt.Sprintf("Unknown SCEP operation: %s", operation), http.StatusBadRequest)
+	}
+}
+
+// getCACaps handles GET ?operation=GetCACaps
+// Returns the SCEP server capabilities as plaintext, one per line.
+func (h SCEPHandler) getCACaps(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	caps := h.svc.GetCACaps(r.Context())
+	w.Header().Set("Content-Type", "text/plain")
+	w.WriteHeader(http.StatusOK)
+	w.Write([]byte(caps))
+}
+
+// getCACert handles GET ?operation=GetCACert
+// Returns the CA certificate(s). Single cert as DER, chain as PKCS#7.
+func (h SCEPHandler) getCACert(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	caCertPEM, err := h.svc.GetCACert(r.Context())
+	if err != nil {
+		requestID := middleware.GetRequestID(r.Context())
+		ErrorWithRequestID(w, http.StatusInternalServerError, fmt.Sprintf("Failed to get CA certificate: %v", err), requestID)
+		return
+	}
+
+	// Parse PEM to DER chain
+	derCerts, err := pkcs7.PEMToDERChain(caCertPEM)
+	if err != nil {
+		requestID := middleware.GetRequestID(r.Context())
+		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to parse CA certificates", requestID)
+		return
+	}
+
+	if len(derCerts) == 1 {
+		// Single CA cert — return as raw DER
+		w.Header().Set("Content-Type", "application/x-x509-ca-cert")
+		w.WriteHeader(http.StatusOK)
+		w.Write(derCerts[0])
+		return
+	}
+
+	// Multiple certs (CA + RA or chain) — return as PKCS#7
+	pkcs7Data, err := pkcs7.BuildCertsOnlyPKCS7(derCerts)
+	if err != nil {
+		requestID := middleware.GetRequestID(r.Context())
+		ErrorWithRequestID(w, http.StatusInternalServerError, "Failed to build PKCS#7 response", requestID)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/x-x509-ca-ra-cert")
+	w.WriteHeader(http.StatusOK)
+	w.Write(pkcs7Data)
+}
+
+// pkiOperation handles POST ?operation=PKIOperation
+// Processes a SCEP enrollment request containing a PKCS#7-wrapped CSR.
+func (h SCEPHandler) pkiOperation(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	requestID := middleware.GetRequestID(r.Context())
+
+	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20)) // 1MB limit
+	if err != nil {
+		ErrorWithRequestID(w, http.StatusBadRequest, "Failed to read request body", requestID)
+		return
+	}
+	defer r.Body.Close()
+
+	if len(body) == 0 {
+		ErrorWithRequestID(w, http.StatusBadRequest, "Empty request body", requestID)
+		return
+	}
+
+	// Extract the PKCS#10 CSR from the PKCS#7 SignedData envelope
+	csrDER, challengePassword, transactionID, err := extractCSRFromPKCS7(body)
+	if err != nil {
+		ErrorWithRequestID(w, http.StatusBadRequest, fmt.Sprintf("Invalid SCEP message: %v", err), requestID)
+		return
+	}
+
+	// Validate the CSR
+	csr, err := x509.ParseCertificateRequest(csrDER)
+	if err != nil {
+		ErrorWithRequestID(w, http.StatusBadRequest, fmt.Sprintf("Invalid CSR: %v", err), requestID)
+		return
+	}
+	if err := csr.CheckSignature(); err != nil {
+		ErrorWithRequestID(w, http.StatusBadRequest, fmt.Sprintf("CSR signature invalid: %v", err), requestID)
+		return
+	}
+
+	// Convert DER CSR to PEM for the service layer
+	csrPEM := string(pem.EncodeToMemory(&pem.Block{
+		Type:  "CERTIFICATE REQUEST",
+		Bytes: csrDER,
+	}))
+
+	result, err := h.svc.PKCSReq(r.Context(), csrPEM, challengePassword, transactionID)
+	if err != nil {
+		if strings.Contains(err.Error(), "challenge password") {
+			ErrorWithRequestID(w, http.StatusForbidden, "Invalid challenge password", requestID)
+			return
+		}
+		ErrorWithRequestID(w, http.StatusInternalServerError, fmt.Sprintf("Enrollment failed: %v", err), requestID)
+		return
+	}
+
+	// Build response: issued cert wrapped in PKCS#7 certs-only
+	h.writeSCEPResponse(w, result)
+}
+
+// writeSCEPResponse writes a SCEP enrollment response as PKCS#7 certs-only (DER).
+func (h SCEPHandler) writeSCEPResponse(w http.ResponseWriter, result *domain.SCEPEnrollResult) {
+	var derCerts [][]byte
+
+	certDER, err := pkcs7.PEMToDERChain(result.CertPEM)
+	if err != nil || len(certDER) == 0 {
+		http.Error(w, "Failed to encode certificate", http.StatusInternalServerError)
+		return
+	}
+	derCerts = append(derCerts, certDER...)
+
+	if result.ChainPEM != "" {
+		chainDER, err := pkcs7.PEMToDERChain(result.ChainPEM)
+		if err == nil {
+			derCerts = append(derCerts, chainDER...)
+		}
+	}
+
+	pkcs7Data, err := pkcs7.BuildCertsOnlyPKCS7(derCerts)
+	if err != nil {
+		http.Error(w, "Failed to build PKCS#7 response", http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/x-pki-message")
+	w.WriteHeader(http.StatusOK)
+	w.Write(pkcs7Data)
+}
+
+// extractCSRFromPKCS7 extracts a PKCS#10 CSR from a SCEP PKCS#7 SignedData envelope.
+//
+// SCEP clients wrap the CSR in a PKCS#7 SignedData structure. For the MVP, we parse
+// the outer ASN.1 structure to find the encapsulated content (the CSR bytes), and
+// extract the challenge password from the CSR attributes.
+//
+// Returns: csrDER, challengePassword, transactionID, error
+func extractCSRFromPKCS7(data []byte) ([]byte, string, string, error) {
+	// Try to decode as PKCS#7 SignedData
+	csrDER, err := parseSignedDataForCSR(data)
+	if err != nil {
+		// Fallback: some clients send the CSR directly (not wrapped in PKCS#7)
+		// or send base64-encoded data
+		decoded, decErr := base64.StdEncoding.DecodeString(strings.TrimSpace(string(data)))
+		if decErr == nil {
+			// Try the decoded data as PKCS#7
+			csrDER2, err2 := parseSignedDataForCSR(decoded)
+			if err2 == nil {
+				return extractCSRFields(csrDER2)
+			}
+			// Maybe the decoded data IS the CSR directly
+			if _, parseErr := x509.ParseCertificateRequest(decoded); parseErr == nil {
+				return extractCSRFields(decoded)
+			}
+		}
+		// Maybe the raw data IS the CSR directly (no PKCS#7 wrapping)
+		if _, parseErr := x509.ParseCertificateRequest(data); parseErr == nil {
+			return extractCSRFields(data)
+		}
+		return nil, "", "", fmt.Errorf("failed to extract CSR from PKCS#7: %w", err)
+	}
+	return extractCSRFields(csrDER)
+}
+
+// extractCSRFields extracts the challenge password and transaction ID from CSR attributes.
+func extractCSRFields(csrDER []byte) ([]byte, string, string, error) {
+	csr, err := x509.ParseCertificateRequest(csrDER)
+	if err != nil {
+		return nil, "", "", fmt.Errorf("invalid CSR: %w", err)
+	}
+
+	challengePassword := ""
+	transactionID := ""
+
+	// OID for challengePassword: 1.2.840.113549.1.9.7
+	oidChallengePassword := asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 7}
+
+	// Extract challenge password from parsed CSR attributes.
+	// Attributes is []pkix.AttributeTypeAndValueSET where each has Type (OID)
+	// and Value ([][]pkix.AttributeTypeAndValue). The challenge password value
+	// is stored as a string in the inner AttributeTypeAndValue.Value field.
+	for _, attr := range csr.Attributes {
+		if attr.Type.Equal(oidChallengePassword) {
+			if len(attr.Value) > 0 && len(attr.Value[0]) > 0 {
+				if pwd, ok := attr.Value[0][0].Value.(string); ok {
+					challengePassword = pwd
+				}
+			}
+		}
+	}
+
+	// Use CN as fallback transaction ID if not found in attributes
+	if transactionID == "" && csr.Subject.CommonName != "" {
+		transactionID = csr.Subject.CommonName
+	}
+
+	return csrDER, challengePassword, transactionID, nil
+}
+
+// pkcs7ContentInfo represents the outer ContentInfo structure.
+type pkcs7ContentInfo struct {
+	ContentType asn1.ObjectIdentifier
+	Content     asn1.RawValue `asn1:"explicit,tag:0"`
+}
+
+// pkcs7SignedData represents a simplified SignedData structure for CSR extraction.
+type pkcs7SignedData struct {
+	Version          int
+	DigestAlgorithms asn1.RawValue
+	EncapContentInfo asn1.RawValue
+}
+
+// pkcs7EncapContent represents the EncapsulatedContentInfo.
+type pkcs7EncapContent struct {
+	ContentType asn1.ObjectIdentifier
+	Content     asn1.RawValue `asn1:"explicit,optional,tag:0"`
+}
+
+// parseSignedDataForCSR extracts the encapsulated content (CSR) from PKCS#7 SignedData.
+func parseSignedDataForCSR(data []byte) ([]byte, error) {
+	var contentInfo pkcs7ContentInfo
+	rest, err := asn1.Unmarshal(data, &contentInfo)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse ContentInfo: %w", err)
+	}
+	if len(rest) > 0 {
+		// Trailing data is OK for some implementations
+	}
+
+	// OID for signedData: 1.2.840.113549.1.7.2
+	oidSignedData := asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 2}
+	if !contentInfo.ContentType.Equal(oidSignedData) {
+		return nil, fmt.Errorf("not SignedData: got OID %v", contentInfo.ContentType)
+	}
+
+	// Parse the SignedData
+	var signedData pkcs7SignedData
+	_, err = asn1.Unmarshal(contentInfo.Content.Bytes, &signedData)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse SignedData: %w", err)
+	}
+
+	// Parse the EncapsulatedContentInfo to get the CSR
+	var encapContent pkcs7EncapContent
+	_, err = asn1.Unmarshal(signedData.EncapContentInfo.FullBytes, &encapContent)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse EncapsulatedContentInfo: %w", err)
+	}
+
+	if len(encapContent.Content.Bytes) == 0 {
+		return nil, fmt.Errorf("empty encapsulated content")
+	}
+
+	// The content may be wrapped in an OCTET STRING
+	var csrBytes []byte
+	var octetString asn1.RawValue
+	if _, err := asn1.Unmarshal(encapContent.Content.Bytes, &octetString); err == nil && octetString.Tag == asn1.TagOctetString {
+		csrBytes = octetString.Bytes
+	} else {
+		csrBytes = encapContent.Content.Bytes
+	}
+
+	// Validate it's a parseable CSR
+	if _, err := x509.ParseCertificateRequest(csrBytes); err != nil {
+		return nil, fmt.Errorf("extracted content is not a valid CSR: %w", err)
+	}
+
+	return csrBytes, nil
+}

internal/api/handler/scep_handler_test.go

@@ -0,0 +1,262 @@
+package handler
+
+import (
+	"context"
+	"encoding/pem"
+	"errors"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/shankar0123/certctl/internal/domain"
+)
+
+// mockSCEPService implements SCEPService for testing.
+type mockSCEPService struct {
+	CACaps       string
+	CACertPEM    string
+	CACertErr    error
+	EnrollResult *domain.SCEPEnrollResult
+	EnrollErr    error
+}
+
+func (m *mockSCEPService) GetCACaps(ctx context.Context) string {
+	if m.CACaps != "" {
+		return m.CACaps
+	}
+	return "POSTPKIOperation\nSHA-256\nAES\nSCEPStandard\n"
+}
+
+func (m *mockSCEPService) GetCACert(ctx context.Context) (string, error) {
+	return m.CACertPEM, m.CACertErr
+}
+
+func (m *mockSCEPService) PKCSReq(ctx context.Context, csrPEM string, challengePassword string, transactionID string) (*domain.SCEPEnrollResult, error) {
+	return m.EnrollResult, m.EnrollErr
+}
+
+func TestSCEP_GetCACaps_Success(t *testing.T) {
+	svc := &mockSCEPService{}
+	h := NewSCEPHandler(svc)
+
+	req := httptest.NewRequest(http.MethodGet, "/scep?operation=GetCACaps", nil)
+	w := httptest.NewRecorder()
+	h.HandleSCEP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	ct := w.Header().Get("Content-Type")
+	if ct != "text/plain" {
+		t.Errorf("expected text/plain, got %s", ct)
+	}
+	body := w.Body.String()
+	if !strings.Contains(body, "POSTPKIOperation") {
+		t.Errorf("expected POSTPKIOperation in response, got: %s", body)
+	}
+	if !strings.Contains(body, "SHA-256") {
+		t.Errorf("expected SHA-256 in response, got: %s", body)
+	}
+}
+
+func TestSCEP_GetCACaps_MethodNotAllowed(t *testing.T) {
+	svc := &mockSCEPService{}
+	h := NewSCEPHandler(svc)
+
+	req := httptest.NewRequest(http.MethodPost, "/scep?operation=GetCACaps", nil)
+	w := httptest.NewRecorder()
+	h.HandleSCEP(w, req)
+
+	if w.Code != http.StatusMethodNotAllowed {
+		t.Errorf("expected 405, got %d", w.Code)
+	}
+}
+
+func TestSCEP_GetCACert_Success_SingleCert(t *testing.T) {
+	certPEM := generateTestCertPEM(t)
+	svc := &mockSCEPService{
+		CACertPEM: certPEM,
+	}
+	h := NewSCEPHandler(svc)
+
+	req := httptest.NewRequest(http.MethodGet, "/scep?operation=GetCACert", nil)
+	w := httptest.NewRecorder()
+	h.HandleSCEP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	ct := w.Header().Get("Content-Type")
+	if ct != "application/x-x509-ca-cert" {
+		t.Errorf("expected application/x-x509-ca-cert, got %s", ct)
+	}
+	if w.Body.Len() == 0 {
+		t.Error("expected non-empty body")
+	}
+}
+
+func TestSCEP_GetCACert_MethodNotAllowed(t *testing.T) {
+	svc := &mockSCEPService{}
+	h := NewSCEPHandler(svc)
+
+	req := httptest.NewRequest(http.MethodPost, "/scep?operation=GetCACert", nil)
+	w := httptest.NewRecorder()
+	h.HandleSCEP(w, req)
+
+	if w.Code != http.StatusMethodNotAllowed {
+		t.Errorf("expected 405, got %d", w.Code)
+	}
+}
+
+func TestSCEP_GetCACert_ServiceError(t *testing.T) {
+	svc := &mockSCEPService{
+		CACertErr: errors.New("CA unavailable"),
+	}
+	h := NewSCEPHandler(svc)
+
+	req := httptest.NewRequest(http.MethodGet, "/scep?operation=GetCACert", nil)
+	w := httptest.NewRecorder()
+	h.HandleSCEP(w, req)
+
+	if w.Code != http.StatusInternalServerError {
+		t.Errorf("expected 500, got %d", w.Code)
+	}
+}
+
+func TestSCEP_PKIOperation_MethodNotAllowed(t *testing.T) {
+	svc := &mockSCEPService{}
+	h := NewSCEPHandler(svc)
+
+	req := httptest.NewRequest(http.MethodGet, "/scep?operation=PKIOperation", nil)
+	w := httptest.NewRecorder()
+	h.HandleSCEP(w, req)
+
+	if w.Code != http.StatusMethodNotAllowed {
+		t.Errorf("expected 405, got %d", w.Code)
+	}
+}
+
+func TestSCEP_PKIOperation_EmptyBody(t *testing.T) {
+	svc := &mockSCEPService{}
+	h := NewSCEPHandler(svc)
+
+	req := httptest.NewRequest(http.MethodPost, "/scep?operation=PKIOperation", strings.NewReader(""))
+	w := httptest.NewRecorder()
+	h.HandleSCEP(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestSCEP_PKIOperation_InvalidBody(t *testing.T) {
+	svc := &mockSCEPService{}
+	h := NewSCEPHandler(svc)
+
+	req := httptest.NewRequest(http.MethodPost, "/scep?operation=PKIOperation", strings.NewReader("not-valid-asn1-or-csr"))
+	w := httptest.NewRecorder()
+	h.HandleSCEP(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestSCEP_PKIOperation_ServiceError(t *testing.T) {
+	svc := &mockSCEPService{
+		EnrollErr: errors.New("enrollment failed"),
+	}
+	h := NewSCEPHandler(svc)
+
+	// Generate a valid raw CSR DER to send as body (fallback path)
+	csrPEM := generateTestCSRPEM(t)
+	block, _ := pem.Decode([]byte(csrPEM))
+	if block == nil {
+		t.Fatal("failed to decode CSR PEM")
+	}
+
+	req := httptest.NewRequest(http.MethodPost, "/scep?operation=PKIOperation", strings.NewReader(string(block.Bytes)))
+	w := httptest.NewRecorder()
+	h.HandleSCEP(w, req)
+
+	if w.Code != http.StatusInternalServerError {
+		t.Errorf("expected 500, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestSCEP_PKIOperation_Success_RawCSR(t *testing.T) {
+	certPEM := generateTestCertPEM(t)
+	svc := &mockSCEPService{
+		EnrollResult: &domain.SCEPEnrollResult{
+			CertPEM:  certPEM,
+			ChainPEM: "",
+		},
+	}
+	h := NewSCEPHandler(svc)
+
+	csrPEM := generateTestCSRPEM(t)
+	block, _ := pem.Decode([]byte(csrPEM))
+	if block == nil {
+		t.Fatal("failed to decode CSR PEM")
+	}
+
+	req := httptest.NewRequest(http.MethodPost, "/scep?operation=PKIOperation", strings.NewReader(string(block.Bytes)))
+	w := httptest.NewRecorder()
+	h.HandleSCEP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d: %s", w.Code, w.Body.String())
+	}
+	ct := w.Header().Get("Content-Type")
+	if ct != "application/x-pki-message" {
+		t.Errorf("expected application/x-pki-message, got %s", ct)
+	}
+}
+
+func TestSCEP_PKIOperation_ChallengePasswordRejected(t *testing.T) {
+	svc := &mockSCEPService{
+		EnrollErr: errors.New("invalid challenge password"),
+	}
+	h := NewSCEPHandler(svc)
+
+	csrPEM := generateTestCSRPEM(t)
+	block, _ := pem.Decode([]byte(csrPEM))
+	if block == nil {
+		t.Fatal("failed to decode CSR PEM")
+	}
+
+	req := httptest.NewRequest(http.MethodPost, "/scep?operation=PKIOperation", strings.NewReader(string(block.Bytes)))
+	w := httptest.NewRecorder()
+	h.HandleSCEP(w, req)
+
+	if w.Code != http.StatusForbidden {
+		t.Errorf("expected 403, got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestSCEP_UnknownOperation(t *testing.T) {
+	svc := &mockSCEPService{}
+	h := NewSCEPHandler(svc)
+
+	req := httptest.NewRequest(http.MethodGet, "/scep?operation=UnknownOp", nil)
+	w := httptest.NewRecorder()
+	h.HandleSCEP(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}
+
+func TestSCEP_MissingOperation(t *testing.T) {
+	svc := &mockSCEPService{}
+	h := NewSCEPHandler(svc)
+
+	req := httptest.NewRequest(http.MethodGet, "/scep", nil)
+	w := httptest.NewRecorder()
+	h.HandleSCEP(w, req)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400, got %d", w.Code)
+	}
+}

internal/api/router/router.go

@@ -238,6 +238,15 @@ func (r *Router) RegisterESTHandlers(est handler.ESTHandler) {
 	r.Register("GET /.well-known/est/csrattrs", http.HandlerFunc(est.CSRAttrs))
 }
 
+// RegisterSCEPHandlers sets up SCEP (RFC 8894) routes.
+// SCEP uses a single endpoint with operation-based dispatch via query parameters.
+// Authentication is via challenge password in the CSR, not TLS client certs or API keys.
+func (r *Router) RegisterSCEPHandlers(scep handler.SCEPHandler) {
+	// SCEP uses a single path; the handler dispatches on ?operation= query param
+	r.Register("GET /scep", http.HandlerFunc(scep.HandleSCEP))
+	r.Register("POST /scep", http.HandlerFunc(scep.HandleSCEP))
+}
+
 // GetMux returns the underlying http.ServeMux for direct access if needed.
 func (r *Router) GetMux() *http.ServeMux {
 	return r.mux

internal/config/config.go

@@ -23,6 +23,7 @@ type Config struct {
 	Notifiers    NotifierConfig
 	NetworkScan  NetworkScanConfig
 	EST          ESTConfig
+	SCEP         SCEPConfig
 	Verification VerificationConfig
 	ACME         ACMEConfig
 	Vault        VaultConfig
@@ -417,6 +418,26 @@ type ESTConfig struct {
 	ProfileID string
 }
 
+// SCEPConfig controls the RFC 8894 Simple Certificate Enrollment Protocol server.
+type SCEPConfig struct {
+	// Enabled controls whether SCEP endpoints are available for device enrollment.
+	// Default: false (SCEP disabled). Set to true to enable SCEP endpoints under /scep/.
+	Enabled bool
+
+	// IssuerID selects which issuer connector processes SCEP certificate requests.
+	// Default: "iss-local". Must reference a configured issuer.
+	IssuerID string
+
+	// ProfileID optionally constrains SCEP enrollments to a specific certificate profile.
+	// Leave empty to allow SCEP to use any configured issuer's defaults.
+	ProfileID string
+
+	// ChallengePassword is the shared secret used to authenticate SCEP enrollment requests.
+	// Clients include this in the PKCS#10 CSR challengePassword attribute.
+	// Required when SCEP is enabled.
+	ChallengePassword string
+}
+
 // NetworkScanConfig controls the server-side active TLS scanner.
 type NetworkScanConfig struct {
 	Enabled      bool          // Enable network scanning (default false)
@@ -594,6 +615,12 @@ func Load() (*Config, error) {
 			IssuerID:  getEnv("CERTCTL_EST_ISSUER_ID", "iss-local"),
 			ProfileID: getEnv("CERTCTL_EST_PROFILE_ID", ""),
 		},
+		SCEP: SCEPConfig{
+			Enabled:           getEnvBool("CERTCTL_SCEP_ENABLED", false),
+			IssuerID:          getEnv("CERTCTL_SCEP_ISSUER_ID", "iss-local"),
+			ProfileID:         getEnv("CERTCTL_SCEP_PROFILE_ID", ""),
+			ChallengePassword: getEnv("CERTCTL_SCEP_CHALLENGE_PASSWORD", ""),
+		},
 		Verification: VerificationConfig{
 			Enabled: getEnvBool("CERTCTL_VERIFY_DEPLOYMENT", true),
 			Timeout: getEnvDuration("CERTCTL_VERIFY_TIMEOUT", 10*time.Second),

internal/domain/scep.go

@@ -0,0 +1,40 @@
+package domain
+
+// SCEPEnrollResult holds the result of a SCEP (RFC 8894) enrollment operation.
+type SCEPEnrollResult struct {
+	CertPEM  string `json:"cert_pem"`  // PEM-encoded signed certificate
+	ChainPEM string `json:"chain_pem"` // PEM-encoded CA chain
+}
+
+// SCEPMessageType identifies the type of SCEP PKI message.
+type SCEPMessageType int
+
+const (
+	// SCEPMessageTypePKCSReq is a PKCS#10 certificate request (initial enrollment).
+	SCEPMessageTypePKCSReq SCEPMessageType = 19
+	// SCEPMessageTypeGetCertInitial is a polling request for a pending certificate.
+	SCEPMessageTypeGetCertInitial SCEPMessageType = 20
+)
+
+// SCEPPKIStatus represents the status of a SCEP PKI operation.
+type SCEPPKIStatus string
+
+const (
+	// SCEPStatusSuccess indicates the request was granted.
+	SCEPStatusSuccess SCEPPKIStatus = "0"
+	// SCEPStatusFailure indicates the request was rejected.
+	SCEPStatusFailure SCEPPKIStatus = "2"
+	// SCEPStatusPending indicates the request is pending manual approval.
+	SCEPStatusPending SCEPPKIStatus = "3"
+)
+
+// SCEPFailInfo represents the reason for a SCEP failure.
+type SCEPFailInfo string
+
+const (
+	SCEPFailBadAlg       SCEPFailInfo = "0" // Unrecognized or unsupported algorithm
+	SCEPFailBadMessageCheck SCEPFailInfo = "1" // Integrity check failed
+	SCEPFailBadRequest   SCEPFailInfo = "2" // Transaction not permitted or supported
+	SCEPFailBadTime      SCEPFailInfo = "3" // Message time field was not sufficiently close to system time
+	SCEPFailBadCertID    SCEPFailInfo = "4" // No certificate could be identified matching the provided criteria
+)

internal/pkcs7/pkcs7.go

@@ -0,0 +1,136 @@
+// Package pkcs7 provides ASN.1 helpers for building PKCS#7 structures.
+// Used by EST (RFC 7030) and SCEP (RFC 8894) protocol handlers.
+// No external dependencies — hand-rolled ASN.1 encoding only.
+package pkcs7
+
+import (
+	"encoding/pem"
+	"fmt"
+)
+
+// BuildCertsOnlyPKCS7 creates a degenerate PKCS#7 SignedData structure containing only certificates.
+// This is the "certs-only" format specified in RFC 7030 Section 4.1.3 for /cacerts responses
+// and enrollment responses, and used by SCEP (RFC 8894) for GetCACert responses.
+//
+// ASN.1 structure (simplified):
+//
+//	ContentInfo {
+//	  contentType: signedData (1.2.840.113549.1.7.2)
+//	  content: SignedData {
+//	    version: 1
+//	    digestAlgorithms: {} (empty)
+//	    encapContentInfo: { contentType: data (1.2.840.113549.1.7.1) }
+//	    certificates: [cert1, cert2, ...]
+//	    signerInfos: {} (empty)
+//	  }
+//	}
+func BuildCertsOnlyPKCS7(derCerts [][]byte) ([]byte, error) {
+	// OID for signedData: 1.2.840.113549.1.7.2
+	oidSignedData := []byte{0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02}
+	// OID for data: 1.2.840.113549.1.7.1
+	oidData := []byte{0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01}
+
+	// Build certificates [0] IMPLICIT SET OF Certificate
+	var certsContent []byte
+	for _, cert := range derCerts {
+		certsContent = append(certsContent, cert...)
+	}
+	certsField := ASN1WrapImplicit(0, certsContent)
+
+	// Build encapContentInfo: SEQUENCE { OID data }
+	encapContentInfo := ASN1WrapSequence(oidData)
+
+	// Build digestAlgorithms: SET {} (empty)
+	digestAlgorithms := ASN1WrapSet(nil)
+
+	// Build signerInfos: SET {} (empty)
+	signerInfos := ASN1WrapSet(nil)
+
+	// Version: INTEGER 1
+	version := []byte{0x02, 0x01, 0x01}
+
+	// Build SignedData SEQUENCE
+	var signedDataContent []byte
+	signedDataContent = append(signedDataContent, version...)
+	signedDataContent = append(signedDataContent, digestAlgorithms...)
+	signedDataContent = append(signedDataContent, encapContentInfo...)
+	signedDataContent = append(signedDataContent, certsField...)
+	signedDataContent = append(signedDataContent, signerInfos...)
+	signedData := ASN1WrapSequence(signedDataContent)
+
+	// Wrap in [0] EXPLICIT for ContentInfo.content
+	contentField := ASN1WrapExplicit(0, signedData)
+
+	// Build ContentInfo SEQUENCE
+	var contentInfoContent []byte
+	contentInfoContent = append(contentInfoContent, oidSignedData...)
+	contentInfoContent = append(contentInfoContent, contentField...)
+	contentInfo := ASN1WrapSequence(contentInfoContent)
+
+	return contentInfo, nil
+}
+
+// PEMToDERChain converts PEM-encoded certificates to a slice of DER-encoded certificates.
+func PEMToDERChain(pemData string) ([][]byte, error) {
+	var derCerts [][]byte
+	rest := []byte(pemData)
+	for {
+		var block *pem.Block
+		block, rest = pem.Decode(rest)
+		if block == nil {
+			break
+		}
+		if block.Type == "CERTIFICATE" {
+			derCerts = append(derCerts, block.Bytes)
+		}
+	}
+	if len(derCerts) == 0 {
+		return nil, fmt.Errorf("no certificates found in PEM data")
+	}
+	return derCerts, nil
+}
+
+// ASN1WrapSequence wraps content in an ASN.1 SEQUENCE tag (0x30).
+func ASN1WrapSequence(content []byte) []byte {
+	return ASN1Wrap(0x30, content)
+}
+
+// ASN1WrapSet wraps content in an ASN.1 SET tag (0x31).
+func ASN1WrapSet(content []byte) []byte {
+	return ASN1Wrap(0x31, content)
+}
+
+// ASN1WrapExplicit wraps content in an ASN.1 context-specific EXPLICIT tag.
+func ASN1WrapExplicit(tag int, content []byte) []byte {
+	return ASN1Wrap(byte(0xa0|tag), content)
+}
+
+// ASN1WrapImplicit wraps content in an ASN.1 context-specific IMPLICIT CONSTRUCTED tag.
+func ASN1WrapImplicit(tag int, content []byte) []byte {
+	return ASN1Wrap(byte(0xa0|tag), content)
+}
+
+// ASN1Wrap wraps content with an ASN.1 tag and length.
+func ASN1Wrap(tag byte, content []byte) []byte {
+	length := len(content)
+	var result []byte
+	result = append(result, tag)
+	result = append(result, ASN1EncodeLength(length)...)
+	result = append(result, content...)
+	return result
+}
+
+// ASN1EncodeLength encodes a length in ASN.1 DER format.
+func ASN1EncodeLength(length int) []byte {
+	if length < 0x80 {
+		return []byte{byte(length)}
+	}
+	// Long form
+	var lengthBytes []byte
+	l := length
+	for l > 0 {
+		lengthBytes = append([]byte{byte(l & 0xff)}, lengthBytes...)
+		l >>= 8
+	}
+	return append([]byte{byte(0x80 | len(lengthBytes))}, lengthBytes...)
+}

internal/pkcs7/pkcs7_test.go

@@ -0,0 +1,104 @@
+package pkcs7
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
+	"testing"
+	"time"
+)
+
+func generateTestCertPEM(t *testing.T) string {
+	t.Helper()
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatalf("generate key: %v", err)
+	}
+	template := &x509.Certificate{
+		SerialNumber:          big.NewInt(1),
+		Subject:               pkix.Name{CommonName: "Test CA"},
+		NotBefore:             time.Now().Add(-1 * time.Hour),
+		NotAfter:              time.Now().Add(24 * time.Hour),
+		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
+		IsCA:                  true,
+		BasicConstraintsValid: true,
+	}
+	certDER, err := x509.CreateCertificate(rand.Reader, template, template, &key.PublicKey, key)
+	if err != nil {
+		t.Fatalf("create certificate: %v", err)
+	}
+	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}))
+}
+
+func TestBuildCertsOnlyPKCS7(t *testing.T) {
+	dummyCert := []byte{0x30, 0x82, 0x01, 0x00}
+	result, err := BuildCertsOnlyPKCS7([][]byte{dummyCert})
+	if err != nil {
+		t.Fatalf("BuildCertsOnlyPKCS7 failed: %v", err)
+	}
+	if len(result) == 0 {
+		t.Error("expected non-empty PKCS#7 output")
+	}
+	if result[0] != 0x30 {
+		t.Errorf("expected SEQUENCE tag (0x30), got 0x%02x", result[0])
+	}
+}
+
+func TestBuildCertsOnlyPKCS7_MultipleCerts(t *testing.T) {
+	cert1 := []byte{0x30, 0x82, 0x01, 0x00}
+	cert2 := []byte{0x30, 0x82, 0x02, 0x00}
+	result, err := BuildCertsOnlyPKCS7([][]byte{cert1, cert2})
+	if err != nil {
+		t.Fatalf("BuildCertsOnlyPKCS7 failed: %v", err)
+	}
+	if len(result) == 0 {
+		t.Error("expected non-empty PKCS#7 output")
+	}
+}
+
+func TestPEMToDERChain_Success(t *testing.T) {
+	pemData := generateTestCertPEM(t)
+	certs, err := PEMToDERChain(pemData)
+	if err != nil {
+		t.Fatalf("PEMToDERChain failed: %v", err)
+	}
+	if len(certs) != 1 {
+		t.Errorf("expected 1 cert, got %d", len(certs))
+	}
+}
+
+func TestPEMToDERChain_NoCerts(t *testing.T) {
+	_, err := PEMToDERChain("not a PEM")
+	if err == nil {
+		t.Error("expected error for invalid PEM")
+	}
+}
+
+func TestASN1EncodeLength(t *testing.T) {
+	tests := []struct {
+		length   int
+		expected []byte
+	}{
+		{0, []byte{0x00}},
+		{1, []byte{0x01}},
+		{127, []byte{0x7f}},
+		{128, []byte{0x81, 0x80}},
+		{256, []byte{0x82, 0x01, 0x00}},
+	}
+	for _, tt := range tests {
+		result := ASN1EncodeLength(tt.length)
+		if len(result) != len(tt.expected) {
+			t.Errorf("ASN1EncodeLength(%d): expected %d bytes, got %d", tt.length, len(tt.expected), len(result))
+			continue
+		}
+		for i := range result {
+			if result[i] != tt.expected[i] {
+				t.Errorf("ASN1EncodeLength(%d): byte %d: expected 0x%02x, got 0x%02x", tt.length, i, tt.expected[i], result[i])
+			}
+		}
+	}
+}

internal/service/renewal.go

@@ -136,8 +136,17 @@ func (s *RenewalService) CheckExpiringCertificates(ctx context.Context) error {
 	policyCache := make(map[string]*domain.RenewalPolicy)
 
 	for _, cert := range expiring {
-		// Skip if already renewing or archived
-		if cert.Status == domain.CertificateStatusRenewalInProgress || cert.Status == domain.CertificateStatusArchived {
+		// Skip certs in terminal or non-renewable states:
+		// - RenewalInProgress: already being renewed
+		// - Archived: no longer managed
+		// - Revoked: intentionally revoked, should not be auto-renewed
+		// - Failed: requires manual intervention (the failure cause hasn't been resolved)
+		// - Expired: requires manual review (why did it expire without renewal?)
+		if cert.Status == domain.CertificateStatusRenewalInProgress ||
+			cert.Status == domain.CertificateStatusArchived ||
+			cert.Status == domain.CertificateStatusRevoked ||
+			cert.Status == domain.CertificateStatusFailed ||
+			cert.Status == domain.CertificateStatusExpired {
 			continue
 		}
 

internal/service/renewal_test.go

@@ -239,6 +239,77 @@ func TestCheckExpiringCertificates_SkipsRenewalInProgress(t *testing.T) {
 	}
 }
 
+func TestCheckExpiringCertificates_SkipsExpiredFailedRevoked(t *testing.T) {
+	ctx := context.Background()
+
+	// Test that certs in Expired, Failed, and Revoked states do not get renewal jobs
+	for _, tc := range []struct {
+		name   string
+		status domain.CertificateStatus
+	}{
+		{"Expired", domain.CertificateStatusExpired},
+		{"Failed", domain.CertificateStatusFailed},
+		{"Revoked", domain.CertificateStatusRevoked},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			certRepo := newMockCertificateRepository()
+			jobRepo := newMockJobRepository()
+			policyRepo := newMockRenewalPolicyRepository()
+			auditRepo := newMockAuditRepository()
+			notifRepo := newMockNotificationRepository()
+
+			auditSvc := NewAuditService(auditRepo)
+			notifSvc := NewNotificationService(notifRepo, map[string]Notifier{})
+
+			issuerRegistry := NewIssuerRegistry(slog.Default())
+			issuerRegistry.Set("iss-test", &mockIssuerConnector{})
+
+			svc := NewRenewalService(certRepo, jobRepo, policyRepo, nil, auditSvc, notifSvc, issuerRegistry, "server")
+
+			cert := &domain.ManagedCertificate{
+				ID:              "mc-" + strings.ToLower(string(tc.status)),
+				Name:            "Test " + string(tc.status),
+				CommonName:      "test.example.com",
+				SANs:            []string{},
+				OwnerID:         "owner-1",
+				TeamID:          "team-1",
+				IssuerID:        "iss-test",
+				RenewalPolicyID: "rp-standard",
+				Status:          tc.status,
+				ExpiresAt:       time.Now().AddDate(0, 0, 10),
+				Tags:            make(map[string]string),
+				CreatedAt:       time.Now(),
+				UpdatedAt:       time.Now(),
+			}
+			certRepo.AddCert(cert)
+
+			policy := &domain.RenewalPolicy{
+				ID:                  "rp-standard",
+				Name:                "Standard",
+				RenewalWindowDays:   30,
+				AutoRenew:           true,
+				MaxRetries:          3,
+				RetryInterval:       300,
+				AlertThresholdsDays: []int{30, 14, 7, 0},
+				CreatedAt:           time.Now(),
+				UpdatedAt:           time.Now(),
+			}
+			policyRepo.AddPolicy(policy)
+
+			err := svc.CheckExpiringCertificates(ctx)
+			if err != nil {
+				t.Fatalf("CheckExpiringCertificates failed: %v", err)
+			}
+
+			for _, job := range jobRepo.Jobs {
+				if job.Type == domain.JobTypeRenewal {
+					t.Errorf("should not create renewal job for cert with %s status", tc.status)
+				}
+			}
+		})
+	}
+}
+
 func TestCheckExpiringCertificates_UpdatesStatusToExpiring(t *testing.T) {
 	t.Helper()
 	ctx := context.Background()

internal/service/scep.go

@@ -0,0 +1,160 @@
+package service
+
+import (
+	"context"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"log/slog"
+	"strings"
+
+	"github.com/shankar0123/certctl/internal/domain"
+)
+
+// SCEPService implements the SCEP (RFC 8894) enrollment protocol.
+// It delegates certificate operations to an existing IssuerConnector and records
+// enrollment events in the audit trail.
+type SCEPService struct {
+	issuer            IssuerConnector
+	issuerID          string
+	auditService      *AuditService
+	logger            *slog.Logger
+	profileID         string // optional: constrain enrollments to a specific profile
+	challengePassword string // shared secret for enrollment authentication
+}
+
+// NewSCEPService creates a new SCEPService for the given issuer connector.
+func NewSCEPService(issuerID string, issuer IssuerConnector, auditService *AuditService, logger *slog.Logger, challengePassword string) *SCEPService {
+	return &SCEPService{
+		issuer:            issuer,
+		issuerID:          issuerID,
+		auditService:      auditService,
+		logger:            logger,
+		challengePassword: challengePassword,
+	}
+}
+
+// SetProfileID constrains SCEP enrollments to a specific certificate profile.
+func (s *SCEPService) SetProfileID(profileID string) {
+	s.profileID = profileID
+}
+
+// GetCACaps returns the capabilities of this SCEP server.
+// RFC 8894 Section 3.5.2: GetCACaps returns a list of capabilities, one per line.
+func (s *SCEPService) GetCACaps(ctx context.Context) string {
+	return "POSTPKIOperation\nSHA-256\nAES\nSCEPStandard\n"
+}
+
+// GetCACert returns the PEM-encoded CA certificate chain for this SCEP server.
+// RFC 8894 Section 3.5.1: GetCACert distributes the CA certificate(s).
+func (s *SCEPService) GetCACert(ctx context.Context) (string, error) {
+	caPEM, err := s.issuer.GetCACertPEM(ctx)
+	if err != nil {
+		return "", fmt.Errorf("failed to get CA certificates from issuer %s: %w", s.issuerID, err)
+	}
+	if caPEM == "" {
+		return "", fmt.Errorf("issuer %s does not provide CA certificates for SCEP", s.issuerID)
+	}
+	return caPEM, nil
+}
+
+// PKCSReq processes a SCEP enrollment request.
+// RFC 8894 Section 3.3.1: PKCSReq contains a PKCS#10 CSR for certificate enrollment.
+// The CSR PEM and challenge password are extracted by the handler from the PKCS#7 envelope.
+func (s *SCEPService) PKCSReq(ctx context.Context, csrPEM string, challengePassword string, transactionID string) (*domain.SCEPEnrollResult, error) {
+	// Validate challenge password
+	if s.challengePassword != "" {
+		if challengePassword != s.challengePassword {
+			s.logger.Warn("SCEP enrollment rejected: invalid challenge password",
+				"transaction_id", transactionID)
+			return nil, fmt.Errorf("invalid challenge password")
+		}
+	}
+
+	return s.processEnrollment(ctx, csrPEM, transactionID, "scep_pkcsreq")
+}
+
+// processEnrollment handles the common enrollment logic.
+func (s *SCEPService) processEnrollment(ctx context.Context, csrPEM string, transactionID string, auditAction string) (*domain.SCEPEnrollResult, error) {
+	// Parse the CSR to extract CN and SANs
+	block, _ := pem.Decode([]byte(csrPEM))
+	if block == nil {
+		return nil, fmt.Errorf("invalid CSR PEM")
+	}
+
+	csr, err := x509.ParseCertificateRequest(block.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse CSR: %w", err)
+	}
+
+	if err := csr.CheckSignature(); err != nil {
+		return nil, fmt.Errorf("CSR signature verification failed: %w", err)
+	}
+
+	commonName := csr.Subject.CommonName
+	if commonName == "" {
+		return nil, fmt.Errorf("CSR must include a Common Name")
+	}
+
+	// Collect SANs
+	var sans []string
+	for _, dns := range csr.DNSNames {
+		sans = append(sans, dns)
+	}
+	for _, ip := range csr.IPAddresses {
+		sans = append(sans, ip.String())
+	}
+	for _, email := range csr.EmailAddresses {
+		sans = append(sans, email)
+	}
+	for _, uri := range csr.URIs {
+		sans = append(sans, uri.String())
+	}
+
+	s.logger.Info("SCEP enrollment request",
+		"action", auditAction,
+		"common_name", commonName,
+		"sans", strings.Join(sans, ","),
+		"transaction_id", transactionID,
+		"issuer", s.issuerID)
+
+	// Issue the certificate via the configured issuer connector
+	// SCEP enrollments use default EKUs (nil = serverAuth + clientAuth fallback in connector)
+	result, err := s.issuer.IssueCertificate(ctx, commonName, sans, csrPEM, nil)
+	if err != nil {
+		s.logger.Error("SCEP enrollment failed",
+			"action", auditAction,
+			"common_name", commonName,
+			"transaction_id", transactionID,
+			"error", err)
+		return nil, fmt.Errorf("certificate issuance failed: %w", err)
+	}
+
+	// Audit the enrollment
+	if s.auditService != nil {
+		details := map[string]interface{}{
+			"common_name":    commonName,
+			"sans":           sans,
+			"issuer_id":      s.issuerID,
+			"serial":         result.Serial,
+			"transaction_id": transactionID,
+			"protocol":       "SCEP",
+		}
+		if s.profileID != "" {
+			details["profile_id"] = s.profileID
+		}
+		_ = s.auditService.RecordEvent(ctx, "scep-client", "system", auditAction, "certificate", result.Serial, details)
+	}
+
+	s.logger.Info("SCEP enrollment successful",
+		"action", auditAction,
+		"common_name", commonName,
+		"serial", result.Serial,
+		"transaction_id", transactionID,
+		"not_after", result.NotAfter)
+
+	return &domain.SCEPEnrollResult{
+		CertPEM:  result.CertPEM,
+		ChainPEM: result.ChainPEM,
+	}, nil
+}

internal/service/scep_test.go

@@ -0,0 +1,195 @@
+package service
+
+import (
+	"context"
+	"errors"
+	"log/slog"
+	"os"
+	"strings"
+	"testing"
+)
+
+func TestSCEPService_GetCACaps(t *testing.T) {
+	mockIssuer := &mockIssuerConnector{}
+	svc := NewSCEPService("iss-local", mockIssuer, nil, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "")
+
+	caps := svc.GetCACaps(context.Background())
+	if caps == "" {
+		t.Error("expected non-empty capabilities")
+	}
+	if !strings.Contains(caps, "POSTPKIOperation") {
+		t.Errorf("expected POSTPKIOperation in caps, got: %s", caps)
+	}
+	if !strings.Contains(caps, "SHA-256") {
+		t.Errorf("expected SHA-256 in caps, got: %s", caps)
+	}
+	if !strings.Contains(caps, "SCEPStandard") {
+		t.Errorf("expected SCEPStandard in caps, got: %s", caps)
+	}
+}
+
+func TestSCEPService_GetCACert_Success(t *testing.T) {
+	mockIssuer := &mockIssuerConnector{}
+	svc := NewSCEPService("iss-local", mockIssuer, nil, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "")
+
+	caPEM, err := svc.GetCACert(context.Background())
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if caPEM == "" {
+		t.Error("expected non-empty CA PEM")
+	}
+}
+
+func TestSCEPService_GetCACert_IssuerError(t *testing.T) {
+	mockIssuer := &mockIssuerConnector{Err: errors.New("CA unavailable")}
+	svc := NewSCEPService("iss-local", mockIssuer, nil, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "")
+
+	_, err := svc.GetCACert(context.Background())
+	if err == nil {
+		t.Fatal("expected error")
+	}
+	if !strings.Contains(err.Error(), "CA unavailable") {
+		t.Errorf("expected error to contain 'CA unavailable', got: %v", err)
+	}
+}
+
+func TestSCEPService_PKCSReq_Success(t *testing.T) {
+	mockIssuer := &mockIssuerConnector{}
+	auditRepo := newMockAuditRepository()
+	auditSvc := NewAuditService(auditRepo)
+	svc := NewSCEPService("iss-local", mockIssuer, auditSvc, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "")
+
+	csrPEM := generateCSRPEM(t, "device.example.com", []string{"device.example.com"})
+
+	result, err := svc.PKCSReq(context.Background(), csrPEM, "", "txn-001")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if result == nil {
+		t.Fatal("expected non-nil result")
+	}
+	if result.CertPEM == "" {
+		t.Error("expected non-empty CertPEM")
+	}
+
+	// Verify audit event was recorded
+	if len(auditRepo.Events) == 0 {
+		t.Error("expected audit event to be recorded")
+	}
+}
+
+func TestSCEPService_PKCSReq_InvalidCSR(t *testing.T) {
+	mockIssuer := &mockIssuerConnector{}
+	svc := NewSCEPService("iss-local", mockIssuer, nil, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "")
+
+	_, err := svc.PKCSReq(context.Background(), "not-valid-pem", "", "txn-002")
+	if err == nil {
+		t.Fatal("expected error for invalid CSR")
+	}
+}
+
+func TestSCEPService_PKCSReq_MissingCN(t *testing.T) {
+	mockIssuer := &mockIssuerConnector{}
+	svc := NewSCEPService("iss-local", mockIssuer, nil, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "")
+
+	csrPEM := generateCSRPEM(t, "", []string{"test.example.com"})
+
+	_, err := svc.PKCSReq(context.Background(), csrPEM, "", "txn-003")
+	if err == nil {
+		t.Fatal("expected error for missing CN")
+	}
+	if !strings.Contains(err.Error(), "Common Name") {
+		t.Errorf("expected 'Common Name' in error, got: %v", err)
+	}
+}
+
+func TestSCEPService_PKCSReq_IssuerError(t *testing.T) {
+	mockIssuer := &mockIssuerConnector{Err: errors.New("issuance failed")}
+	svc := NewSCEPService("iss-local", mockIssuer, nil, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "")
+
+	csrPEM := generateCSRPEM(t, "test.example.com", nil)
+
+	_, err := svc.PKCSReq(context.Background(), csrPEM, "", "txn-004")
+	if err == nil {
+		t.Fatal("expected error")
+	}
+	if !strings.Contains(err.Error(), "issuance failed") {
+		t.Errorf("expected 'issuance failed', got: %v", err)
+	}
+}
+
+func TestSCEPService_PKCSReq_ChallengePassword_Valid(t *testing.T) {
+	mockIssuer := &mockIssuerConnector{}
+	auditRepo := newMockAuditRepository()
+	auditSvc := NewAuditService(auditRepo)
+	svc := NewSCEPService("iss-local", mockIssuer, auditSvc, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "secret123")
+
+	csrPEM := generateCSRPEM(t, "mdm-device.example.com", nil)
+
+	result, err := svc.PKCSReq(context.Background(), csrPEM, "secret123", "txn-005")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if result == nil {
+		t.Fatal("expected non-nil result")
+	}
+}
+
+func TestSCEPService_PKCSReq_ChallengePassword_Invalid(t *testing.T) {
+	mockIssuer := &mockIssuerConnector{}
+	svc := NewSCEPService("iss-local", mockIssuer, nil, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "secret123")
+
+	csrPEM := generateCSRPEM(t, "mdm-device.example.com", nil)
+
+	_, err := svc.PKCSReq(context.Background(), csrPEM, "wrong-password", "txn-006")
+	if err == nil {
+		t.Fatal("expected error for invalid challenge password")
+	}
+	if !strings.Contains(err.Error(), "challenge password") {
+		t.Errorf("expected 'challenge password' in error, got: %v", err)
+	}
+}
+
+func TestSCEPService_PKCSReq_ChallengePassword_NotRequired(t *testing.T) {
+	// When server has no challenge password configured, any value should be accepted
+	mockIssuer := &mockIssuerConnector{}
+	svc := NewSCEPService("iss-local", mockIssuer, nil, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "")
+
+	csrPEM := generateCSRPEM(t, "device.example.com", nil)
+
+	result, err := svc.PKCSReq(context.Background(), csrPEM, "any-value", "txn-007")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if result == nil {
+		t.Fatal("expected non-nil result")
+	}
+}
+
+func TestSCEPService_PKCSReq_WithProfile(t *testing.T) {
+	mockIssuer := &mockIssuerConnector{}
+	auditRepo := newMockAuditRepository()
+	auditSvc := NewAuditService(auditRepo)
+	svc := NewSCEPService("iss-local", mockIssuer, auditSvc, slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelError})), "")
+	svc.SetProfileID("profile-mdm-device")
+
+	csrPEM := generateCSRPEM(t, "device.example.com", nil)
+
+	result, err := svc.PKCSReq(context.Background(), csrPEM, "", "txn-008")
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if result == nil {
+		t.Fatal("expected non-nil result")
+	}
+
+	// Verify audit event includes profile_id
+	if len(auditRepo.Events) == 0 {
+		t.Fatal("expected audit event")
+	}
+	lastEvent := auditRepo.Events[len(auditRepo.Events)-1]
+	if lastEvent.Details == nil {
+		t.Fatal("expected audit details")
+	}
+}

migrations/seed_demo.sql

@@ -150,17 +150,21 @@ INSERT INTO managed_certificates (id, name, common_name, sans, environment, owne
 
   -- ---- Active certs via step-ca (internal services) ----
   ('mc-grpc-prod',     'grpc-internal',        'grpc.internal.example.com', ARRAY['grpc.internal.example.com'],                         'production',  'o-alice', 't-platform', 'iss-stepca', 'rp-standard', 'Active',  NOW() + INTERVAL '58 days',  '{"service": "grpc-gateway", "tier": "high"}',      NOW() - INTERVAL '32 days', NOW() - INTERVAL '32 days', NOW() - INTERVAL '100 days', NOW()),
-  ('mc-vault-prod',    'vault-internal',       'vault.internal.example.com', ARRAY['vault.internal.example.com'],                       'production',  'o-bob',   't-security', 'iss-stepca', 'rp-urgent',   'Active',  NOW() + INTERVAL '25 days',  '{"service": "vault", "tier": "critical"}',         NOW() - INTERVAL '65 days', NOW() - INTERVAL '65 days', NOW() - INTERVAL '120 days', NOW()),
+  ('mc-vault-prod',    'vault-internal',       'vault.internal.example.com', ARRAY['vault.internal.example.com'],                       'production',  'o-bob',   't-security', 'iss-stepca', 'rp-urgent',   'Active',  NOW() + INTERVAL '35 days',  '{"service": "vault", "tier": "critical"}',         NOW() - INTERVAL '65 days', NOW() - INTERVAL '65 days', NOW() - INTERVAL '120 days', NOW()),
   ('mc-consul-prod',   'consul-internal',      'consul.internal.example.com', ARRAY['consul.internal.example.com'],                     'production',  'o-alice', 't-platform', 'iss-stepca', 'rp-standard', 'Active',  NOW() + INTERVAL '63 days',  '{"service": "consul", "tier": "high"}',            NOW() - INTERVAL '27 days', NOW() - INTERVAL '27 days', NOW() - INTERVAL '90 days',  NOW()),
 
   -- ---- Active certs via ZeroSSL ----
   ('mc-shop-prod',     'shop-production',      'shop.example.com',      ARRAY['shop.example.com', 'store.example.com'],                 'production',  'o-carol', 't-payments', 'iss-acme-zs', 'rp-urgent',  'Active',  NOW() + INTERVAL '44 days',  '{"service": "shop", "tier": "critical", "pci": "true"}', NOW() - INTERVAL '46 days', NOW() - INTERVAL '46 days', NOW() - INTERVAL '60 days', NOW()),
 
-  -- ---- Expiring soon (< 30 days) ----
-  ('mc-auth-prod',     'auth-production',      'auth.example.com',      ARRAY['auth.example.com', 'login.example.com', 'sso.example.com'], 'production', 'o-bob', 't-security', 'iss-local', 'rp-urgent', 'Expiring', NOW() + INTERVAL '12 days',  '{"service": "auth", "tier": "critical"}',          NOW() - INTERVAL '78 days', NOW() - INTERVAL '78 days', NOW() - INTERVAL '300 days', NOW()),
-  ('mc-cdn-prod',      'cdn-production',       'cdn.example.com',       ARRAY['cdn.example.com', 'static.example.com'],                 'production',  'o-alice', 't-platform', 'iss-local', 'rp-standard', 'Expiring', NOW() + INTERVAL '8 days',   '{"service": "cdn", "tier": "high"}',               NOW() - INTERVAL '82 days', NOW() - INTERVAL '82 days', NOW() - INTERVAL '250 days', NOW()),
-  ('mc-mail-prod',     'mail-production',      'mail.example.com',      ARRAY['mail.example.com', 'smtp.example.com'],                  'production',  'o-bob',   't-security', 'iss-local', 'rp-standard', 'Expiring', NOW() + INTERVAL '5 days',   '{"service": "email", "tier": "medium"}',           NOW() - INTERVAL '85 days', NOW() - INTERVAL '85 days', NOW() - INTERVAL '400 days', NOW()),
-  ('mc-ci-prod',       'ci-production',        'ci.example.com',        ARRAY['ci.example.com', 'jenkins.example.com'],                 'production',  'o-frank', 't-devops',   'iss-acme-le', 'rp-standard', 'Expiring', NOW() + INTERVAL '18 days', '{"service": "ci", "tier": "high"}',                NOW() - INTERVAL '72 days', NOW() - INTERVAL '72 days', NOW() - INTERVAL '100 days', NOW()),
+  -- ---- Expiring soon ----
+  -- NOTE: expires_at is set > 31 days to stay outside the scheduler's 31-day renewal query window.
+  -- The scheduler runs CheckExpiringCertificates on boot with a 31-day lookahead; certs inside that
+  -- window get renewal jobs created automatically. By placing these at 32-38 days, the status stays
+  -- frozen as seeded while still being within the 30-day alert threshold range shown on the dashboard.
+  ('mc-auth-prod',     'auth-production',      'auth.example.com',      ARRAY['auth.example.com', 'login.example.com', 'sso.example.com'], 'production', 'o-bob', 't-security', 'iss-local', 'rp-urgent', 'Expiring', NOW() + INTERVAL '32 days',  '{"service": "auth", "tier": "critical"}',          NOW() - INTERVAL '78 days', NOW() - INTERVAL '78 days', NOW() - INTERVAL '300 days', NOW()),
+  ('mc-cdn-prod',      'cdn-production',       'cdn.example.com',       ARRAY['cdn.example.com', 'static.example.com'],                 'production',  'o-alice', 't-platform', 'iss-local', 'rp-standard', 'Expiring', NOW() + INTERVAL '34 days',  '{"service": "cdn", "tier": "high"}',               NOW() - INTERVAL '82 days', NOW() - INTERVAL '82 days', NOW() - INTERVAL '250 days', NOW()),
+  ('mc-mail-prod',     'mail-production',      'mail.example.com',      ARRAY['mail.example.com', 'smtp.example.com'],                  'production',  'o-bob',   't-security', 'iss-local', 'rp-standard', 'Expiring', NOW() + INTERVAL '33 days',  '{"service": "email", "tier": "medium"}',           NOW() - INTERVAL '85 days', NOW() - INTERVAL '85 days', NOW() - INTERVAL '400 days', NOW()),
+  ('mc-ci-prod',       'ci-production',        'ci.example.com',        ARRAY['ci.example.com', 'jenkins.example.com'],                 'production',  'o-frank', 't-devops',   'iss-acme-le', 'rp-standard', 'Expiring', NOW() + INTERVAL '38 days', '{"service": "ci", "tier": "high"}',                NOW() - INTERVAL '72 days', NOW() - INTERVAL '72 days', NOW() - INTERVAL '100 days', NOW()),
 
   -- ---- Expired ----
   ('mc-legacy-prod',   'legacy-app',           'legacy.example.com',    ARRAY['legacy.example.com'],                                    'production',  'o-alice', 't-platform', 'iss-local', 'rp-manual',   'Expired',  NOW() - INTERVAL '3 days',   '{"service": "legacy", "tier": "low", "decom": "planned"}', NOW() - INTERVAL '93 days', NOW() - INTERVAL '93 days', NOW() - INTERVAL '500 days', NOW()),
@@ -176,16 +180,18 @@ INSERT INTO managed_certificates (id, name, common_name, sans, environment, owne
   ('mc-api-dev',       'api-development',      'api.dev.example.com',   ARRAY['api.dev.example.com'],                                   'development', 'o-alice', 't-platform', 'iss-local', 'rp-standard', 'Active',   NOW() + INTERVAL '85 days',  '{"service": "api-gateway", "tier": "low"}',        NOW() - INTERVAL '5 days',  NOW() - INTERVAL '5 days',  NOW() - INTERVAL '45 days',  NOW()),
 
   -- ---- Renewal in progress ----
-  ('mc-grafana-prod',  'grafana-production',   'grafana.example.com',   ARRAY['grafana.example.com', 'metrics.example.com'],            'production',  'o-eve',   't-data',     'iss-local', 'rp-standard', 'RenewalInProgress', NOW() + INTERVAL '3 days',  '{"service": "monitoring", "tier": "high"}',  NOW() - INTERVAL '87 days', NOW() - INTERVAL '87 days', NOW() - INTERVAL '180 days', NOW()),
+  -- NOTE: expires_at set > 31 days to keep outside scheduler's renewal query window
+  ('mc-grafana-prod',  'grafana-production',   'grafana.example.com',   ARRAY['grafana.example.com', 'metrics.example.com'],            'production',  'o-eve',   't-data',     'iss-local', 'rp-standard', 'RenewalInProgress', NOW() + INTERVAL '33 days',  '{"service": "monitoring", "tier": "high"}',  NOW() - INTERVAL '87 days', NOW() - INTERVAL '87 days', NOW() - INTERVAL '180 days', NOW()),
 
   -- ---- Failed ----
-  ('mc-vpn-prod',      'vpn-production',       'vpn.example.com',       ARRAY['vpn.example.com'],                                      'production',  'o-bob',   't-security', 'iss-acme-le', 'rp-urgent', 'Failed',   NOW() + INTERVAL '1 day',    '{"service": "vpn", "tier": "critical"}',           NULL, NULL, NOW() - INTERVAL '90 days', NOW()),
+  -- NOTE: expires_at set > 31 days; scheduler code fix also skips Failed certs from auto-renewal
+  ('mc-vpn-prod',      'vpn-production',       'vpn.example.com',       ARRAY['vpn.example.com'],                                      'production',  'o-bob',   't-security', 'iss-acme-le', 'rp-urgent', 'Failed',   NOW() + INTERVAL '32 days',  '{"service": "vpn", "tier": "critical"}',           NULL, NULL, NOW() - INTERVAL '90 days', NOW()),
 
   -- ---- Wildcard ----
   ('mc-wildcard-prod', 'wildcard-production',  '*.example.com',         ARRAY['*.example.com', 'example.com'],                          'production',  'o-alice', 't-platform', 'iss-acme-le', 'rp-standard', 'Active', NOW() + INTERVAL '50 days',  '{"service": "wildcard", "tier": "critical"}',      NOW() - INTERVAL '40 days', NOW() - INTERVAL '40 days', NOW() - INTERVAL '365 days', NOW()),
 
   -- ---- Revoked ----
-  ('mc-compromised',   'compromised-cert',     'old-service.example.com', ARRAY['old-service.example.com'],                             'production',  'o-bob',   't-security', 'iss-local', 'rp-standard', 'Revoked',  NOW() + INTERVAL '30 days',  '{"service": "decommissioned", "tier": "low"}',     NOW() - INTERVAL '60 days', NOW() - INTERVAL '60 days', NOW() - INTERVAL '120 days', NOW()),
+  ('mc-compromised',   'compromised-cert',     'old-service.example.com', ARRAY['old-service.example.com'],                             'production',  'o-bob',   't-security', 'iss-local', 'rp-standard', 'Revoked',  NOW() + INTERVAL '45 days',  '{"service": "decommissioned", "tier": "low"}',     NOW() - INTERVAL '60 days', NOW() - INTERVAL '60 days', NOW() - INTERVAL '120 days', NOW()),
 
   -- ---- Edge/CDN certs (Traefik + Caddy targets) ----
   ('mc-edge-eu',       'edge-eu-production',   'eu.cdn.example.com',    ARRAY['eu.cdn.example.com', 'eu-assets.example.com'],           'production',  'o-alice', 't-platform', 'iss-acme-le', 'rp-standard', 'Active', NOW() + INTERVAL '61 days',  '{"service": "cdn-eu", "tier": "high", "region": "eu-west-1"}', NOW() - INTERVAL '29 days', NOW() - INTERVAL '29 days', NOW() - INTERVAL '45 days', NOW()),

web/src/pages/AgentDetailPage.tsx

@@ -61,7 +61,7 @@ export default function AgentDetailPage() {
     );
   }
 
-  const health = agent.status || heartbeatStatus(agent.last_heartbeat);
+  const health = agent.status || heartbeatStatus(agent.last_heartbeat_at);
 
   return (
     <>
@@ -82,10 +82,10 @@ export default function AgentDetailPage() {
             <InfoRow label="IP Address" value={<span className="font-mono text-xs">{agent.ip_address || '—'}</span>} />
             <InfoRow label="Version" value={agent.version || '—'} />
             <InfoRow label="Last Heartbeat" value={
-              agent.last_heartbeat ? (
+              agent.last_heartbeat_at ? (
                 <span>
-                  {timeAgo(agent.last_heartbeat)}
-                  <span className="text-ink-faint ml-2 text-xs">{formatDateTime(agent.last_heartbeat)}</span>
+                  {timeAgo(agent.last_heartbeat_at)}
+                  <span className="text-ink-faint ml-2 text-xs">{formatDateTime(agent.last_heartbeat_at)}</span>
                 </span>
               ) : '—'
             } />

web/src/pages/AgentsPage.tsx

@@ -39,7 +39,7 @@ export default function AgentsPage() {
     {
       key: 'status',
       label: 'Health',
-      render: (a) => <StatusBadge status={a.status || heartbeatStatus(a.last_heartbeat)} />,
+      render: (a) => <StatusBadge status={a.status || heartbeatStatus(a.last_heartbeat_at)} />,
     },
     { key: 'hostname', label: 'Hostname', render: (a) => <span className="text-ink-muted font-mono text-xs">{a.hostname || '—'}</span> },
     { key: 'os', label: 'OS / Arch', render: (a) => <span className="text-ink-muted text-xs">{a.os && a.architecture ? `${a.os}/${a.architecture}` : a.os || '—'}</span> },
@@ -48,7 +48,7 @@ export default function AgentsPage() {
     {
       key: 'heartbeat',
       label: 'Last Heartbeat',
-      render: (a) => <span className="text-ink-muted text-xs">{timeAgo(a.last_heartbeat)}</span>,
+      render: (a) => <span className="text-ink-muted text-xs">{timeAgo(a.last_heartbeat_at)}</span>,
     },
   ];