Let's say you provide a SCEP service available to the outside world. Where should the SCEP requests be decrypted? At the load balancer, in the backend server, elsewhere?
It doesn't look like there is much processing/filtering that can be done by the load balancer to verify whether the request is a valid, well-formed SCEP request if that load balancer doesn't have the key to decrypt the encrypted data in the request.
What is the safest way to design this (when you have no other choice but to use SCEP)?