diff --git a/authority/admin/api/webhook.go b/authority/admin/api/webhook.go
index f73f6806..3939d55e 100644
--- a/authority/admin/api/webhook.go
+++ b/authority/admin/api/webhook.go
@@ -57,9 +57,9 @@ func validateWebhook(webhook *linkedca.Webhook) error {
 
 // kind
 switch webhook.Kind {
- case linkedca.Webhook_ENRICHING, linkedca.Webhook_AUTHORIZING:
+ case linkedca.Webhook_ENRICHING, linkedca.Webhook_AUTHORIZING, linkedca.Webhook_SCEPCHALLENGE:
 default:
- return admin.NewError(admin.ErrorBadRequestType, "webhook kind is invalid")
+ return admin.NewError(admin.ErrorBadRequestType, "webhook kind %q is invalid", webhook.Kind)
 }
 
 return nil
diff --git a/authority/admin/api/webhook_test.go b/authority/admin/api/webhook_test.go
index baac2c11..0fb199f0 100644
--- a/authority/admin/api/webhook_test.go
+++ b/authority/admin/api/webhook_test.go
@@ -180,6 +180,26 @@ func TestWebhookAdminResponder_CreateProvisionerWebhook(t *testing.T) {
 statusCode: 400,
 }
 },
+ "fail/unsupported-webhook-kind": func(t *testing.T) test {
+ prov := &linkedca.Provisioner{
+ Name: "provName",
+ }
+ ctx := linkedca.NewContextWithProvisioner(context.Background(), prov)
+ adminErr := admin.NewError(admin.ErrorBadRequestType, `(line 5:13): invalid value for enum type: "UNSUPPORTED"`)
+ adminErr.Message = `(line 5:13): invalid value for enum type: "UNSUPPORTED"`
+ body := []byte(`
+ {
+ "name": "metadata",
+ "url": "https://example.com",
+ "kind": "UNSUPPORTED",
+ }`)
+ return test{
+ ctx: ctx,
+ body: body,
+ err: adminErr,
+ statusCode: 400,
+ }
+ },
 "fail/auth.UpdateProvisioner-error": func(t *testing.T) test {
 adm := &linkedca.Admin{
 Subject: "step",
diff --git a/scep/api/webhook/webhook.go b/scep/api/webhook/webhook.go
index 07dafd78..b191c426 100644
--- a/scep/api/webhook/webhook.go
+++ b/scep/api/webhook/webhook.go
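Review bot: In validateWebhook, the widened `case` accepts `linkedca.Webhook_SCEPCHALLENGE` without regard to the webhook's cert type, yet the SCEP controller changed in this same commit only consults webhooks whose cert type is X509, ALL or empty. A SCEPCHALLENGE webhook stored with an SSH cert type would pass this check and then be skipped at enrolment time, where Validate ends in `return provisioner.ErrWebhookDenied`, so the misconfiguration would surface only as denied requests. Consider rejecting the combination at creation, for example `if webhook.Kind == linkedca.Webhook_SCEPCHALLENGE && webhook.CertType == linkedca.Webhook_SSH { return admin.NewError(admin.ErrorBadRequestType, "scep challenge webhooks cannot use cert type SSH") }`. validateWebhook begins above this hunk, so an existing cert-type check may already cover part of this.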
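Review bot: The request body in the "fail/unsupported-webhook-kind" case ends with a trailing comma after `"kind": "UNSUPPORTED",`, so it is not valid JSON whatever the kind value is; the expected error matches only because the decoder reports the enum problem at line 5 before it reaches the closing brace. Dropping the comma (`"kind": "UNSUPPORTED"`) makes the enum value the sole reason for the 400. As far as this hunk shows, the case is rejected by the decoder, so neither the new `%q` message in validateWebhook nor the acceptance of SCEPCHALLENGE is exercised; a success case with `"kind": "SCEPCHALLENGE"` would cover the latter. The enclosing test function starts and ends outside this hunk.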
@@ -54,8 +54,11 @@ func (c *Controller) Validate(ctx context.Context, challenge string) error {
 return provisioner.ErrWebhookDenied
 }
 
-// isCertTypeOK returns whether or not the webhook is for X.509
-// certificates.
+// isCertTypeOK returns whether or not the webhook can be used
+// with the SCEP challenge validation webhook controller.
 func (c *Controller) isCertTypeOK(wh *provisioner.Webhook) bool {
+ if wh.CertType == linkedca.Webhook_ALL.String() || wh.CertType == "" {
+ return true
+ }
 return linkedca.Webhook_X509.String() == wh.CertType
 }
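Review bot: The new doc comment on isCertTypeOK says the webhook "can be used" with the SCEP controller but not which CertType values qualify, and the empty-string case added here is the one a reader would not guess. Suggest `// isCertTypeOK reports whether wh applies to SCEP challenge validation: CertType X509, ALL, or unset (treated as ALL).` Because this check now admits more webhooks, and each admitted webhook presumably receives the challenge, it is worth confirming that Validate (whose body starts above this hunk) filters on the SCEPCHALLENGE kind before calling it. The three accepted values would also read more plainly as one `switch wh.CertType { case "", linkedca.Webhook_ALL.String(), linkedca.Webhook_X509.String(): return true }` followed by `return false`.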