We present SCR, a secure content replication protocol for the Content-Centric Networking (CCN) architecture. The goal of SCR is to allow a data producer to cache protected content in off-path semi-trusted caches or replicas. In contrast to the standard ``take what you want'' model of CCN, SCR ensures that no unauthorized, off-path entity can obtain data from these replicas, even if the content is encrypted. SCR allows a producer to encrypt data under any viable access control scheme, such as group-based access backed by broadcast encryption, and delegate the delivery of said content to distributed replicas in the network. SCR is analogous to ``blind caching'' in IP-based networks, which aim to provide caching as a service in the presence of end-to-end encryption via TLS. We discuss the design details and security features, e.g., revocation, of SCR. We then compare SCR to the HTTP(S)-based blind caching model. We show that our scheme can outperform blind caching due to (1) less protocol complexity and message overhead, (2) faster session establishment, and (3) the ability to obtain data in parallel from multiple, independent replicas.