API Enrollment
Last updated
This feature requires version 2.3.689 or above.
SCEPman Enterprise Edition only
SCEPman features a REST API for enrolling certificates. It is an alternative to the SCEP endpoints: where SCEP requires its own style of authentication, the REST API authenticates callers with Microsoft identities, and the protocol is much simpler than SCEP.
After you have prepared the prerequisites, you can POST a PKCS#10/CMS to your SCEPman with the HTTP path api/csr. The HTTP Response will be the freshly issued certificate in DER encoding.
SCEPman will store all issued certificates automatically in its Storage Account, so you can conveniently list and revoke them via the Certificate Master component.
See our Open Source Sample Library on GitHub to find out how to use SCEPman's REST API.
Assign the required permissions by running the Register-SCEPmanApiClient cmdlet from the SCEPman PowerShell module.
Example:
The Object ID of the complementing Enterprise Application of the App Registration we created in the previous step. Note that this does not refer to the Enterprise Application usually named SCEPman-api, which identifies SCEPman itself.
To manually assign this permission you can navigate to API Permissions and add a permission from the permissions your organization uses. Assign the CSR.Request.Db permission from SCEPman-api as an application permission.
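The following is an added example client, not code from SCEPman or its sample library, that follows the flow described above: obtain a token for the client that holds the CSR.Request.Db application permission, POST the DER-encoded PKCS#10 request to api/csr with that token, and sanity-check that the response body is a DER certificate before saving it. The SCEPman URL, tenant, client credentials, the SCEPman-api Application ID URI, the `application/pkcs10` media type and the sample CSR bytes are placeholders or constructed values, not taken from the page.

```python
import base64
import re
import urllib.parse
import urllib.request

# Constructed stand-in for a PEM PKCS#10 request (not a real CSR; decodes to DER 30 05 02 01 01 05 00).
SAMPLE_CSR_PEM = "-----BEGIN CERTIFICATE REQUEST-----\nMAUCAQEFAA==\n-----END CERTIFICATE REQUEST-----\n"


def pem_csr_to_der(pem: str) -> bytes:
    """Strip the PEM armour from a PKCS#10 CSR and return its DER bytes."""
    body = re.sub(r"-----(BEGIN|END) (NEW )?CERTIFICATE REQUEST-----", "", pem)
    return base64.b64decode("".join(body.split()))


def build_token_request(tenant, client_id, client_secret, scepman_api_uri):
    """Client-credentials token request. scepman_api_uri is the Application ID URI of the
    SCEPman-api app (placeholder); the resulting token carries the CSR.Request.Db app permission."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret,
                                   "scope": scepman_api_uri.rstrip("/") + "/.default"}).encode()
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    return urllib.request.Request(url, data=form, method="POST")


def build_enrollment_request(scepman_url, access_token, csr_der):
    """POST the DER CSR to SCEPman's api/csr endpoint, authenticated with the Bearer token."""
    req = urllib.request.Request(scepman_url.rstrip("/") + "/api/csr", data=csr_der, method="POST")
    req.add_header("Authorization", "Bearer " + access_token)
    req.add_header("Content-Type", "application/pkcs10")  # assumed media type for the CSR body
    return req


def is_der_certificate(body: bytes) -> bool:
    """True if body is exactly one DER SEQUENCE (the outer shape of an X.509 certificate),
    so that e.g. an HTML error page returned with HTTP 200 is never saved as a certificate."""
    if len(body) < 2 or body[0] != 0x30:
        return False
    first = body[1]
    if first < 0x80:                      # short-form length
        return 2 + first == len(body)
    n = first & 0x7F                      # long-form: n length bytes follow
    if n == 0 or n > 4 or len(body) < 2 + n:
        return False
    return 2 + n + int.from_bytes(body[2:2 + n], "big") == len(body)


def enroll(scepman_url, access_token, csr_pem, opener=urllib.request.urlopen):
    """Convert the CSR, submit it and return the issued certificate as validated DER bytes."""
    req = build_enrollment_request(scepman_url, access_token, pem_csr_to_der(csr_pem))
    with opener(req) as resp:
        body = resp.read()
    if not is_der_certificate(body):
        raise ValueError("api/csr response is not a DER certificate")
    return body
```

Send the token request first with `urllib.request.urlopen`, read `access_token` from its JSON response, then pass it to `enroll`; the returned bytes can be written straight to a `.cer` file.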
Required for certificate renewal
Configure your SCEPman App Service to accept mTLS client certificates. In the Configuration blade of the Settings section, verify that the Client certificate mode in Incoming client certificates is set to Optional.
Do not set the Client certificate mode to Require or Allow, as that would break normal operation of SCEPman on the SCEP endpoints!
In order to make use of this scenario, you must set the following Environment Variables on the SCEPman app service.
Required for certificate enrollment and renewal
Set this variable to true to enable the validation of certificate signing requests (CSRs).
Required for certificate renewal
Set this variable to true to enable certificate renewals.
Required for certificate renewal
Set this variable to a comma-separated list of the certificate types for which you want to allow renewal. See the linked variable documentation for a list of possible certificate types.
Example: Static,IntuneUser,IntuneDevice