Renewal Script
Last updated
Last updated
SCEPman Enterprise Edition Only
With the help of the scripts in this article, you can utilise an endpoint in the SCEPman REST API to renew SCEPman-issued certificates using mTLS (mutual TLS). This endpoint creates an identical certificate to the one you have elected to renew, however with an expiry date ValidityPeriod days in the future (this will depend on your configuration).
AZ CLI version 2.61 and above
In order to make use of this endpoint, you must set the following Environment Variables on the SCEPman app service.
Further, configure your SCEPman App Service to accept mTLS client certificates. In the Configuration blade of the Settings section, switch the Client certificate mode in Incoming client certificates from Ignore to Optional.
Do not set the Client certificate mode to Require or Allow, as that would break normal operation of SCEPman on the SCEP endpoints!
The scripts can be found here.
These scripts were developed with the aim to facilitate automatic renewal of certificates with devices that lack MDM compatibility (particularly Linux devices). If this script were to be run regularly using Linux's Cron or Anacron utilities, it could allow for the automatic renewal of certificates on Linux devices.
This script does not encrypt the generated keys (this requires passphrase input, so encryption has been omitted to allow for automatic renewal.)
If you are renewing passphrase-protected certificates from Certificate Master, you will need to input this passphrase in order to renew them.
This script will renew the specified certificate using mTLS if it exists.
SCEPman instance URL
Certificate to be renewed (name of PEM encoded certificate file)
Private key of certificate to be renewed (name of PEM encoded key file)
Root certificate (name of PEM encoded certificate file)
Renewal threshold (# of days): certificate will only renew if expiring in this or less many days
The enrollment and renewal script will create a certificate if one of the specified name doesn't exist in the specified directory, and if it does exist, will renew the specified certificate using mTLS.
SCEPman instance URL
API scope of SCEPman-api app registration
Desired name of certificate
Directory where certificate is to be installed
Directory where private key is to be installed
Root certificate (name of PEM encoded certificate file)
Renewal threshold (# of days): certificate will only renew if expiring in this or less many days
The cmdlet Update-CertificateViaEST (contained in the SCEPman powershell module) locates certificates issued by SCEPman in either the user or machine certificate stores and renews them using mTLS. Note that this cmdlet (unlike other parts of the powershell module) can only be used on Windows devices.
This cmdlet has two parameter sets, Direct, which allows you to pass in a certificate directly and renew it, and Search which searches the My store for SCEPman issued certificates and renews them. The parameters included in these sets are detailed below:
-AppServiceUrl
Yes
The URL of your SCEPman app service.
-Certificate
No
Certificate object that is to be renewed
Example command:
-AppServiceUrl
Yes
The URL of your SCEPman app service.
-User or -Machine
No
Specifies whether you would like to renew certificates from the user or machine store. One of these must be specified. (note that to edit the machine store you must run the command as admin).
-FilterString
Yes
Will only renew certificates whose Subject field contains the filter string.
-ValidityThresholdDays
Yes
Will only renew certificates that are within this number of days of expiry (default value is 30).
-AllowInvalid
Yes
If specified, the cmdlet will also renew invalid (expired) certificates.
Example command:
