User Certificate
Last updated
Last updated
SCEPman Enterprise Edition only
This feature requires version 2.4 or above
You can manually generate X.509 user certificates including a private key via the SCEPman Certificate Master Web UI. Those certificates can be used in various certificate-based authentication (CBA) scenarios, for smart cards and email signatures. By default, generated certificates will have the EKU Client Authentication and a Subject Alternative Name (SAN) set to a UPN-type property where the value matches the UPN provided in the UI.
To generate a new User Certificate, navigate to New User Certificate in the SCEPman Certificate Master top menu. Enter a UPN for the certificate and select the required EKUs. Hit Submit and the browser will automatically download the certificate with the private key in PKCS#12/PFX format after the certificate is issued a few seconds later. The PKCS#12 file is encrypted with the password shown on the screen. You can import the PKCS#12 directly to the system where it is needed using the password.
Be aware that once you navigate away from this page, the password will no longer be accessible.
Perform below steps to enroll a smart card certificate to your YubiKey device.
Open the Certificate Master web portal and click on the + icon
Select New User Certificate
Specify the UPN as per your requirements
Set the Key Length to 2048 bits (YubiKey currently does not support 4096-bit keys).
Select PKCS#12 as Download file format
Select Client Authentication and Smart card Logon from the Extended Key Usages\
Before clicking Submit, ensure to take temporary note of the Password as it will be required when importing the certificate to the YubiKey.
Open the YubiKey Manager
Navigate to Applications > PIV and click Configure Certificates\
Select Authentication (Slot 9a) and click Import
Upload the certificate that was previously generated from Certificate Master and provide the Password.
Set a Management key and click OK\