Windows

In this case we are setting up a device certificate

Recommended: Use {{DeviceName}}for the CN RDN to have a meaningful name of the certificate on the device or when searching for the certificate.

Optional: If configured to CN={{DeviceId}} or CN={{AAD_Device_ID}}, SCEPman uses the CN field of the subject name to identify the device and as a seed for the certificate serial number generation. Microsoft Entra ID (Azure AD) and Intune offer two different IDs:

• {{DeviceId}}: This ID is generated and used by Intune. (requires SCEPman 2.0 or higher and AppConfig:IntuneValidation:DeviceDirectory to be set to Intune or AADAndIntune)

• {{AAD_Device_ID}}: This ID is generated and used by Microsoft Entra ID (Azure AD).

In case neither CN={{DeviceId}} nor CN={{AAD_Device_ID}} is used for the CN field (e.g. CN={{DeviceName}}), SCEPman will identify the device based on the Intune Device ID ((URI)Value: IntuneDeviceId://{{DeviceId}}) provided in the subject alternative name (SAN).

Important: The choice of the CN field affects the automatic revocation behavior of certificates issued to your Intune-managed devices.

You can add other RDNs if needed (e.g.: CN={{DeviceId}}, O=Contoso, CN={{WiFiMacAddress}}). Supported variables are listed in the Microsoft docs.

The URI field is recommended by Microsoft for NAC solutions to identify the devices based on their Intune Device ID. The value should be:

IntuneDeviceId://{{DeviceId}}

The URI field is mandatory in case neither CN={{DeviceId}} nor CN={{AAD_Device_ID}} is used in the Subject name format field.

Other SAN values like DNS can be added if needed.

The amount of time remaining before the certificate expires. Default is set at one year.

SCEPman caps the certificate validity to the configured maximum in setting AppConfig:ValidityPeriodDays, but otherwise uses the validity configured in the request.

This setting determines the storage location of the private key for the end-user certificates. Storage in the TPM is more secure than software storage because the TPM provides an additional layer of security to prevent key theft.

Note: There is a bug in some older TPM firmware versions that invalidates some signatures created with a TPM-backed private key. In such cases, the certificate cannot be used for EAP authentication as it is common for Wi-Fi and VPN connections. In addition, this might break your Autopilot onboarding process.

Affected TPM firmware versions include:

• STMicroelectronics: 71.12, 73.4.17568.4452, 71.12.17568.4100, 73.20.17568.6684

• Intel: 11.8.50.3399, 2.0.0.2060

• Infineon: 7.63.3353.0

• IFX: Version 3.19 / Specification 1.2

• IFX version 7.63.3353.0 specification 2.0

If you use TPM with this firmware, either update your firmware to a newer version or select "Software KSP" as a key storage provider.

Update: You can workaround the TPM bug by removing the RSA-PSS signature algorithms -that are causing the issue- from the registry, for more information please check Richard Hicks's article and Microsoft Q&A

Please activate both cryptographic actions.

SCEPman automatically sets the Key usage to Digital signature and Key encipherment and overrides the setting here unless the setting AppConfig:UseRequestedKeyUsages is set to true.

SCEPman supports 2048 bits.

SCEPman supports SHA-2 algorithm.

Please select the Intune profile from #Root Certificate. If you are using an Intermediate CA, you must select the Trusted certificate profile for the Intermediate CA, not the Root CA!

Please choose Client Authentication (1.3.6.1.5.5.7.3.2) under Predefined values. The other fields will be filled out automatically.

This value defines when the device is allowed to renew its certificate (based on the remaining lifetime of an existing certificate). Please read the note under Certificate validity period and select a suitable value that allows the device the renew the certificate over a long period. A value of 20% would allow the device with 1 year valid certificate to start renewal 73 days before expiration.

Example

https://scepman.contoso.com/certsrv/mscep/mscep.dll

In this section we are setting up a user certificate.

You can define RDNs based on your needs. Supported variables are listed in the Microsoft docs. We recommend to include the username (e.g.: janedoe) and email address (e.g.: [email protected]) as baseline setting.

You must add the User principal name as the Subject alternative name. Add '{{UserPrincipalName}}' as Subject Alternative Name of type User principal name (UPN). This ensures that SCEPman can link certificates to user objects in AAD. The setting for 'Subject name format' is freely selectable.

Other SAN values like an Email address can be added if needed.

• (required) User principal name (UPN): {{UserPrincipalName}}

• (required) Email address: {{EmailAddress}}

By deploying a digital signature certificate, you must add the UPN and the email address.

Please choose Secure Email (1.3.6.1.5.5.7.3.4) under Predefined values. The other fields will be filled out automatically.

We recommend setting Renewal Threshold (%) to a value that ensures certificates are renewed at least 6 months before expiration when issuing S/MIME signature certificates. This is because emails signed with expired certificates are shown to have invalid signatures in Outlook, which confuses users. Having a new certificate long before the old one expires ensures that only older emails show this behavior, which users are more unlikely to look at. For example, if your signature certificates are valid for one year, you should set the Renewal Threshold to at least 50 %.