Windows
The following article describes how to deploy a device or/and user certificates for Windows devices. The deployment of the SCEPman Root Certificate is mandatory. Afterward, you can choose between deploying only device, user or even both certificate types.
The basis for deploying SCEP certificates is to trust the public root certificate of SCEPman. Therefore, you have to download the CA Root certificate and deploy it as a Trusted certificate profile via Microsoft Intune:
- Download the CA Certificate from SCEPman portal:
%20(1)%20(1)%20(1)%20(1)%20(1)%20(1)%20(1)%20(1)%20(1)%20(1)%20(1)%20(1)%20(1)%20(1).png?alt=media)
- Create a profile for Windows 10 and later with type Trusted certificate in Microsoft Intune:
- Upload your previously downloaded .cer file.
- Now you can deploy this profile to your devices. Please choose All Users and/or All Devices or a dedicated group for assignment.
Note that you have to use the same group for assigning the Trusted certificate and SCEP profile. Otherwise, the Intune deployment might fail.
- Open the SCEPman portal and copy the URL under Intune MDM
- Create a profile for Windows 10 and later with type SCEP certificate in Microsoft Intune
- Configure the profile as described:
SCEPman uses the CN field of the subject to identify the device and as a seed for the certificate serial number generation. Azure AD and Intune offer two different IDs:
- {{DeviceId}}: This ID is generated and used by Intune (Recommended) (requires SCEPman 2.0 or higher and AppConfig:IntuneValidation:DeviceDirectory to be set to Intune or AADAndIntune)
- {{AAD_Device_ID}}: This ID is generated and used by Azure AD.\
You can add other RDNs if needed (e.g.:
CN={{DeviceId}}, O=Contoso, CN={{WiFiMacAddress}}). Supported variables are listed in the Microsoft docs.The URI field is recommended by Microsoft for NAC solutions to identify the devices based on their Intune Device ID.
Other SAN values like DNS can be added if needed.
The amount of time remaining before the certificate expires. Default is set at one year.
SCEPman caps the certificate validity to the configured maximum in setting AppConfig:ValidityPeriodDays, but otherwise uses the validity configured in the request.
This setting determines the storage location of the private key for the end-user certificates. Storage in the TPM is more secure than software storage because the TPM provides an additional layer of security to prevent key theft.
Note: There is a bug in some older TPM firmware versions that invalidates some signatures created with a TPM-backed private key. In such cases, the certificate cannot be used for EAP authentication as it is common for Wi-Fi and VPN connections. In addition, this might break your Autopilot onboarding process.
Affected TPM firmware versions include:
- STMicroelectronics: 71.12, 73.4.17568.4452, 71.12.17568.4100
- Intel: 11.8.50.3399, 2.0.0.2060
- Infineon: 7.63.3353.0
If you use TPM with this firmware, either update your firmware to a newer version or select "Software KSP" as a key storage provider.
Please activate both cryptographic actions.
SCEPman automatically sets the Key usage to Digital signature and Key encipherment and overrides the setting here unless the setting AppConfig:UseRequestedKeyUsages is set to true.
This value defines when the device is allowed to renew its certificate (based on the remaining lifetime of an existing certificate). Please read the note under Certificate validity period and select a suitable value that allows the device the renew the certificate over a long period. A value of 20% would allow the device with 1 year valid certificate to start renewal 73 days before expiration.
Example
https://scepman.contoso.com/certsrv/mscep/mscep.dll
- Now you can deploy this profile to your devices. Please choose the same group/s for assignment as for the Trusted certificate profile.
You can define RDNs based on your needs. Supported variables are listed in the Microsoft docs. We recommend to include the username (e.g.: janedoe) and email address (e.g.: [email protected]) as baseline setting.
You must add the User principal name as the Subject alternative name. Add '{{UserPrincipalName}}' as Subject Alternative Name of type User principal name (UPN). This ensures that SCEPman can link certificates to user objects in AAD. The setting for 'Subject name format' is freely selectable.
Other SAN values like an Email address can be added if needed.
You may use SCEPman for transnational digital signatures i.e. for S/MIME signing in Microsoft Outlook. If you plan to use the certificates for message signing you need to add the corresponding extended key usages in the Intune profile configuration.
Do not use SCEPman for email-encryption i.e. for S/MIME mail encryption in Microsoft Outlook (without a separate technology for key management). The nature of the SCEP protocol does not include a mechanism to backup or archive private key material. If you would use SCEP for email-encryption you may lose the keys to decrypt the messages later.
- You must set these configuration variables otherwise the requested key usage and extended validity period in the SCEP profile are not honored by SCEPman:
To deploy user certificates used for Digital Signatures please follow the instructions of #User certificates and take care of the following differences and notes:
We recommend setting Renewal Threshold (%) to a value that ensures certificates are renewed at least 6 months before expiration when issuing S/MIME signature certificates. This is because emails signed with expired certificates are shown to have invalid signatures in Outlook, which confuses users. Having a new certificate long before the old one expires ensures that only older emails show this behavior, which users are more unlikely to look at. For example, if your signature certificates are valid for one year, you should set the Renewal Threshold to at least 50 %.
After a successful profile sync, you should see the user certificate for Intended Purposes Secure Email
.png?alt=media)
The certificate will be available for Digital Signature usage in e.g. Outlook. Below is an example of the usage
Once you have deployed S/MIME signature certificates to your client machines, you must configure Outlook to use these certificates before sending signed emails. You can do this manually or use our PowerShell Script to configure Outlook.
You can sign emails with S/MIME in Outlook on the Web using certificates from your local Windows machine. You need to enable this with the following command:
Set-SmimeConfig -OWAAllowUserChoiceOfSigningCertificate $true
See https://learn.microsoft.com/en-us/powershell/module/exchange/set-smimeconfig for more details.
Last modified 10d ago