Windows
This article describes how to deploy device and/or user certificates to Windows devices via Microsoft Intune. Deploying the SCEPman root certificate is mandatory; afterwards you can choose to deploy device certificates, user certificates, or both.

Root Certificate

Devices only accept SCEP-issued certificates if they trust the public root certificate of SCEPman. Therefore, download the CA root certificate and deploy it as a Trusted certificate profile via Microsoft Intune:
  • Download the CA certificate from the SCEPman portal.
  • Create a profile for Windows 10 and later with type Trusted certificate in Microsoft Intune.
  • Upload the previously downloaded .cer file.
  • Deploy this profile to your devices. Assign it to All Users and/or All Devices, or to a dedicated group.
Use the same group for assigning the Trusted certificate profile and the SCEP certificate profile. Otherwise, the Intune deployment might fail.

Device Certificates

  • Open the SCEPman portal and copy the URL shown under Intune MDM.
  • Create a profile for Windows 10 and later with type SCEP certificate in Microsoft Intune.
  • Configure the profile as follows:
Certificate type: Device
Subject name format: CN={{DeviceId}} or CN={{AAD_Device_ID}}
Subject alternative name: URI, value IntuneDeviceId://{{DeviceId}}
Certificate validity period: 1 year
Key storage provider (KSP): Enroll to Trusted Platform Module (TPM) KSP, otherwise fail
Key usage: Digital signature and Key encipherment
Key size (bits): 2048
Hash algorithm: SHA-2
Root Certificate: the Trusted certificate profile created in the previous step
Extended key usage: Client Authentication (1.3.6.1.5.5.7.3.2)
Renewal threshold (%): 20
SCEP Server URLs: the Intune MDM URL copied from the SCEPman portal
The "otherwise fail" KSP option is deliberate: enrollment is refused on devices without a usable TPM instead of silently falling back to a software-protected key.

Example

  • Deploy this profile to your devices. Assign it to the same group(s) as the Trusted certificate profile.

User Certificates

Follow the instructions under Device Certificates, with the following differences:
Certificate type: User
Subject name format: CN={{UserName}},E={{EmailAddress}}
Subject alternative name: User principal name (UPN), value {{UserPrincipalName}}

Example

User Digital Signature Certificate

You may use SCEPman certificates for digital signatures, e.g. for S/MIME signing in Microsoft Outlook. If you plan to use the certificates for message signing, you need to add the corresponding extended key usage to the Intune profile configuration.
Do not use SCEPman certificates for e-mail encryption, e.g. S/MIME encryption in Microsoft Outlook, unless you have a separate technology for key management. The SCEP protocol has no mechanism to back up or archive private key material: the key is generated on the device and exists only there. If you used SCEP-issued certificates for e-mail encryption, a lost, wiped or re-enrolled device would take with it the only key able to decrypt the messages.
You must set the corresponding SCEPman configuration variables; otherwise the key usage and the extended validity period requested in the SCEP profile are not honored by SCEPman.
To deploy user certificates for digital signatures, follow the instructions under User Certificates, with the following differences and notes:
Subject alternative name
Key usage: Digital signature only
Extended key usage: Secure Email (1.3.6.1.5.5.7.3.4)
Renewal threshold (%): 50

Example

After a successful profile sync, the user certificate should appear in the user's certificate store with Intended Purposes listing Secure Email.
The certificate is then available for digital signature in e.g. Outlook. Below is an example of its usage.
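The following PowerShell script is an added example (not SCEPman or Microsoft code) that verifies on an enrolled endpoint that the profiles from the Device Certificates, User Certificates and User Digital Signature Certificate sections landed as configured: the SCEPman root is trusted, the device certificate chains to it, carries the IntuneDeviceId URI SAN and lives in the TPM KSP, the user certificate carries a UPN SAN, and the S/MIME certificate has the Secure Email EKU with Digital signature as its only key usage. It assumes you pass the thumbprint of the root certificate you uploaded in the Trusted certificate profile; the store paths, OIDs and KSP name are standard Windows values, while the check labels are my own.

```powershell
# Added verification script; run in an elevated PowerShell on an enrolled Windows device
# after an Intune sync. The user-certificate checks read Cert:\CurrentUser\My, so run it
# in the enrolled user's session for those.
# Assumption: $RootThumbprint is the SHA-1 thumbprint of the SCEPman root .cer you uploaded.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

param([Parameter(Mandatory)][string]$RootThumbprint)
$ErrorActionPreference = 'Stop'

$OidClientAuth  = '1.3.6.1.5.5.7.3.2'   # EKU from the device/user profiles
$OidSecureEmail = '1.3.6.1.5.5.7.3.4'   # EKU from the S/MIME signing profile
$TpmKsp         = 'Microsoft Platform Crypto Provider'   # what Intune calls the "TPM KSP"

function Get-Ekus([X509Certificate2]$Cert) {
    $ext = $Cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    if ($ext) { @($ext.EnhancedKeyUsages | ForEach-Object Value) } else { @() }
}

function Get-KeyUsage([X509Certificate2]$Cert) {
    $ext = $Cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    if ($ext) { $ext.KeyUsages } else { [X509KeyUsageFlags]::None }
}

function Get-SanText([X509Certificate2]$Cert) {
    # Windows renders the SAN extension (OID 2.5.29.17) as text such as
    # "URL=IntuneDeviceId://..." or "Other Name:Principal Name=user@contoso.com"
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($ext) { $ext.Format($false) } else { '' }
}

function Get-KspName([X509Certificate2]$Cert) {
    # CNG-backed RSA keys (TPM keys included) expose the provider that holds them
    $rsa = [RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [RSACng]) { $rsa.Key.Provider.Provider } else { 'not a CNG key' }
}

function Test-IssuedUnderRoot([X509Certificate2]$Cert, [string]$Thumbprint) {
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck  # chain shape only, not CRL reachability
    [void]$chain.Build($Cert)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    return ($top.Thumbprint -eq $Thumbprint)
}

function Find-Cert([string]$StorePath, [string]$Eku) {
    # Newest certificate in the store that has a private key, the wanted EKU and chains to the SCEPman root
    Get-ChildItem $StorePath | Where-Object {
        $_.HasPrivateKey -and (Get-Ekus $_) -contains $Eku -and (Test-IssuedUnderRoot $_ $RootThumbprint)
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
}

$r = [ordered]@{}

# Trusted certificate profile
$r['SCEPman root in LocalMachine\Root'] = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $RootThumbprint)

# Device certificate profile
$dev = Find-Cert 'Cert:\LocalMachine\My' $OidClientAuth
$r['Device cert issued under SCEPman root'] = [bool]$dev
if ($dev) {
    $r['Device SAN is IntuneDeviceId URI'] = (Get-SanText $dev) -like '*IntuneDeviceId://*'
    $r['Device key in TPM KSP']           = (Get-KspName $dev) -eq $TpmKsp
    $r['Device key usage DS+KE']          = (Get-KeyUsage $dev) -eq ([X509KeyUsageFlags]'DigitalSignature, KeyEncipherment')
}

# User certificate profile (Client Authentication with a UPN SAN)
$usr = Find-Cert 'Cert:\CurrentUser\My' $OidClientAuth
$r['User cert issued under SCEPman root'] = [bool]$usr
if ($usr) {
    $r['User SAN carries UPN'] = (Get-SanText $usr) -like '*Principal Name=*'
}

# S/MIME signing profile: Secure Email EKU and Digital signature ONLY.
# A missing KeyEncipherment bit keeps mail clients from selecting this certificate for
# encryption, which matters because SCEP gives you no key archival.
$sig = Find-Cert 'Cert:\CurrentUser\My' $OidSecureEmail
$r['S/MIME cert issued under SCEPman root'] = [bool]$sig
if ($sig) {
    $r['S/MIME key usage is DigitalSignature only'] = (Get-KeyUsage $sig) -eq [X509KeyUsageFlags]::DigitalSignature
}

$r.GetEnumerator() | ForEach-Object { '{0,-45} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' }) }
```

A FAIL on the key usage lines usually points at the SCEPman configuration variables mentioned above rather than at the Intune profile, since SCEPman only honors the requested key usage when told to. Revocation checking is switched off on purpose so that the script tests the chain the profile built, not whether the device can currently reach the SCEPman CRL endpoint.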