API Enrollment

Use this REST API, which authenticates callers with Microsoft Entra identities, to enroll certificates as an alternative to the SCEP endpoints and their SCEP-style authentication.

Last updated 7 days ago


This feature requires version 2.3.689 or above.

SCEPman Enterprise Edition only

SCEPman features a REST API to enroll certificates. This is an alternative to the SCEP endpoints that require the SCEP-style of authentication, while the REST API uses Microsoft Identities for authentication. The protocol is also much simpler than SCEP.

Prerequisites

1. Service Principal

Step 1: App Registration

Create a new App Registration that describes your use case. Your application will authenticate as this application against SCEPman.

Step 2: API Permission

Assign the required permissions by running the Register-SCEPmanApiClient cmdlet from the SCEPman PowerShell module.

Example:

Register-SCEPmanApiClient -ServicePrincipalId 830532c6-9f7b-4bc8-8f3e-43443344ab2d

ServicePrincipalId: The Object ID of the complementing Enterprise Application of the App Registration created in the previous step. Note that this does not refer to the Enterprise Application usually named SCEPman-api, which identifies SCEPman itself.

To assign this permission manually, navigate to the API Permissions of the App Registration, add a permission from the APIs your organization uses, and assign the CSR.Request.Db permission of SCEPman-api as an application permission.

The service principal also requires the Microsoft Graph permission Application.Read.All, so that SCEPman's API scope can be retrieved automatically for authentication. This is a tenant-wide read permission on all application objects, so grant it deliberately.

Step 3: Client Secret

Create a client secret as the password with which the application authenticates later. Treat it like any other credential: keep it in a secret store rather than in scripts, and plan for its expiry.

2. App Service Settings

Configuration (required for certificate renewal)

Configure your SCEPman App Service to accept mTLS client certificates. In the Configuration blade of the Settings section, verify that the Client certificate mode under Incoming client certificates is set to Optional.

Do not set the Client certificate mode to Require or Allow, as either would break normal operation of SCEPman on the SCEP endpoints!

Environment Variables

To make use of this scenario, you must set the following environment variables (application settings) on the SCEPman App Service.

AppConfig:DbCSRValidation:Enabled (required for certificate enrollment and renewal)

Set this variable to true to enable the validation of certificate signing requests (CSRs).

AppConfig:DbCSRValidation:AllowRenewals (required for certificate renewal)

Set this variable to true to enable certificate renewals.

AppConfig:DbCSRValidation:ReenrollmentAllowedCertificateTypes (required for certificate renewal)

Set this variable to a comma-separated list of the certificate types for which you want to allow renewal. See the documentation of this variable for the list of possible certificate types.

Example: Static,IntuneUser,IntuneDevice

Enrolling certificates

After you have prepared the prerequisites, POST a certificate signing request (PKCS#10/CMS) to your SCEPman instance at the HTTP path api/csr, authenticating as the service principal from the prerequisites. The HTTP response body is the freshly issued certificate in DER encoding.

SCEPman stores all issued certificates automatically in its Storage Account, so you can conveniently list and revoke them via the Certificate Master component.

A convenient method to send those requests is our SCEPmanClient PowerShell module.

Other Examples

See our Open Source Sample Library on GitHub to find out how to use SCEPman's REST API.
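The enrollment request described above, carried out with curl and openssl from a Linux shell, as an added example that is not part of this page or of SCEPman's own tooling (SCEPmanClient). The environment variable names (TENANT_ID, CLIENT_ID, CLIENT_SECRET, SCEPMAN_API_APP_ID, SCEPMAN_URL), the API scope api://<SCEPman-api app ID>/.default, the request content type application/pkcs10 and the way the renew function authenticates are assumptions made for this example; the page states only that a PKCS#10/CMS CSR is POSTed to api/csr under the service principal's identity, that the response is the DER certificate, and that renewal requires the App Service to accept client certificates.

```shell
#!/usr/bin/env bash
# Added example (not SCEPman's tooling): enroll and renew a certificate through
# the SCEPman Enrollment REST API with curl and openssl.
# Assumed environment (set these for your tenant and instance):
#   TENANT_ID, CLIENT_ID, CLIENT_SECRET  the App Registration from prerequisite 1
#   SCEPMAN_API_APP_ID                   Application (client) ID of SCEPman-api
#   SCEPMAN_URL                          e.g. https://scepman-demo.azurewebsites.net
set -eu

# Generate a private key and a PKCS#10 CSR in DER form. The key never leaves this
# host; only the CSR is sent to SCEPman.
make_csr() {  # make_csr <common-name> <key-out.pem> <csr-out.der>
  openssl req -new -newkey rsa:2048 -nodes -keyout "$2" \
      -subj "/CN=$1" -outform DER -out "$3" 2>/dev/null
}

# Check the CSR's self-signature and print its subject. Returns non-zero for a
# malformed CSR, so a broken request is caught locally before it is posted.
csr_subject() {  # csr_subject <csr.der>
  openssl req -inform DER -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -inform DER -in "$1" -noout -subject | sed 's/^subject=//'
}

# Client-credentials token for the SCEPman API. Assumption: the scope is
# "api://<SCEPman-api app ID>/.default" (SCEPmanClient resolves this through
# Graph with Application.Read.All; here it is supplied explicitly).
get_token() {
  curl -fsS "https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token" \
      --data-urlencode "grant_type=client_credentials" \
      --data-urlencode "client_id=${CLIENT_ID}" \
      --data-urlencode "client_secret=${CLIENT_SECRET}" \
      --data-urlencode "scope=api://${SCEPMAN_API_APP_ID}/.default" \
      | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

# POST the DER CSR to api/csr; the response body is the issued certificate (DER).
# Assumption: request content type application/pkcs10 (the page does not name one).
enroll() {  # enroll <csr.der> <cert-out.der>
  local token
  token="$(get_token)"
  [ -n "$token" ] || { echo "token request failed" >&2; return 1; }
  curl -fsS -X POST "${SCEPMAN_URL%/}/api/csr" \
      -H "Authorization: Bearer ${token}" \
      -H "Content-Type: application/pkcs10" \
      --data-binary "@$1" -o "$2"
  openssl x509 -inform DER -in "$2" -noout -subject -issuer -enddate
}

# Renewal needs the App Service in client certificate mode Optional and
# AppConfig:DbCSRValidation:AllowRenewals=true. Assumption: the renewal request
# authenticates by presenting the existing certificate as TLS client certificate.
renew() {  # renew <new-csr.der> <old-cert.der> <old-key.pem> <cert-out.der>
  local pem
  pem="$(mktemp)"
  openssl x509 -inform DER -in "$2" -out "$pem"
  curl -fsS -X POST "${SCEPMAN_URL%/}/api/csr" \
      --cert "$pem" --key "$3" \
      -H "Content-Type: application/pkcs10" \
      --data-binary "@$1" -o "$4"
  rm -f "$pem"
}

if [ "${1:-}" = "run" ]; then
  make_csr "api-client.example.com" client.key client.csr
  echo "CSR subject: $(csr_subject client.csr)"
  enroll client.csr client.cer
fi
```

Run it as `./enroll.sh run` after exporting the five variables. The local self-signature check in csr_subject means a corrupt CSR is refused on the client instead of producing an opaque HTTP error, and the issued certificate shows up in Certificate Master because SCEPman stores it in its Storage Account.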