SCEPmanClient
Last updated
Was this helpful?
Last updated
Was this helpful?
SCEPmanClient is a PowerShell module intended to interact with SCEPmans REST API. Being platform independent and compatible with Windows PowerShell v5, you can use this module to request certificates for all use cases the REST API can be used for:
Automatic issuance of server certificates
Client certificates for unmanaged devices
Enrollment of certificates to Linux devices
The SCEPmanClient module is available from the PowerShell Gallery and can be installed using the following command:
For the module to be functioning as expected you will need to add a small modification to your SCEPman deployment:
Add SCEPman's App Service URL: Navigate to the Branding & Properties
section of the app registration. Add SCEPman's App Service URL to the Home page URL field:
This is required for the module to be able to automatically look up the App Registrations client id that is needed for access token retrieval.
In the App Registration, navigate to Expose an API and create a custom scope that can be used to authorize the client Id 1950a258-227b-4e31-a9cf-717495945fc2
(Microsoft Azure PowerShell)
After creating an API scope, the Azure PowerShell application can be authorized:
SCEPman has different roles that will allow different kinds of certificates to be enrolled. You can assign those in the SCEPman-api (default name) Enterprise Application:
This role is only assignable to service principals (App Registrations for example) by default and allows to request certificates with arbitrary subjects and usages.
This role can be assigned to users and will allow certificates to be enrolled with the following restrictions:
Only ClientAuth EKU
User certificates need to match the users UPN in either the subject or UPN subject alternative name
Device certificates need to have a subject or SAN that SCEPman can map to a device object owned by the authenticated user
When requesting a new certificate without specifying the authentication mechanism, the user will be authenticated interactively by default. By using the -SubjectFromUserContext
parameter, the certificate's subject and UPN SAN will be automatically populated based on the logged-in user's context:
If you want to request a new certificate on a system without any desktop environment you can use the -DeviceCode
parameter to perform the actual authentication on another session:
In fully automated scenarios an App Registration can be used for authentication. Inferring the subject from the authenticated context will not be possible in this case.
Parameter splatting will also make the execution more readable:
Once a certificate has been issued using an authenticated context we can use it to renew it without providing any context again.
Interacting with keystores is only possible on Windows
When providing the CertificateBySubject
parameter, the module will automatically try find a suitable certificate for renewal in the CurrentUser and LocalMachine keystores.
The entered value will be regex matched against the subjects in all available certificates.
On Linux system a certificate renewal can be performed by passing the paths of the existing certificate and its private key.
When using an encrypted private key you will asked for the password. You can also directly pass the keys password using the PlainTextPassword
parameter.
With SSL Profiles enabled, the WAF will terminate the TLS connections. This will in turn break certificate renewals using EST as the procedure relies on mTLS for authentication. In this case the UseSCEPRenewal
parameter can be used to instead perform a certificate renewal complying with the SCEP protocol.
Please note that this requires additional SCEPman configuration regarding the static SCEP endpoint:
AppConfig:StaticValidation:Enabled : true
AppConfig:StaticValidation:AllowRenewals : true
AppConfig:StaticValidation:ReenrollmentAllowedCertificateTypes: Static (Depending on the types intended for renewal)
Required for certificate renewal
Configure your SCEPman App Service to accept mTLS client certificates. In the Configuration blade of the Settings section, verify that the Client certificate mode in Incoming client certificates is set to Optional.
Do not set the Client certificate mode to Require or Allow, as that would break normal operation of SCEPman on the SCEP endpoints!
In order to make use of this scenario, you must set the following Environment Variables on the SCEPman app service.
Required for certificate enrollment and renewal
Set this variable to true to enable the validation of certificate signing requests (CSRs).
Required for certificate renewal
Set this variable to true to enable certificate renewals.
Required for certificate renewal
Set this variable to a comma separated list of certificate types that you want to allow the renewal. See the linked variable documentation for a list of possible certificate types.
Example: Static,IntuneUser,IntuneDevice