# Self Service Enrollment

{% hint style="info" %}
Applicable to SCEPman version 2.9 and above
{% endhint %}

For clients to enroll certificates for themselves without SCEP, they can use the SCEPman REST API. However, they should not be able to enroll any arbitrary certificate, only certificates that are tied to their own identity. Therefore, the SCEPman API has a role that can be assigned to users/groups to enable this.

## Prerequisites

* This role is included from SCEPman 2.9 onwards. If you installed SCEPman prior to this, you need to run the [installation script](https://docs.scepman.com/scepman-deployment/permissions/post-installation-config#running-the-scepman-installation-cmdlet) again for this role to appear.

## Assigning Self Service Permissions

You can check that the Self Service role exists in the SCEPman-api App Registration:

<figure><img src="https://2535731700-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LoGejQeUQcw7lqnQ3WX%2Fuploads%2FNKRfCaiolQQRMoVZ4KIu%2Fimage.png?alt=media&#x26;token=0237fecc-2935-47a5-8e06-39cb7ca2b772" alt=""><figcaption></figcaption></figure>

You can create role assignments for users and groups in the SCEPman-api Enterprise Application.

<figure><img src="https://2535731700-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LoGejQeUQcw7lqnQ3WX%2Fuploads%2FsTrrI2sHpugkm3U5fx6v%2Fimage.png?alt=media&#x26;token=23f31d76-bc00-418d-92c9-77274dddc286" alt=""><figcaption></figcaption></figure>

## Certificate Enrollment Requests

A user with the Self Service role can only enroll certificates with the attributes listed below. (These are the same attributes you would select when enrolling certificates via a SCEP profile in [Intune](https://docs.scepman.com/certificate-management/microsoft-intune), for instance.) The certificate's validity is tied to the device object in Intune or Entra ID, or to the user object in Entra ID, analogously to Intune-enrolled certificates.

{% hint style="info" %}
If you are using the pre-supplied enrollment script from our [Section Use Cases](https://docs.scepman.com/use-cases), it will automatically generate a request according to these requirements.
{% endhint %}

### Device Certificates

Either the Subject Alternative Name (SAN) must include `IntuneDeviceID://<IntuneDeviceId>` as a URI, where `<IntuneDeviceId>` is the Device Id of the device in Intune (without the curly braces), or the CN field of the Subject must be the Entra ID device ID or the Intune Device Id.

<table><thead><tr><th width="223">Field</th><th>Value</th></tr></thead><tbody><tr><td>Subject</td><td><code>CN=&#x3C;AAD_Device_Id></code> or <code>CN=&#x3C;DeviceId></code>, where the device is one owned by the user.</td></tr><tr><td>SAN (URI)</td><td><code>IntuneDeviceId://&#x3C;IntuneDeviceId></code></td></tr><tr><td>Basic Constraints</td><td><code>Subject Type=End Entity</code></td></tr><tr><td>EKUs</td><td><code>Client Authentication, 1.3.6.1.5.5.7.3.2</code></td></tr></tbody></table>

### User Certificates

<table><thead><tr><th width="221">Field</th><th>Value</th></tr></thead><tbody><tr><td>Subject</td><td><code>CN=&#x3C;DisplayName></code></td></tr><tr><td>SAN (Other Name/UPN)</td><td><code>&#x3C;UserPrincipalName></code></td></tr><tr><td>Basic Constraints</td><td><code>Subject Type=End Entity</code></td></tr><tr><td>EKUs</td><td><code>Client Authentication, 1.3.6.1.5.5.7.3.2</code></td></tr></tbody></table>
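The following is an added example, not SCEPman's own code or its pre-supplied enrollment script. It builds a CSR matching each of the two tables above (device certificate: CN plus `IntuneDeviceId://` SAN URI; user certificate: CN plus UPN OtherName) with the `cryptography` library, and then runs a client-side pre-flight check that flags a request which does not match the identity the user is allowed to enroll for. The device check follows the "either the SAN URI or the CN" wording above. The check logic is an assumption about what a careful client would verify before calling the REST API, not SCEPman's server-side validation; the device IDs, display name and UPN are constructed sample values, and the UPN OtherName uses the Microsoft UPN OID `1.3.6.1.4.1.311.20.2.3`.

```python
"""Build and pre-check self-service enrollment CSRs (added example, not SCEPman code)."""
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID, ObjectIdentifier

UPN_OID = ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")  # Microsoft UPN OtherName OID
URI_SCHEME = "IntuneDeviceId://"                      # scheme as written in the device table

# Constructed sample identities; not real tenant data
SAMPLE_INTUNE_DEVICE_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_ENTRA_DEVICE_ID = "66666666-7777-8888-9999-aaaaaaaaaaaa"
SAMPLE_DISPLAY_NAME = "Jane Doe"
SAMPLE_UPN = "jane.doe@contoso.example"


def new_key():
    """Fresh RSA key for the request (a real client would use a non-exportable key)."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def _der_utf8string(text: str) -> bytes:
    """Minimal DER encoding of a UTF8String (tag 0x0C); the UPN OtherName value must be DER."""
    body = text.encode("utf-8")
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return b"\x0c" + length + body


def _finish(builder, key):
    """Basic Constraints = End Entity and EKU = Client Authentication, then sign."""
    builder = builder.add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
    builder = builder.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
    return builder.sign(key, hashes.SHA256())


def build_device_csr(key, cn_device_id: str, intune_device_id: str):
    """Device table: CN=<AAD_Device_Id or DeviceId>, SAN URI IntuneDeviceId://<IntuneDeviceId>."""
    builder = x509.CertificateSigningRequestBuilder().subject_name(
        x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn_device_id)]))
    builder = builder.add_extension(
        x509.SubjectAlternativeName([x509.UniformResourceIdentifier(URI_SCHEME + intune_device_id)]),
        critical=False)
    return _finish(builder, key)


def build_user_csr(key, display_name: str, upn: str):
    """User table: CN=<DisplayName>, SAN OtherName (UPN OID) = <UserPrincipalName>."""
    builder = x509.CertificateSigningRequestBuilder().subject_name(
        x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, display_name)]))
    builder = builder.add_extension(
        x509.SubjectAlternativeName([x509.OtherName(UPN_OID, _der_utf8string(upn))]), critical=False)
    return _finish(builder, key)


def _check_common(csr):
    """Checks shared by both tables; returns a list of problems (empty means fine)."""
    problems = []
    if not csr.is_signature_valid:
        problems.append("CSR signature does not verify")
    try:
        if csr.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            problems.append("Basic Constraints must be Subject Type=End Entity")
    except x509.ExtensionNotFound:
        problems.append("Basic Constraints extension missing")
    try:
        ekus = set(csr.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
        if ekus != {ExtendedKeyUsageOID.CLIENT_AUTH}:
            problems.append("EKU must be exactly Client Authentication (1.3.6.1.5.5.7.3.2)")
    except x509.ExtensionNotFound:
        problems.append("EKU extension missing")
    return problems


def _cn(csr):
    attrs = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    return attrs[0].value if attrs else None


def _san(csr):
    try:
        return csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return x509.SubjectAlternativeName([])


def check_device_csr(csr, owned_device_ids, owned_intune_ids):
    """Either the SAN URI names an Intune device the user owns, or the CN is one of their device IDs."""
    problems = _check_common(csr)
    uris = _san(csr).get_values_for_type(x509.UniformResourceIdentifier)
    uri_ok = any(u.startswith(URI_SCHEME) and u[len(URI_SCHEME):] in owned_intune_ids for u in uris)
    if not uri_ok and _cn(csr) not in owned_device_ids:
        problems.append("neither SAN URI nor CN identifies a device owned by the requesting user")
    return problems


def check_user_csr(csr, display_name, upn):
    """CN must be the user's display name and the SAN OtherName must carry exactly their UPN."""
    problems = _check_common(csr)
    if _cn(csr) != display_name:
        problems.append("CN must equal the user's DisplayName")
    others = _san(csr).get_values_for_type(x509.OtherName)
    if not any(o.type_id == UPN_OID and o.value == _der_utf8string(upn) for o in others):
        problems.append("SAN must carry the requesting user's UPN as OtherName")
    return problems


def demo():
    """Builds one CSR per table and returns the pre-flight results for a matching and a mismatching identity."""
    key = new_key()
    dev = build_device_csr(key, SAMPLE_ENTRA_DEVICE_ID, SAMPLE_INTUNE_DEVICE_ID)
    usr = build_user_csr(key, SAMPLE_DISPLAY_NAME, SAMPLE_UPN)
    return {
        "device_ok": check_device_csr(dev, {SAMPLE_ENTRA_DEVICE_ID}, {SAMPLE_INTUNE_DEVICE_ID}),
        "device_foreign": check_device_csr(dev, {"other-device"}, {"other-intune"}),
        "user_ok": check_user_csr(usr, SAMPLE_DISPLAY_NAME, SAMPLE_UPN),
        "user_foreign": check_user_csr(usr, SAMPLE_DISPLAY_NAME, "someone.else@contoso.example"),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "ok")
```

The pre-flight is worth running before the request leaves the client: a CSR whose SAN or CN points at a device or user other than the caller's is exactly what the Self Service role is meant to refuse, and catching it locally gives a clearer error than the API's rejection.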
