
Self Service Enrollment

Last updated 3 months ago


Applicable to SCEPman version 2.9 and above

For clients to enroll certificates for themselves without SCEP, they can use the SCEPman REST API. However, they should not be able to enroll any arbitrary certificate, only certificates that are tied to their own identity. Therefore, the SCEPman API has a role that can be assigned to users/groups to enable this.

Prerequisites

  • This role is included from SCEPman 2.9 onwards. If you installed SCEPman prior to this, you need to run the installation script again for this role to appear.

Assigning Self Service Permissions

You can check that the Self Service role exists in the SCEPman-api App Registration.

You can create role assignments for users and groups in the SCEPman-api Enterprise Application.

Certificate Enrollment Requests

Device Certificates

Either the Subject Alternative Name (SAN) must include IntuneDeviceID://<IntuneDeviceId> as a URI, where <IntuneDeviceId> is the Device Id of the device in Intune without the curly braces, or the CN field of the Subject must be the Entra ID device ID or the Intune Device Id.

| Field | Value |
| --- | --- |
| Subject | `CN=<AAD_Device_Id>` or `CN=<DeviceId>`, where the device is one owned by the user. |
| SAN (URI) | `IntuneDeviceId://<IntuneDeviceId>` |
| Basic Constraints | Subject Type=End Entity |
| EKUs | Client Authentication, 1.3.6.1.5.5.7.3.2 |

User Certificates

| Field | Value |
| --- | --- |
| Subject | `CN=<DisplayName>` |
| SAN (Other Name/UPN) | `<UserPrincipalName>` |
| Basic Constraints | Subject Type=End Entity |
| EKUs | Client Authentication, 1.3.6.1.5.5.7.3.2 |

A user with the self-service role can only enroll certificates with the attributes listed above. (These are the same attributes you would select when enrolling certificates via a SCEP profile in Intune, for instance.) The certificate's validity is tied to the device object in Intune or Entra ID, or to the user object in Entra ID, analogously to Intune-enrolled certificates.

If you are using the pre-supplied enrollment script from our Use Cases section, it will automatically generate a request that meets these requirements.
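As an added example (not SCEPman's own enrollment script), the bash script below uses openssl to build CSRs matching the device and user tables above and checks a device CSR against the listed requirements before it would be submitted to the Enrollment REST API; the device id and UPN are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example, not SCEPman's enrollment script: build a CSR that matches the
# self-service device or user rules, then verify it locally before submitting it
# to the Enrollment REST API. The id and UPN below are constructed placeholders.
set -eu

DEVICE_ID="11111111-2222-3333-4444-555555555555"   # constructed Intune Device Id
USER_UPN="jane.doe@contoso.example"                # constructed UserPrincipalName

# make_csr <cn> <san> <key_out> <csr_out>: end-entity Basic Constraints plus the
# Client Authentication EKU; <san> is "URI:IntuneDeviceId://<id>" for a device or
# an otherName UPN (OID 1.3.6.1.4.1.311.20.2.3) for a user.
make_csr() {
  cn="$1"; san="$2"; key="$3"; csr="$4"
  cfg="$(mktemp)"
  cat >"$cfg" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = ext
[ dn ]
CN = ${cn}
[ ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
subjectAltName = ${san}
EOF
  openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" -config "$cfg" 2>/dev/null
  rm -f "$cfg"
}

# check_device_csr <csr> <intune_device_id>: returns 0 only if every device rule holds.
check_device_csr() {
  csr="$1"; id="$2"
  text="$(openssl req -in "$csr" -noout -text)"
  printf '%s\n' "$text" | grep -q "Subject:.*CN *= *${id}"      || return 1  # CN = device id
  printf '%s\n' "$text" | grep -q "URI:IntuneDeviceId://${id}"    || return 1  # SAN URI
  printf '%s\n' "$text" | grep -q "CA:FALSE"                      || return 1  # end entity
  printf '%s\n' "$text" | grep -q "TLS Web Client Authentication" || return 1  # EKU clientAuth
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1           || return 1  # key possession
}

main() {
  d="$(mktemp -d)"
  make_csr "$DEVICE_ID" "URI:IntuneDeviceId://${DEVICE_ID}" "$d/device.key" "$d/device.csr"
  make_csr "Jane Doe" "otherName:1.3.6.1.4.1.311.20.2.3;UTF8:${USER_UPN}" "$d/user.key" "$d/user.csr"
  check_device_csr "$d/device.csr" "$DEVICE_ID" && echo "device CSR OK: $d/device.csr"
}
main
```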
