Unmanaged Linux Client

This method can be used to enroll certificates for users and devices that are unmanaged or managed by an MDM other than Intune.

Prerequisites

1. Self Service Enrollment

2. App Service Settings

This scenario will enroll certificates of the type IntuneUser.

Powershell Module SCEPmanClient

Initial Requests

You can use the SCEPmanClient PowerShell module to request certificates on your Linux device:

New-SCEPmanCertificate -Url 'scepman.contoso.com' -SubjectFromUserContext -SaveToFolder '~/certs/'

The user will then need to interactively login in a browser session and a certificate for their logged in account will be created.

Certificate Renewal

You can also use the PowerShell module to renew already existing certificates. This will also spare the requirement to use a service principal for authentication:

$Parameters = @{
    'CertificateFromFile' = '~/certs/john.doe@contoso.com.pem'
    'KeyFromFile'         = '~/certs/john.doe@contoso.com.key'
    'SaveToFolder'        = '~/certs/'
}

New-SCEPmanCertificate @Parameters

Enrollment and Renewal Script

Client Prerequisites

Example:

./enrollrenewcertificate.sh -u https://scepman.contoso.net/ api://b7d17d51-8b6d-45eb-b42b-3dae638cd5bc/Cert.Enroll ~/certs/ "myCertificate" "myKey" 30

1. Command

Defines the behavior of the script

Can be any of:

-u for user certificate with auto-detection whether it is an initial enrollment or renewal

-d for device certificate with auto-detection whether it is an initial enrollment or renewal

-r for renewal

-w for initial enrollment of a user

-x for initial enrollment of a device

2. App Service URL

The URL of the SCEPman app service.

Example: "https://scepman.contoso.net/"

3. API_SCOPE

This is the API scope you can create in the SCEPman-api app registration in your environment.

The user will be presented with your desired consent dialog and can afterwards user the self service functionality.

Example: "api://b7d17d51-8b6d-45eb-b42b-3dae638cd5bc/Cert.Enroll"

4. Certificate Directory

The directory the certificate will be created or tried to be renewed.

Example: ~/certs/

5. Certificate Filename

The filename (without extension) of the certificate that will be created or read for renewal.

Example: "myCertificate"

6. Private Key Filename

The filename of the private key that will be created or read for renewal.

Example: "myKey"

7. Renewal Threshold

The amount of days the certificate will need to expire in for the script to begin the renewal process.

Example: 30

Considerations

• This script does not encrypt the generated keys (this requires passphrase input, so encryption has been omitted to allow for automatic renewal.)

• If you are renewing passphrase-protected certificates from Certificate Master, you will need to input this passphrase in order to renew them.

Set up automatic renewal

When the above bash script is run and detects that a certificate has already been enrolled, it will renew the certificate (if it is close to expiry) using mTLS. If the script is run regularly, this will ensure the certificate is renewed when it gets close to expiry. You can set up a cronjob to achieve this. The below command is an example of how this could be done. It will set up a cronjob to run the command daily (if the system is powered on) and a cronjob to run the command on reboot.

(crontab -l ; echo @daily /path/to/enrollrenewcertificate.sh -u https://scepman.contoso.net/ api://b7d17d51-8b6d-45eb-b42b-3dae638cd5bc/Cert.Enroll /home/user/certs/ "myCertificate" "myKeyName" 30 ; echo @reboot /path/to/enrollrenewcertificate.sh -u https://scepman.contoso.net/ api://b7d17d51-8b6d-45eb-b42b-3dae638cd5bc/Cert.Enroll /home/user/certs/ "myCertificate" "myKeyName" 30 ) | crontab -

Since commands run by Cron will not necessarily be run from the directory that the script/certificates are in, it is important to provide the absolute paths to the script/certificates.