Unmanaged Linux Client
SCEPman Enterprise Edition only
This method can be used to enroll certificates for users and devices that are unmanaged or managed by an MDM other than Intune.
Prerequisites
1. Self Service Enrollment
To enroll certificates, users must be authenticated to verify their eligibility. Follow this guide for step-by-step instructions on how to set this up: Self Service Enrollment
2. App Service Settings
Configuration
Required for certificate renewal
Configure your SCEPman App Service to accept mTLS client certificates. In the Configuration blade of the Settings section, verify that the Client certificate mode in Incoming client certificates is set to Optional.

Do not set the Client certificate mode to Require or Allow, as that would break normal operation of SCEPman on the SCEP endpoints!
Environment Variables
In order to make use of this scenario, you must set the following Environment Variables on the SCEPman app service.
Required for certificate enrollment and renewal
Set this variable to true to enable the validation of certificate signing requests (CSRs).
Required for certificate renewal
Set this variable to true to enable certificate renewals.
Required for certificate renewal
Set this variable to a comma-separated list of the certificate types for which you want to allow renewal. See the linked variable documentation for a list of possible certificate types.
Example: Static,IntuneUser,IntuneDevice
This scenario will enroll certificates of the type IntuneUser.
PowerShell Module SCEPmanClient
Initial Requests
You can use the SCEPmanClient PowerShell module to request certificates on your Linux device:
New-SCEPmanCertificate -Url 'scepman.contoso.com' -SubjectFromUserContext -SaveToFolder '~/certs/'
The user will then need to log in interactively in a browser session, and a certificate for their logged-in account will be created.
Certificate Renewal
You can also use the PowerShell module to renew already existing certificates. This also removes the requirement to use a service principal for authentication:
$Parameters = @{
'CertificateFromFile' = '~/certs/[email protected]'
'KeyFromFile' = '~/certs/[email protected]'
'SaveToFolder' = '~/certs/'
}
New-SCEPmanCertificate @Parameters
Enrollment and Renewal Script
If the PowerShell module is not an option for you, the enrollrenewcertificate.sh script can be used to obtain an initial certificate, and subsequently to check an existing certificate and attempt a renewal when it is about to expire.
Client Prerequisites
The following prerequisites must be present on the executing client/host to be able to use the Enrollment REST API.
Azure CLI (version 2.61 and above)
The Azure CLI is used to authenticate the enrolling user to check their eligibility and to retrieve the access token.
cURL
Used to send the created CSR to the SCEPman Enrollment API endpoint and to receive the certificate.
OpenSSL
OpenSSL is used to generate a private key and create a CSR for enrolling or renewing a certificate.
Example:
./enrollrenewcertificate.sh -u https://scepman.contoso.net/ api://b7d17d51-8b6d-45eb-b42b-3dae638cd5bc/Cert.Enroll ~/certs/ "myCertificate" "myKey" 30
1. Command
Defines the behavior of the script
Can be any of:
-u for user certificate with auto-detection whether it is an initial enrollment or renewal
-d for device certificate with auto-detection whether it is an initial enrollment or renewal
-r for renewal
-w for initial enrollment of a user
-x for initial enrollment of a device
If you are enrolling or renewing a device certificate, the script by default attempts to read the DeviceId from ~/.config/intune/registration.toml, and the authenticated user must match the owner of the object in the configured DeviceDirectory.
2. App Service URL
The URL of the SCEPman app service.
Example: "https://scepman.contoso.net/"
3. API_SCOPE
This is the API scope you can create in the SCEPman-api app registration in your environment.
The user will be presented with your desired consent dialog and can afterwards use the self service functionality.
Example: "api://b7d17d51-8b6d-45eb-b42b-3dae638cd5bc/Cert.Enroll"

4. Certificate Directory
The directory in which the certificate will be created, or from which an existing certificate will be read for renewal.
Example: ~/certs/
5. Certificate Filename
The filename (without extension) of the certificate that will be created or read for renewal.
Example: "myCertificate"
6. Private Key Filename
The filename of the private key that will be created or read for renewal.
Example: "myKey"
7. Renewal Threshold
The number of days before expiry at which the script begins the renewal process.
Example: 30
Considerations
This script does not encrypt the generated keys (encryption would require passphrase input, so it has been omitted to allow for automatic renewal).
If you are renewing passphrase-protected certificates from Certificate Master, you will need to input this passphrase in order to renew them.
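As an added example (not the SCEPman project's enrollrenewcertificate.sh), the following shell functions show the enroll-versus-renew decision the script's auto-detection and renewal threshold describe, together with the unencrypted key and CSR generation the Considerations section refers to. The .pem file extension, the API scope value and all paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the SCEPman project. Assumes certificate and key
# are stored as <cert_dir>/<name>.pem (extension is an assumption).
set -eu

# Print "enroll" when no certificate/key pair exists yet, "renew" when the
# certificate expires within THRESHOLD_DAYS, and "ok" otherwise.
decide_action() {
  cert_dir="$1"; cert_name="$2"; key_name="$3"; threshold_days="$4"
  cert="$cert_dir/$cert_name.pem"
  key="$cert_dir/$key_name.pem"
  if [ ! -f "$cert" ] || [ ! -f "$key" ]; then
    echo enroll
    return 0
  fi
  # openssl x509 -checkend N exits non-zero if the cert expires within N seconds
  if openssl x509 -in "$cert" -noout -checkend $(( threshold_days * 86400 )) >/dev/null 2>&1; then
    echo ok
  else
    echo renew
  fi
}

# Generate an RSA key without a passphrase (so cron can run unattended, as the
# Considerations section explains) and a CSR for SUBJECT, e.g. "/CN=user@contoso.com".
make_key_and_csr() {
  key="$1"; csr="$2"; subject="$3"
  openssl req -new -newkey rsa:2048 -nodes -subj "$subject" \
    -keyout "$key" -out "$csr" >/dev/null 2>&1
  chmod 600 "$key"   # the key is plaintext on disk, so restrict it to the owner
}

# Obtain the bearer token for the Enrollment API through the Azure CLI.
# API_SCOPE is the scope from the SCEPman-api app registration (placeholder here).
get_enroll_token() {
  api_scope="$1"   # e.g. api://<app-id>/Cert.Enroll
  az account get-access-token --scope "$api_scope" --query accessToken -o tsv
}

# Usage: ./check.sh <cert_dir> <cert_name> <key_name> <threshold_days>
if [ "$#" -eq 4 ]; then
  decide_action "$1" "$2" "$3" "$4"
fi
```

The "renew" branch is where the script would present the existing certificate and key as the mTLS client credential, and the "enroll" branch is where it would use the token from get_enroll_token instead.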
Set up automatic renewal
When the above bash script is run and detects that a certificate has already been enrolled, it will renew the certificate (if it is close to expiry) using mTLS. If the script is run regularly, this ensures the certificate is renewed when it gets close to expiry. You can set up a cron job to achieve this. The command below is an example of how this could be done: it sets up a cron job to run the command daily (if the system is powered on) and another to run the command on reboot.
(crontab -l ; echo @daily /path/to/enrollrenewcertificate.sh -u https://scepman.contoso.net/ api://b7d17d51-8b6d-45eb-b42b-3dae638cd5bc/Cert.Enroll /home/user/certs/ "myCertificate" "myKeyName" 30 ; echo @reboot /path/to/enrollrenewcertificate.sh -u https://scepman.contoso.net/ api://b7d17d51-8b6d-45eb-b42b-3dae638cd5bc/Cert.Enroll /home/user/certs/ "myCertificate" "myKeyName" 30 ) | crontab -
Since commands run by Cron will not necessarily be run from the directory that the script/certificates are in, it is important to provide the absolute paths to the script/certificates.