
Certificate Signing Request (CSR)


SCEPman Enterprise Edition only

You can submit a Certificate Signing Request (CSR) in PKCS#10 or CMS format via the SCEPman Certificate Master Web UI. Certificate Master is enabled for all new installations of SCEPman 2.0 or newer. If you upgrade from SCEPman 1.x, you must complete the post-installation configuration before you can use Certificate Master. For both fresh installations and upgrades, before you can access SCEPman Certificate Master, you need to assign the permissions to the AAD account used for certificate submission.

Many appliances, web services, and tools offer the option to generate a key pair and a Certificate Signing Request (CSR). The CSR is similar to an X.509 certificate, but lacks the signature of a CA. It does contain a Subject and may contain X.509 extensions like Key Usages, Extended Key Usages, or Basic Constraints. A CA may modify or add any of these properties when issuing a certificate based on a CSR. As an alternative to the CSR, you may generate a certificate including the private key with Certificate Master as well.

When submitting a CSR via SCEPman Certificate Master, the Subject is carried over as is to the certificate. The following extensions are carried over:

  • Subject Alternative Names (SANs)

  • Key Usage

  • Extended Key Usage

SCEPman discards any other extensions from the CSR. Some extensions are added to every certificate, such as Basic Constraints (denoting that it is a leaf certificate), Authority Information Access (AIA), Authority Key Identifier, and Subject Key Identifier.

If you have a CSR at hand, navigate to Submit CSR in the SCEPman Certificate Master top menu. You can copy and paste the CSR in PEM format (i.e. text) into the text box, or drag and drop the CSR file in binary or PEM format into the grey area at the bottom. You may also use the Browse link to select a CSR file in binary or PEM format. When using the text box, you have to hit the Submit button afterward to issue the certificate, while uploading a CSR file immediately issues the certificate. Your browser will download the certificate in DER-encoded format.
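The following is an added example, not part of the SCEPman documentation or product: it builds a PKCS#10 CSR with `openssl`, checks its self-signature, and previews which requested extensions Certificate Master carries over according to the rules above. The subject, SAN values, file names, and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not SCEPman code): create a CSR with openssl and preview
# which requested extensions Certificate Master carries over.

# make_csr DIR: write key.pem and request.csr (PKCS#10, PEM) into DIR.
# Subject and SAN values are constructed sample data.
make_csr() {
    cat > "$1/csr.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = appliance01.example.test
O = Example Corp
[ext]
subjectAltName = DNS:appliance01.example.test, IP:192.0.2.10
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$1/csr.cnf" \
        -keyout "$1/key.pem" -out "$1/request.csr" 2>/dev/null
}

# csr_ok FILE: succeed only if the CSR parses and its self-signature verifies.
csr_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# classify_extensions FILE: one line per requested extension that openssl
# labels "X509v3 ..."; extensions shown only as a raw OID are not listed.
classify_extensions() {
    openssl req -in "$1" -noout -text |
    sed -n 's/^ *X509v3 \([A-Za-z ]*\):.*/\1/p' |
    while IFS= read -r name; do
        case $name in
            "Subject Alternative Name"|"Key Usage"|"Extended Key Usage")
                echo "carried over: $name" ;;
            *)  echo "not carried over: $name" ;;
        esac
    done
}

work=$(mktemp -d)   # scratch directory for the demo run
make_csr "$work" && csr_ok "$work/request.csr" &&
    classify_extensions "$work/request.csr"
```

The Basic Constraints value requested in the CSR is not carried over; SCEPman adds its own, as described above. Because the issued certificate is downloaded DER-encoded, `openssl x509 -inform DER -in <downloaded file> -noout -text` shows the extensions it actually contains.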
