LogoLogo
LogoLogo
  • Welcome
  • Details
  • Editions
  • Use Cases
  • SCEPMAN Deployment
    • Getting Started
      • Standard Guide
      • Extended Guide
      • Scenarios
        • Certificate-based Network Authentication
        • Certificate-based Authentication for Entra ID
        • Certificate-based Authentication for RDP
    • Permissions
      • Azure App Registration
      • Managed Identities
    • Deployment Options
      • Marketplace deployment
      • Enterprise deployment
      • Terraform deployment
    • Root CA
    • Intermediate CA
  • Certificate Management
    • Revocation
    • Microsoft Intune
      • Windows
      • macOS
      • Android
      • iOS/iPadOS
      • Linux
    • Jamf Pro
      • General Configuration
      • Computers
      • Devices
      • Users
    • Other MDM Solutions
      • Google Workspace
        • ChromeOS
      • Kandji
      • Mosyle
      • SOTI MobiControl
    • Certificate Master
      • Manage Certificates
      • Certificate Signing Request (CSR)
      • TLS Server Certificate
      • TLS Inspection (Sub CA) Certificate
      • Code Signing Certificate
      • Device Certificate
      • User Certificate
    • Domain Controller Certificates
    • Enrollment REST API
      • Self Service Enrollment
        • Intune Managed Linux Client
        • Unmanaged Linux Client
      • API Enrollment
        • Linux Server
        • Windows Server
      • SCEPmanClient
  • Azure Configuration
    • Application Insights
    • App Service Sizing
      • Autoscaling
    • Custom Domain
    • Geo-Redundancy
    • Health Check
      • Using 3rd Party Monitoring
    • Log Management
    • Moving Resources
    • Private Endpoints
    • Split-Tenancy
  • Update Strategy
  • SCEPman Configuration
    • SCEPman Settings
      • Basics
      • Certificates
      • Certificate Master
      • CRL
      • Dependencies (Azure Services)
        • Azure KeyVault
        • Logging
        • Microsoft Entra ID (Azure AD)
        • National Cloud Platforms
      • Enrollment REST API
      • OCSP
      • SCEP Endpoints
        • DC Validation
        • Intune Validation
        • Jamf Validation
        • Static Validation
        • Static-AAD Validation
    • Certificate Master Settings
      • Basics
      • Microsoft Entra ID (Azure AD)
      • Logging
      • National Cloud Platforms
    • Application Artifacts
    • Certificate Master RBAC
    • Device Directories
    • Intune Strong Mapping
  • Other
    • Security & Privacy
    • Support
    • Licensing
      • Azure Marketplace
      • cleverbridge
    • FAQs
      • General
      • Certificate Connector
      • Renewing SCEPman Root CA
    • Troubleshooting
      • Common Problems
      • Certifried Security Vulnerability
      • Cisco ISE Host Header Limitation
      • Intune service discovery API permissions
      • Re-enrollment trigger
  • Uninstallation
  • Change Log
  • Links
  • SCEPman Website
Powered by GitBook
On this page
  • Issuing a Server Certificate using a Certificate Signing Request
  • Issuing a Server Certificate using the Form

Was this helpful?

  1. Certificate Management
  2. Certificate Master

TLS Server Certificate

Last updated 1 month ago

Was this helpful?

SCEPman Enterprise Edition only

You can generate X.509 server certificates including a private key via the SCEPman Certificate Master Web UI. This option allows you to easily generate a TLS certificate for multiple domain names. These certificates can then be used for web servers to enable communication via HTTPS or directory servers to enable LDAPS. Furthermore, they can be used on Active Directory Domain Controllers, but for Domain Controllers, you also have the option to issue special Domain Controller Certificates, which in turn can be used for LDAPS.

Be aware that once you navigate away from this page, the password will no longer be accessible.

Issuing a Server Certificate using a Certificate Signing Request

Submit a Certificate Signing Request (CSR) obtained from your appliance or server or created with an external tool like OpenSSL.

  1. Paste a plaintext Certificate Signing Request OR paste a CSR file.

  2. Submit and download the Server Certificate.

Issuing a Server Certificate using the Form

This form allows you to create a key pair (private and public key) and associated certificate and download it in a password-protected file. You can copy the file to your server or appliance and install it using the password supplied on this page.

Please enter the DNS names over which clients can access your server. They must match, so the clients can establish a TLS connection (like HTTPS/LDAPS/FTPS) without warning. The first Subject Alternative Name (SAN) constitutes the Common Name (CN) of the certificate's subject.

  1. Navigate to New Server Certificate in the SCEPman Certificate Master top menu

  2. Enter all Fully Qualified Domain Names (FQDNs) that the certificate shall be valid for separated by commas, semicolons, or line breaks. These entries will be added as DNS entries to the Subject Alternative Names extension of the certificate.

  3. Hit Submit once you have entered all domain names and the browser will automatically download the certificate with the private key in PKCS#12/PFX format after the certificate was issued a few seconds later. The PKCS#12 file is encrypted with the password shown on the screen. You can import the PKCS#12 directly to the system where it is needed using the password.

Optionally, for mutual authentication scenarios (e.g. mTLS), you can select to include the Client Authentication EKU in the certificate.

Some systems can import a certificate with the private key, but do not accept PKCS#12. You can convert the PKCS#12 file to other formats using standard tools like OpenSSL. For example, if your target system requires a PEM file with the certificate and private key, you may use this command:

openssl pkcs12 -in INFILE.p12 -out OUTFILE.crt
Submit a CSR for a Server Certificate