User Certificate

Last updated 5 months ago


SCEPman Enterprise Edition only

This feature requires version 2.4 or above

You can manually generate X.509 user certificates including a private key via the SCEPman Certificate Master Web UI. Those certificates can be used in various certificate-based authentication (CBA) scenarios, for smart cards and email signatures. By default, generated certificates will have the EKU Client Authentication and a Subject Alternative Name (SAN) set to a UPN-type property where the value matches the UPN provided in the UI.

To generate a new User Certificate, navigate to New User Certificate in the SCEPman Certificate Master top menu. Enter a UPN for the certificate and select the required EKUs. Hit Submit and the browser will automatically download the certificate with the private key in PKCS#12/PFX format after the certificate is issued a few seconds later. The PKCS#12 file is encrypted with the password shown on the screen. You can import the PKCS#12 directly to the system where it is needed using the password.

Be aware that once you navigate away from this page, the password will no longer be accessible.

YubiKey

Perform the steps below to enroll a smart card certificate on your YubiKey device.

Checklist: Prerequisites

Steps

  1. Open the Certificate Master web portal and click on the + icon

  2. Select New User Certificate

  3. Specify the UPN as per your requirements

  4. Set the Key Length to 2048 bits (YubiKey currently does not support 4096-bit keys).

  5. Select PKCS#12 as Download file format

  6. Select Client Authentication and Smart card Logon from the Extended Key Usages

  7. Before clicking Submit, make a temporary note of the Password, as it will be required when importing the certificate to the YubiKey.

  8. Open the YubiKey Manager

  9. Navigate to Applications > PIV and click Configure Certificates

  10. Select Authentication (Slot 9a) and click Import

  11. Upload the certificate that was previously generated from Certificate Master and provide the Password.

  12. Set a Management key and click OK

Certificate Master - New User Certificate
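
Before the import in steps 8 to 11, the properties chosen in steps 3 to 6 (UPN, 2048-bit key, Client Authentication and Smart card Logon EKUs) can be confirmed on the downloaded file with the openssl CLI. The script below is an added example, not part of the SCEPman documentation; the function names `check_pfx` and `make_sample_pfx` are hypothetical, and the sample generator produces a constructed self-signed certificate for trying the check offline.

```shell
#!/bin/sh
# Added example: check a Certificate Master PKCS#12 download before importing
# it into PIV slot 9a. Needs the openssl CLI (1.1.1+ for the sample generator).
UPN_OID=1.3.6.1.4.1.311.20.2.3   # SAN otherName type that carries a UPN
SCL_OID=1.3.6.1.4.1.311.20.2.2   # Smart Card Logon EKU

# check_pfx FILE PASSWORD UPN: prints one line per failed check.
# Status 0 = all checks pass, 1 = a check failed, 2 = file could not be read.
# The body is a subshell, so "exit" only ends the function.
check_pfx() (
  # The password travels in the environment, not argv, so `ps` does not show it.
  pem=$(PFX_PASS="$2" openssl pkcs12 -in "$1" -passin env:PFX_PASS \
        -nokeys -clcerts 2>/dev/null) ||
    { echo "FAIL: cannot open PKCS#12 (wrong password or damaged file)"; exit 2; }
  text=$(printf '%s\n' "$pem" | openssl x509 -noout -text) || exit 2
  rc=0
  printf '%s\n' "$text" | grep -q 'Public-Key: (2048 bit)' ||
    { echo "FAIL: key is not 2048-bit"; rc=1; }
  printf '%s\n' "$text" | grep -q 'TLS Web Client Authentication' ||
    { echo "FAIL: EKU Client Authentication missing"; rc=1; }
  printf '%s\n' "$text" | grep -Eqi "Smartcard ?Login|$SCL_OID" ||
    { echo "FAIL: EKU Smart Card Logon missing"; rc=1; }
  # Byte-level presence test on the DER form; it does not parse the SAN.
  printf '%s\n' "$pem" | openssl x509 -outform DER |
    LC_ALL=C grep -aqF -- "$3" ||
    { echo "FAIL: UPN $3 not found in certificate"; rc=1; }
  exit "$rc"
)

# make_sample_pfx OUT PASSWORD UPN BITS EKUS: writes a self-signed PKCS#12.
# Constructed test input only; it is not a certificate issued by SCEPman.
make_sample_pfx() (
  d=$(mktemp -d) || exit 2
  trap 'rm -rf "$d"' EXIT
  openssl req -x509 -newkey "rsa:$4" -nodes -days 1 \
    -subj "/CN=constructed-sample" -keyout "$d/key.pem" -out "$d/cert.pem" \
    -addext "extendedKeyUsage=$5" \
    -addext "subjectAltName=otherName:$UPN_OID;UTF8:$3" 2>/dev/null || exit 2
  PFX_PASS="$2" openssl pkcs12 -export -inkey "$d/key.pem" -in "$d/cert.pem" \
    -out "$1" -passout env:PFX_PASS
)

# Stand-alone use: sh <this file> FILE UPN   (the password is prompted for)
if [ "$#" -eq 2 ]; then
  printf 'PKCS#12 password: ' >&2; stty -echo; IFS= read -r pw; stty echo
  echo >&2; check_pfx "$1" "$pw" "$2"
fi
```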