# Addigy SCEPman can be integrated with [Addigy](https://addigy.com/) as an External Certificate Authority (CA) using SCEPman's static interface. With a configured challenge password, enrolled devices will be able to request and obtain certificates. For more general information about other MDM solutions and SCEPman integration, please check [here](/certificate-management/static-certificates.md). ## Enable Addigy Integration Integration of SCEPman can be easily enabled via the following environment variables on SCEPman App Service: {% hint style="info" %} You can differentiate between the SCEPman App Service and the Certificate Master by looking for the App Service **without** the "-cm" in its name {% endhint %} | Setting | Description | Value | | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------: | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------: | | [AppConfig:StaticValidation:Enabled](/scepman-configuration/application-settings/scep-endpoints/static-validation.md#appconfig-staticvalidation-enabled) | Enable 3rd-party validation | ***true*** to enable, ***false*** to disable | | [AppConfig:StaticValidation:RequestPassword](/scepman-configuration/application-settings/scep-endpoints/static-validation.md#appconfig-staticvalidation-requestpassword) |

Certificate signing requests sent to SCEPman for signing are authenticated with this secure static password

Recommendation: Store this secret in Azure KeyVault.

| *generate a 32 character password* | | [AppConfig:StaticValidation:ValidityPeriodDays](/scepman-configuration/application-settings/scep-endpoints/static-validation.md#appconfig-staticvalidation-validityperioddays) (optional) | Days certificates issued via Addigy are valid | 365 | | [AppConfig:StaticValidation:EnableCertificateStorage](/scepman-configuration/application-settings/scep-endpoints/static-validation.md#appconfig-staticvalidation-enablecertificatestorage) (optional) | Store requested certificates in the Storage Account, in order to show them in SCEPman Certificate Master | ***true*** to enable, ***false** to disable* | {% hint style="warning" %} After adding or editing SCEPman configuration parameters, you need to restart the App Service. {% endhint %} ## Addigy Configuration ### SCEPman Root Certificate As a first step, SCEPman root certificate must be deployed. To do so, download the RootCA certificate via the SCEPman website: ![SCEPman Website](/files/EfcGLtpCiY5X1RgElPgt) Now convert the .cer root certificate to PEM format in order to upload it to Addigy. You can use the following OpenSSL command for that: ``` openssl x509 -inform der -in scepman-root.cer -out SCEPman-Root-Certificate.pem ``` In Addigy, navigate to **Profiles** and create a new MDM profile, choose **Certificates - (PKCS12)** as Profile Type to upload SCEPman RootCA and upload the PEM format file.
### SCEP Profile The second step is to create a new **SCEP Profile** for device certificate deployment as below: * **Payload Name:** Choose a name for the profile, this will appear as a certificate profile on the client. * **URL**: The static SCEP endpoint of SCEPman that you configured in a previous step, you can get it from SCEPman homepage, see below:
* **Challenge**: Is required to authenticate CSR requests sent to SCEPman's static SCEP interface. It must match the [value](/scepman-configuration/application-settings/scep-endpoints/static-validation.md#appconfig-staticvalidation-requestpassword) of the setting *AppConfig:StaticValidation:RequestPassword* that you previously configured. * Enable the **"Proxy SCEP Requests"** option * Choose "Signing & Encryption" for **Key Usage** * Fill out the rest as shown in the screenshots below
After successfully creating both the Root CA and Device Certificate profiles, apply them to your policy to deploy the configuration to assigned devices. For more information, please check [Addigy's documentation.](https://support.addigy.com/hc/en-us/articles/4403542430739-Deploying-Certificates) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.scepman.com/certificate-management/static-certificates/addigy.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.