# Addigy

SCEPman can be integrated with [Addigy](https://addigy.com/) as an External Certificate Authority (CA) using SCEPman's static interface. With a configured challenge password, enrolled devices will be able to request and obtain certificates.

For more general information about other MDM solutions and SCEPman integration, please check [here](https://docs.scepman.com/certificate-management/static-certificates).

## Enable Addigy Integration

The integration is enabled via the following environment variables on the SCEPman App Service:

{% hint style="info" %}
You can differentiate between the SCEPman App Service and the Certificate Master by looking for the App Service **without** the "-cm" in its name.
{% endhint %}

|                                                                                                           Setting                                                                                                          | Description                                                                                                                                                                                                                                                                                               |                     Value                    |
| :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------: | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------: |
|                        [AppConfig:StaticValidation:Enabled](https://docs.scepman.com/scepman-configuration/application-settings/scep-endpoints/static-validation#appconfig-staticvalidation-enabled)                       | Enable 3rd-party validation                                                                                                                                                                                                                                                                               | ***true*** to enable, ***false*** to disable |
|                [AppConfig:StaticValidation:RequestPassword](https://docs.scepman.com/scepman-configuration/application-settings/scep-endpoints/static-validation#appconfig-staticvalidation-requestpassword)               | <p>Certificate signing requests sent to SCEPman for signing are authenticated with this secure static password<br><br><strong>Recommendation</strong>: Store this secret in <a href="../../../scepman-configuration/application-settings#secure-configuration-in-azure-key-vault">Azure KeyVault</a>.</p> |      *generate a 32 character password*      |
|       [AppConfig:StaticValidation:ValidityPeriodDays](https://docs.scepman.com/scepman-configuration/application-settings/scep-endpoints/static-validation#appconfig-staticvalidation-validityperioddays) (optional)       | Days certificates issued via Addigy are valid                                                                                                                                                                                                                                                             |                      365                     |
| [AppConfig:StaticValidation:EnableCertificateStorage](https://docs.scepman.com/scepman-configuration/application-settings/scep-endpoints/static-validation#appconfig-staticvalidation-enablecertificatestorage) (optional) | Store requested certificates in the Storage Account, in order to show them in SCEPman Certificate Master                                                                                                                                                                                                  | ***true*** to enable, ***false*** to disable |

{% hint style="warning" %}
After adding or editing SCEPman configuration parameters, you need to restart the App Service.
{% endhint %}

## Addigy Configuration

### SCEPman Root Certificate

As a first step, the SCEPman root certificate must be deployed. To do so, download the RootCA certificate via the SCEPman website:

![SCEPman Website](https://2535731700-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LoGejQeUQcw7lqnQ3WX%2Fuploads%2Fgit-blob-9170eb0435726398eb43f6fac8abd0d5f35e8cc4%2FSCEPmanHomePage.png?alt=media)

Now convert the .cer root certificate to PEM format in order to upload it to Addigy. You can use the following OpenSSL command for that:

```
openssl x509 -inform der -in scepman-root.cer -out SCEPman-Root-Certificate.pem
```
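Because this file becomes a trust anchor on every managed device, it is worth confirming that the PEM you upload is the same certificate you downloaded. The following is an added example, not part of the SCEPman or Addigy documentation: it runs the conversion above, compares the SHA-256 fingerprints of the DER and PEM files, and optionally checks them against a fingerprint you obtained out of band. The function names and the throwaway test certificate are constructed for illustration.

```shell
# SHA-256 fingerprint of a certificate file; $1 = der|pem, $2 = path.
cert_fp() {
  openssl x509 -inform "$1" -in "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

# Convert DER -> PEM (the command from this page), then check that
#   1. the PEM output has the same fingerprint as the DER input, and
#   2. if $3 is given, the fingerprint equals that expected value
#      (colon-separated upper-case hex, as printed by openssl).
# Prints the fingerprint on success; returns 1 on mismatch, 2 on a parse error.
convert_and_verify() {
  der_in=$1; pem_out=$2; expected=${3:-}
  openssl x509 -inform der -in "$der_in" -out "$pem_out" 2>/dev/null || return 2
  fp_der=$(cert_fp der "$der_in")
  fp_pem=$(cert_fp pem "$pem_out")
  if [ -z "$fp_der" ] || [ "$fp_der" != "$fp_pem" ]; then
    echo "conversion changed the certificate" >&2; return 1
  fi
  if [ -n "$expected" ] && [ "$expected" != "$fp_pem" ]; then
    echo "fingerprint mismatch: got $fp_pem" >&2; return 1
  fi
  echo "$fp_pem"
}

# Constructed sample input: a throwaway self-signed certificate in DER form,
# standing in for the scepman-root.cer downloaded from the SCEPman homepage.
make_constructed_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
    -subj "/CN=Constructed Test Root" -days 1 \
    -outform der -out "$1/scepman-root.cer" 2>/dev/null
}

demo() {
  dir=$(mktemp -d) || return 2
  make_constructed_root "$dir" || { rm -rf "$dir"; return 2; }
  convert_and_verify "$dir/scepman-root.cer" "$dir/SCEPman-Root-Certificate.pem"
  rc=$?
  rm -rf "$dir"
  return $rc
}
demo
```

With the real download, call `convert_and_verify scepman-root.cer SCEPman-Root-Certificate.pem` and compare the printed fingerprint with the one shown for the SCEPman root CA in a source you trust.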

In Addigy, navigate to **Profiles** and create a new MDM profile. Choose **Certificates - (PKCS12)** as the Profile Type and upload the PEM file containing the SCEPman RootCA certificate.

<figure><img src="https://2535731700-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LoGejQeUQcw7lqnQ3WX%2Fuploads%2FRAcvBOaWt0V089lb96aP%2Fimage.png?alt=media&#x26;token=187ce30f-6f6f-4ae0-9b97-cb21713b585b" alt=""><figcaption></figcaption></figure>

### SCEP Profile

The second step is to create a new **SCEP Profile** for device certificate deployment as below:

* **Payload Name:** Choose a name for the profile; it will appear as a certificate profile on the client.
* **URL**: The static SCEP endpoint of SCEPman that you configured in a previous step. You can get it from the SCEPman homepage, as shown below:

<figure><img src="https://2535731700-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LoGejQeUQcw7lqnQ3WX%2Fuploads%2FZHNTUBLUO3y3BHH0R37X%2Fimage.png?alt=media&#x26;token=a4b0d735-167d-41ea-aa32-2c445325a42b" alt=""><figcaption></figcaption></figure>

* **Challenge**: Required to authenticate certificate signing requests sent to SCEPman's static SCEP interface. It must match the [value](https://docs.scepman.com/scepman-configuration/application-settings/scep-endpoints/static-validation#appconfig-staticvalidation-requestpassword) of the setting *AppConfig:StaticValidation:RequestPassword* that you previously configured.
* Enable the **"Proxy SCEP Requests"** option
* Choose "Signing & Encryption" for **Key Usage**
* Fill out the rest as shown in the screenshots below

<figure><img src="https://2535731700-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LoGejQeUQcw7lqnQ3WX%2Fuploads%2FIRC4uYWrileRNfteYpIV%2Fimage.png?alt=media&#x26;token=4b0f0c81-2c16-4b69-9143-5aed25a87477" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2535731700-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LoGejQeUQcw7lqnQ3WX%2Fuploads%2FpKRdVeJYOPm1TUd6c2AY%2Fimage.png?alt=media&#x26;token=3b474821-967f-4b6e-968e-812a66d9edde" alt=""><figcaption></figcaption></figure>

After successfully creating both the Root CA and Device Certificate profiles, apply them to your policy to deploy the configuration to assigned devices.

For more information, please check [Addigy's documentation](https://support.addigy.com/hc/en-us/articles/4403542430739-Deploying-Certificates).
