Addigy

Issue certificates in Addigy by connecting SCEPman as an External CA. Enrolled devices obtain certificates through SCEPman's static interface using a challenge password.

SCEPman can be integrated with Addigy as an External Certificate Authority (CA) using SCEPman's static interface. With a configured challenge password, enrolled devices will be able to request and obtain certificates.

For more general information about other MDM solutions and SCEPman integration, please check here.

Enable Addigy Integration

Enable the integration by setting the following environment variables on the SCEPman App Service:

You can tell the SCEPman App Service apart from the Certificate Master by its name: it is the App Service without "-cm" in its name.

| Setting | Description | Value |
| --- | --- | --- |
|  | Enable 3rd-party validation | true to enable, false to disable |
| AppConfig:StaticValidation:RequestPassword | Certificate signing requests sent to SCEPman for signing are authenticated with this secure static password. Recommendation: Store this secret in Azure KeyVault. | Generate a 32-character password |
|  | Days certificates issued via Addigy are valid | 365 |
|  | Store requested certificates in the Storage Account, in order to show them in SCEPman Certificate Master | true to enable, false to disable |

Addigy Configuration

SCEPman Root Certificate

As a first step, the SCEPman root certificate must be deployed. To do so, download the RootCA certificate from the SCEPman website:

SCEPman Website

Now convert the .cer root certificate to PEM format in order to upload it to Addigy. You can use the following OpenSSL command for that:

openssl x509 -inform der -in scepman-root.cer -out SCEPman-Root-Certificate.pem
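The same conversion as an added Python example (not SCEPman or Addigy code). It goes beyond the command above by also accepting a .cer file that is already PEM-encoded, and it returns the SHA-256 fingerprint of the DER bytes so the trust anchor can be compared with a fingerprint obtained from a trusted source before upload. The function names, `expected_sha256` and the placeholder `SAMPLE_DER` are assumptions made for this example.

```python
import hashlib
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
# Constructed placeholder: a valid DER SEQUENCE header over 256 zero bytes,
# standing in for scepman-root.cer. It is not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)


def is_single_der_sequence(der):
    """True if the bytes are one DER SEQUENCE whose length field covers them exactly."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:  # short form: the length fits in this byte
        return len(der) == 2 + first
    n = first & 0x7F  # long form: the next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def normalize_root_cert(data):
    """Return (pem_text, sha256_hex_of_der) for a DER- or PEM-encoded .cer file."""
    if PEM_HEADER in data:  # already PEM: decode it so the hash is over DER
        der = ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
    else:
        der = data
    if not is_single_der_sequence(der):
        raise ValueError("input is not a single DER-encoded certificate")
    return ssl.DER_cert_to_PEM_cert(der), hashlib.sha256(der).hexdigest()


def convert_and_check(data, expected_sha256):
    """Return the PEM text only if the fingerprint matches the expected value."""
    pem, fingerprint = normalize_root_cert(data)
    if fingerprint != expected_sha256.replace(":", "").lower():
        raise ValueError("fingerprint mismatch: got " + fingerprint)
    return pem


if __name__ == "__main__":
    pem, fingerprint = normalize_root_cert(SAMPLE_DER)
    print(fingerprint)
    print(pem, end="")
```

The outer-length check only rejects truncated files or files with trailing data; it does not parse or validate the certificate itself.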

In Addigy, navigate to Profiles and create a new MDM profile. Choose Certificates - (PKCS12) as the Profile Type and upload the PEM format file containing the SCEPman RootCA.

SCEP Profile

The second step is to create a new SCEP Profile for device certificate deployment as below:

  • Payload Name: Choose a name for the profile. This will appear as a certificate profile on the client.

  • URL: The static SCEP endpoint of SCEPman that you configured in a previous step. You can get it from the SCEPman homepage, see below:

  • Challenge: Required to authenticate CSR requests sent to SCEPman's static SCEP interface. It must match the value of the setting AppConfig:StaticValidation:RequestPassword that you previously configured.

  • Enable the "Proxy SCEP Requests" option

  • Choose "Signing & Encryption" for Key Usage

  • Fill out the rest as shown in the screenshots below

After successfully creating both the Root CA and Device Certificate profiles, apply them to your policy to deploy the configuration to assigned devices.

For more information, please check Addigy's documentation.
