Details

Last updated 3 months ago


What is SCEP?

Usually, when certificates need to be deployed to (mobile) devices, the Simple Certificate Enrollment Protocol (SCEP) is the first choice. But what is SCEP? SCEP is an Internet draft standard protocol. An Internet draft contains technical specifications and technical information. Internet drafts are often published as a Request for Comments (RFC).

SCEP was originally developed by Cisco. The core mission of SCEP is the deployment of certificates to network devices without any user interaction. With the help of SCEP, network devices can request certificates on their own.

What is SCEPman?

If you use SCEP in a 'traditional way', you need a number of on-premises components. Microsoft Intune and other Mobile Device Management (MDM) solutions allow third-party certificate authorities (CA) to issue and validate certificates using SCEP.

To get rid of these on-premises components, we developed SCEPman.

SCEPman issues certificates that are intended for authentication and transport encryption. That means you can deploy user and device certificates used for network authentication, WiFi, VPN, RADIUS and similar services.

You may use SCEPman for transactional digital signatures, e.g. for S/MIME signing in Microsoft Outlook. If you plan to use the certificates for message signing, you need to add the corresponding extended key usages in the Intune profile configuration. Please keep in mind that SCEPman certificates are trusted in your organization only. SCEPman does not issue publicly trusted certificates.

Do not use SCEPman for email encryption, e.g. for S/MIME mail encryption in Microsoft Outlook (without a separate technology for key management). The SCEP protocol by its nature includes no mechanism to back up or archive private key material. If you used SCEP for email encryption, you could lose the keys needed to decrypt the messages at a later time.

SCEPman Workflow

Here is an overview of the SCEPman workflow when Intune is used as the MDM solution (the flows are similar for other MDM solutions). The first figure shows certificate issuance and the second figure shows certificate validation.

Process of certificate issuance:

Process of certificate validation during certificate-based authentication:

SCEPman Features

SCEPman is an Azure Web App with the following features:

  • SCEPman provides certificates signed by a CA root key stored in Azure Key Vault.

  • A full replacement of Legacy PKI in many scenarios.

SCEPman creates the CA root certificate during the initial installation. However, if for whatever reason alternative CA key material shall be used, it is possible to replace this CA key and certificate with your own in Azure Key Vault, for example if you want to use a Sub CA certificate signed by an existing internal Root CA.

SCEP API

A SCEP interface that is compatible with Intune in particular.

Certificate Master

Certificate Master allows customers to (manually) issue certificates in scenarios where automatic enrollment via SCEP / MDM is not possible. Common examples are the issuance of TLS server certificates or user certificates for smart cards / YubiKeys. Furthermore, with Certificate Master, administrators can manage any certificate issued by SCEPman, whether it was automatically enrolled through SCEP via Intune, Jamf and other MDMs, EST, the Enrollment REST API, or manually via the Certificate Master UI itself.

Online Certificate Status Protocol (OCSP)

SCEPman contains an OCSP responder (see below) to provide certificate validity / auto-revocation in real time.

SCEPman OCSP (Online Certificate Status Protocol)

The Online Certificate Status Protocol (OCSP) is an Internet protocol used to determine the state of a certificate.

Usually, an OCSP client sends a status request to an OCSP responder. The OCSP responder verifies the validity of a certificate based on its revocation state or other mechanisms. In comparison to a certificate revocation list (CRL), which SCEPman supports as well, an OCSP response is always up to date and is available within seconds. A CRL has the disadvantage that it is based on a database that must be refreshed manually and may grow to a large size. Read a detailed comparison of these revocation mechanisms in an article in our company blog.