General

How can I programmatically query the Storage Account Table?

For some use cases, it might be necessary to query the storage account table directly. This can be done manually using the Azure Storage Explorer or programmatically using the Azure Storage Rest API. Assign the Storage Table Data Reader role to the account you are using. Here is an example of a query that returns all certificates in the Storage Account expiring in the next 30 days:

$SCEPManStorageAccountName = "stgscepmanabc"  # Insert your SCEPman Storage Account name here
$expiresBefore = (Get-Date).AddDays(30).ToString("yyyy-MM-ddTHH:mm:ssZ")  # Find all certificates that expire before this date
$now = (Get-Date).ToString("yyyy-MM-ddTHH:mm:ssZ")                        # and                   that expire after this date

$certificatesJson = az storage entity query --table-name Certificates --account-name $SCEPManStorageAccountName --auth-mode login --filter "ExpirationDate lt datetime'$expiresBefore' and ExpirationDate gt datetime'$now' and Revoked eq false"
$certificates = $certificatesJson | ConvertFrom-Json

$certificates.items | Select-Object -Property Subject,Requester,ExpirationDate,FQDNs

The Azure CLI must be installed on the machine where the query is run, and it must be logged on to the right account and subscription. This is automatically the case for an Azure Cloud Shell.

Can I move SCEPman resources to another Azure subscription?

Technically it is feasible, but neither recommended nor supported from our side. The main breaking change is moving the Key Vault. See Azure Key Vault moving a vault to a different subscription | Microsoft Learn

If it's still necessary, we strongly recommend deploying a new SCEPman instance and migrating to the specified use case.

Migration example

Use-Case: SCEPman certificates for network authentication (e.g. RADIUSaaS)
SSID remains the same

Part 1 - Preparation

Deploy a new SCEPman instance.
Push the root CA certificate of the new SCEPman instance to all endpoints.
Issue new client certificates via SCEP to all endpoints.
Add the root certificate of the new SCEPman instance to the trusted root store of RADIUSaaS.
Once all endpoints have received the new root and client certificates (via SCEP), schedule a migration for day x.

Part 2: Execution

On the migration day (ensure all devices are powered on and connected to the network):

Add the new SCEP certificate profile (step 3 in Preparation) to the list of Client certificates for client authentication in the existing WiFi profile.
Trigger an Intune sync on all devices.

Part 3: Clean-up

Ensure that all endpoints are synced and have received both new profiles and updates to the WiFi profile.
Uninstall the old SCEPman by deleting the resource group it resides in.
Remove the old SCEP client certificate profile from the list of Client certificates for client authentication in the WiFi profile.
Remove the profiles from Intune that are related to the old SCEPman instance (trusted root, SCEP device cert).
Remove the old SCEPman Root CA certificate from the trust list on RADIUSaaS.

How to restrict public access to the SCEPman homepage?

The SCEPman homepage does not include any sensitive information, and attackers cannot leverage the available data for malicious purposes.

However, If you prefer to hide the homepage from public access, you can do it using the setting AppConfig setting: AnonymousHomePageAccess

Please ensure to restart the SCEPman App Service after adding the setting.

How to change SCEPman RootCA Subject?

By changing the CA Subject, you must issue a new Root CA and deploy it to all users, AND deploy all client/device certificates again. The old certificates are then no longer valid.

If you do not have a problem with that please follow the steps below to change the CA subject

Navigate to your SCEPman App Service configuration
Change the CN value of the setting AppConfig:KeyVaultConfig:RootCertificateConfig:Subject to the new subject name you want
It is also recommended to change the value of the setting AppConfig:KeyVaultConfig:RootCertificateConfig:CertificateName to the new subject name, however, this is only visible in Azure KeyVault and not on the certificate itself.

The name does not appear in the certificate itself and is only a reference to the CA certificate within Azure Key Vault. As it is part of the URL, there are name restrictions, like limitations to alphanumeric characters, numbers, and dashes. Spaces are not allowed

After changing both values, save and restart the App Service
Navigate to your SCEPman homepage and issue a new RootCA as described here
Download the new RootCA and upload it to your Profile, then re-deploy the client certificates again to get the new subject

How to view SCEP certificates in Intune?

In order to view SCEPman issued certificates in Intune, navigate to certificates in Intune Monitor module:

Intune -> Devices -> Monitor -> Certificates

There you will find a list of all issued certificates with details like device name, user name, thumbprint, serial number, subject name, issuance date, expiry date, and certificate status.

For a more comprehensive view of the certificates along with additional actions, review the certificates in Certificate Master.

PreviousFAQs NextSecurity & Privacy

Last updated 1 month ago