General
To upgrade a Community Edition to an Enterprise Edition, you have to add the license key in the app settings. The following steps explain how:
1. Navigate to App Services.
2. Choose your SCEPman app.
3. Under Settings, click Environment variables.
4. Select AppConfig:LicenseKey.
5. Under Value, enter your license key.
6. Save the settings and, under Overview, restart your App Service.
7. After the restart, your SCEPman instance homepage will show Enterprise Edition.
Ensure that your SCEPman instance homepage shows on the left side that the Storage Account is connected (green bubble). If there are connection issues, the bubble will be red, and your OCSP responder will not work.
For some use cases, it might be necessary to query the storage account table directly. This can be done manually using the Azure Storage Explorer or programmatically using the Azure Storage REST API. Assign the Storage Table Data Reader role to the account you are using. Here is an example of a query that returns all certificates in the Storage Account expiring in the next 30 days:
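An added example of such a query using the Azure CLI (not the SCEPman project's own script). The storage account, table name and expiry property are placeholders you must set; it assumes the expiry is stored as a DateTime property and that GNU date is available, as in Azure Cloud Shell.

```shell
#!/usr/bin/env bash
# Added example: list certificate rows that expire within N days.
# The three values below are placeholders (assumptions, not SCEPman names);
# look up the real table and property names in Azure Storage Explorer.
STORAGE_ACCOUNT="${STORAGE_ACCOUNT:-<storage-account-name>}"
TABLE_NAME="${TABLE_NAME:-<certificate-table-name>}"
EXPIRY_PROPERTY="${EXPIRY_PROPERTY:-<expiry-datetime-property>}"

# Format epoch seconds as the UTC timestamp used in OData datetime literals.
odata_time() {
  date -u -d "@$1" +%Y-%m-%dT%H:%M:%SZ
}

# Build an OData filter for rows whose expiry lies in [now, now + days].
# Arguments: property name, current time as epoch seconds, window in days.
# Rejects anything but a plain identifier and an integer, so an unset
# placeholder or a stray quote never reaches the filter string.
build_expiry_filter() {
  local prop="$1" now="$2" days="$3" end
  case "$prop" in ''|*[!A-Za-z0-9_]*) echo "invalid property name" >&2; return 1;; esac
  case "$days" in ''|*[!0-9]*) echo "days must be an integer" >&2; return 1;; esac
  end=$(( now + days * 86400 ))
  printf "%s ge datetime'%s' and %s le datetime'%s'" \
    "$prop" "$(odata_time "$now")" "$prop" "$(odata_time "$end")"
}

# Run the query with the signed-in identity (needs Storage Table Data Reader).
query_expiring() {
  local days="${1:-30}" filter
  filter="$(build_expiry_filter "$EXPIRY_PROPERTY" "$(date -u +%s)" "$days")" || return 1
  az storage entity query \
    --account-name "$STORAGE_ACCOUNT" \
    --table-name "$TABLE_NAME" \
    --auth-mode login \
    --filter "$filter" \
    --output table
}

# Only contact Azure when explicitly asked: ./script.sh --run [days]
if [ "${1:-}" = "--run" ]; then
  query_expiring "${2:-30}"
fi
```

Using `--auth-mode login` keeps the query on the read-only RBAC role instead of a storage account key, which would grant write access to the certificate table as well.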
The Azure CLI must be installed on the machine where the query is run, and it must be logged on to the right account and subscription. This is automatically the case for an Azure Cloud Shell.
If you are using a Private Endpoint for the Storage Account, you need to add your client's IP address to the exception list in the Networking pane of the Storage Account.
The SCEPman homepage does not include any sensitive information, and attackers cannot leverage the available data for malicious purposes.
However, if you prefer to hide the homepage from public access, you can do so using the AppConfig setting AnonymousHomePageAccess.
Please make sure to restart the SCEPman App Service after adding the setting.
If you change the CA subject, you must issue a new Root CA and deploy it to all users, and you must deploy all client/device certificates again. The old certificates are then no longer valid.
If you do not have a problem with that, please follow the steps below to change the CA subject:
1. Navigate to your SCEPman App Service configuration.
2. Change the CN value of the setting AppConfig:KeyVaultConfig:RootCertificateConfig:Subject to the new subject name you want.
3. It is also recommended to change the value of the setting AppConfig:KeyVaultConfig:RootCertificateConfig:CertificateName to the new subject name; however, this is only visible in Azure Key Vault and not on the certificate itself.
4. After changing both values, save and restart the App Service.
5. Navigate to your SCEPman homepage and issue a new Root CA as described here
6. Download the new Root CA and upload it to your Profile, then re-deploy the client certificates to get the new subject.
To view SCEPman-issued certificates in Intune, navigate to Certificates in the Intune Monitor module:
Intune -> Devices -> Monitor -> Certificates
There you will find a list of all issued certificates with details like device name, user name, thumbprint, serial number, subject name, issuance date, expiry date, and certificate status.
For a more comprehensive view of the certificates along with additional actions, review the certificates in Certificate Master.
The SCEPman Root CA has an expiry of 10 years. Once expired, SCEPman will need to be re-deployed and there is currently no method to extend the expiry past 10 years or to renew the existing Root CA. A redeployment has the advantage that the new Root CA will live up to the security standards (key size, algorithms etc.) that are relevant to that time in the future.