LogoLogo
LogoLogo
  • Welcome
  • Details
  • Editions
  • Use Cases
  • SCEPMAN Deployment
    • Getting Started
      • Standard Guide
      • Extended Guide
    • Permissions
      • Azure App Registration
      • Managed Identities
    • Deployment Options
      • Marketplace deployment
      • Enterprise deployment
      • Terraform deployment
    • Root CA
    • Intermediate CA
  • Certificate Management
    • Revocation
    • Microsoft Intune
      • Windows
        • Certificate Based Authentication for RDP
      • macOS
      • Android
      • iOS/iPadOS
      • Linux
    • Jamf Pro
      • General Configuration
      • Computers
      • Devices
      • Users
    • Other MDM Solutions
      • Google Workspace
        • ChromeOS
      • Kandji
      • Mosyle
      • SOTI MobiControl
    • Certificate Master
      • Manage Certificates
      • Certificate Signing Request (CSR)
      • TLS Server Certificate
      • Sub CA Certificate
      • Code Signing Certificate
      • Client Certificate
      • User Certificate
    • Domain Controller Certificates
    • Enrollment REST API
      • Self Service Enrollment
        • Intune Managed Linux Client
        • Unmanaged Linux Client
      • API Enrollment
        • Linux Server
        • Windows Server
  • Azure Configuration
    • Application Insights
    • App Service Sizing
      • Autoscaling
    • Custom Domain
    • Geo-Redundancy
    • Health Check
      • Using 3rd Party Monitoring
    • Log Management
    • Moving Resources
    • Private Endpoints
    • Split-Tenancy
  • Update Strategy
  • SCEPman Configuration
    • SCEPman Settings
      • Basics
      • Certificates
      • Certificate Master
      • CRL
      • Dependencies (Azure Services)
        • Azure KeyVault
        • Logging
        • Microsoft Entra ID (Azure AD)
        • National Cloud Platforms
      • Enrollment REST API
      • OCSP
      • SCEP Endpoints
        • DC Validation
        • Intune Validation
        • Jamf Validation
        • Static Validation
        • Static-AAD Validation
    • Certificate Master Settings
      • Basics
      • Microsoft Entra ID (Azure AD)
      • Logging
      • National Cloud Platforms
    • Application Artifacts
    • Certificate Master RBAC
    • Device Directories
    • Intune Strong Mapping
  • Other
    • Security & Privacy
    • Support
    • Licensing
      • Azure Marketplace
    • FAQs
      • General
      • Certificate Connector
      • Network Access Controllers
    • Troubleshooting
      • Common Problems
      • Certifried Security Vulnerability
      • Cisco ISE Host Header Limitation
      • Intune service discovery API permissions
      • Re-enrollment trigger
  • Uninstallation
  • Change Log
  • Links
  • SCEPman Website
Powered by GitBook
On this page
  • How to add a License Key?
  • How to programmatically query the Storage Account Table?
  • How to restrict public access to the SCEPman homepage?
  • How to change SCEPman RootCA Subject?
  • How to view SCEP certificates in Intune?
  • What's the expiry of the SCEPman Root CA? Can it be extended/renewed?

Was this helpful?

  1. Other
  2. FAQs

General

Last updated 11 days ago

Was this helpful?

How to add a License Key?

To upgrade a Community Edition to an Enterprise Edition you have to add the license key in the app settings. How this works is explained in the following chapter:

  1. Navigate to App Services.

  2. Then choose your SCEPman app.

  3. Next under Settings click Environment variables.

  4. Select AppConfig:LicenseKey.

  5. Under Value, enter your license key.

  1. Then, Save the settings, and under Overview, restart your App Service.

  2. After the restart, your SCEPman instance homepage will show Enterprise Edition.

  3. Ensure that your SCEPman instance homepage shows on the left side that the Storage Account is connected (green bubble). If there are connection issues, the bubble will be red, and your OCSP responder will not work.

How to programmatically query the Storage Account Table?

For some use cases, it might be necessary to query the storage account table directly. This can be done manually using the Azure Storage Explorer or programmatically using the Azure Storage Rest API. Assign the Storage Table Data Reader role to the account you are using. Here is an example of a query that returns all certificates in the Storage Account expiring in the next 30 days:

$SCEPManStorageAccountName = "stgscepmanabc"  # Insert your SCEPman Storage Account name here
$expiresBefore = (Get-Date).AddDays(30).ToString("yyyy-MM-ddTHH:mm:ssZ")  # Find all certificates that expire before this date
$now = (Get-Date).ToString("yyyy-MM-ddTHH:mm:ssZ")                        # and                   that expire after this date

$certificatesJson = az storage entity query --table-name Certificates --account-name $SCEPManStorageAccountName --auth-mode login --filter "ExpirationDate lt datetime'$expiresBefore' and ExpirationDate gt datetime'$now' and Revoked eq false"
$certificates = $certificatesJson | ConvertFrom-Json

$certificates.items | Select-Object -Property Subject,Requester,ExpirationDate,FQDNs

The Azure CLI must be installed on the machine where the query is run, and it must be logged on to the right account and subscription. This is automatically the case for an Azure Cloud Shell.

If you are using a Private Endpoint for the Storage Account, you need to add your client's IP address to the exception list in the Networking pane of the Storage Account.

How to restrict public access to the SCEPman homepage?

The SCEPman homepage does not include any sensitive information, and attackers cannot leverage the available data for malicious purposes.

However, If you prefer to hide the homepage from public access, you can do it using the setting AppConfig setting: AnonymousHomePageAccess

Please ensure to restart the SCEPman App Service after adding the setting.

How to change SCEPman RootCA Subject?

By changing the CA Subject, you must issue a new Root CA and deploy it to all users, AND deploy all client/device certificates again. The old certificates are then no longer valid.

If you do not have a problem with that please follow the steps below to change the CA subject

  • Navigate to your SCEPman App Service configuration

  • Change the CN value of the setting AppConfig:KeyVaultConfig:RootCertificateConfig:Subject to the new subject name you want

  • It is also recommended to change the value of the setting AppConfig:KeyVaultConfig:RootCertificateConfig:CertificateName to the new subject name, however, this is only visible in Azure KeyVault and not on the certificate itself.

The name does not appear in the certificate itself and is only a reference to the CA certificate within Azure Key Vault. As it is part of the URL, there are name restrictions, like limitations to alphanumeric characters, numbers, and dashes. Spaces are not allowed

  • After changing both values, save and restart the App Service

  • Navigate to your SCEPman homepage and issue a new RootCA as described here

  • Download the new RootCA and upload it to your Profile, then re-deploy the client certificates again to get the new subject

How to view SCEP certificates in Intune?

In order to view SCEPman issued certificates in Intune, navigate to certificates in Intune Monitor module:

Intune -> Devices -> Monitor -> Certificates

There you will find a list of all issued certificates with details like device name, user name, thumbprint, serial number, subject name, issuance date, expiry date, and certificate status.

For a more comprehensive view of the certificates along with additional actions, review the certificates in Certificate Master.

What's the expiry of the SCEPman Root CA? Can it be extended/renewed?

The SCEPman Root CA has an expiry of 10 years. Once expired, SCEPman will need to be re-deployed and there is currently no method to extend the expiry past 10 years or to renew the existing Root CA. A redeployment has the advantage that the new Root CA will live up to the security standards (key size, algorithms etc.) that are relevant to that time in the future.