# Certificates

{% hint style="info" %}
These settings should only be applied to the SCEPman App Service, not the Certificate Master. Please refer to [SCEPman Settings](/scepman-configuration/application-settings.md).
{% endhint %}

## AppConfig:AddMicrosoftAADExtensions

*Linux: AppConfig\_\_AddMicrosoftAADExtensions*

**Value:** *true* (default) or *false*

**Description:** Shall certificates have the extensions 1.2.840.113556.5.14 (AAD Tenant ID) and 1.2.840.113556.1.5.284.2 (AAD Device ID)?

## AppConfig:AddSidExtension

*Linux: AppConfig\_\_AddSidExtension*

{% hint style="info" %}
Applicable to version 2.5 and above
{% endhint %}

**Value:** *true* or *false* (default)

**Description:** This setting determines whether certificates can have the extension 1.3.6.1.4.1.311.25.2 (user's Security Identifier (SID)). This extension is required to mitigate [Certifried attacks](/other/troubleshooting/certifried.md) if certificates are used for on-prem AD user authentication.

If this is set to false, SCEPman will never issue certificates with this extension. If this is set to true, SCEPman may issue certificates with this extension in two cases:

First, when enrolling user certificates via Intune and the user's AAD object contains a SID in the attribute *OnPremisesSecurityIdentifier*. If the user's AAD object does not contain a SID, for example if it is a cloud-only user, SCEPman will not issue a certificate with this extension. The same applies to the [static-aad endpoint](/scepman-configuration/application-settings/scep-endpoints/staticaad-validation.md).

Second, when enrolling user certificates through other SCEP endpoints and the CSR already contains the extension. Examples are the Static SCEP endpoint and manual certificate requests through Certificate Master.

## AppConfig:ValidityPeriodDays

*Linux: AppConfig\_\_ValidityPeriodDays*

**Value:** *Integer*

**Description:**\
The maximum number of days that an issued certificate is valid. By default, this setting is set to **730 days**. If the setting is not available (older installations of SCEPman), the validity period is **200 days**. SCEPman never issues certificates with a longer validity than the value defined here. There are ways to reduce the validity for specific certificates, though.

You can configure shorter validity periods in each SCEP profile in Intune as described in the [Microsoft documentation](https://docs.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure#modify-the-validity-period-of-the-certificate-template).

{% hint style="warning" %}
iOS/iPadOS and macOS devices ignore the validity period configured via Intune. Therefore, you need to configure this setting in SCEPman if you want a validity period other than 200 days for your iOS/iPadOS and macOS devices. Please read [iOS/iPadOS](/certificate-management/microsoft-intune/ios.md) for further details, where we recommend a higher value.
{% endhint %}

You can also configure **shorter** validity periods for each SCEP endpoint. By default, the following values are set for each endpoint:

| Endpoint           | Parameter                                                                                                                                                                      | Validity in days     |
| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------- |
| Intune             | [AppConfig:IntuneValidation:ValidityPeriodDays](/scepman-configuration/application-settings/scep-endpoints/intune-validation.md#appconfig-intunevalidation-validityperioddays) | 365                  |
| Jamf               | \<Not set>                                                                                                                                                                     | 730 (global setting) |
| Static             | \<Not set>                                                                                                                                                                     | 730 (global setting) |
| Certificate Master | \<Not set>                                                                                                                                                                     | 730 (global setting) |

The image below depicts how SCEPman limits the certificate validity period: first per endpoint, then globally.

<figure><img src="/files/XQf4qmMUGHLXDExK3ZyT" alt=""><figcaption></figcaption></figure>

## AppConfig:ConcurrentSCEPRequestLimit

*Linux: AppConfig\_\_ConcurrentSCEPRequestLimit*

**Value:** Positive *Integer*

**Default:** 50

**Description:** The more SCEP requests arrive at SCEPman at the same time, the longer each request takes to finish. At high request frequencies, e.g. immediately after assigning a SCEP configuration profile to a large number of devices, processing the requests may take so long that the requests time out. The clients will retry their failed requests, which may keep the request frequency above the critical overload level.

With this setting, SCEPman works on at most this number of SCEP requests in parallel. If more requests arrive, SCEPman returns HTTP 429 (Too Many Requests). Intune-based clients retry certificate issuance later in this case, so usually no request is lost. This ensures that SCEPman can finish the requests it has accepted on time and has a chance to work off the queue.
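Whether the limit is being hit shows up in the App Service web server log as 429 responses. The following is an added example (not SCEPman code) that counts SCEP enrollment requests and 429 rejections per minute from such a log. The log lines are constructed for this example in the W3C extended format that App Service web server logging writes; the site name, host name, client addresses and the `/scep/pkiclient.exe` path are sample values, and the column list is read from the `#Fields:` header so a different set of columns also works.

```python
from collections import defaultdict

# Constructed sample log (W3C extended format). Spaces inside a field are
# written as '+' in this format, so splitting on whitespace is safe.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-sitename cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2024-05-01 12:00:05 scepman-example POST /scep/pkiclient.exe operation=PKIOperation 443 - 203.0.113.10 Intune+SCEP - - scepman-example.azurewebsites.net 200 0 0 2048 3100 1532
2024-05-01 12:00:17 scepman-example POST /scep/pkiclient.exe operation=PKIOperation 443 - 203.0.113.11 Intune+SCEP - - scepman-example.azurewebsites.net 200 0 0 2048 3100 1610
2024-05-01 12:00:49 scepman-example POST /scep/pkiclient.exe operation=PKIOperation 443 - 203.0.113.12 Intune+SCEP - - scepman-example.azurewebsites.net 200 0 0 2048 3100 1720
2024-05-01 12:01:02 scepman-example POST /scep/pkiclient.exe operation=PKIOperation 443 - 203.0.113.13 Intune+SCEP - - scepman-example.azurewebsites.net 200 0 0 2048 3100 9800
2024-05-01 12:01:03 scepman-example POST /scep/pkiclient.exe operation=PKIOperation 443 - 203.0.113.14 Intune+SCEP - - scepman-example.azurewebsites.net 429 0 0 120 3100 4
2024-05-01 12:01:03 scepman-example POST /scep/pkiclient.exe operation=PKIOperation 443 - 203.0.113.15 Intune+SCEP - - scepman-example.azurewebsites.net 429 0 0 120 3100 3
2024-05-01 12:01:41 scepman-example POST /scep/pkiclient.exe operation=PKIOperation 443 - 203.0.113.16 Intune+SCEP - - scepman-example.azurewebsites.net 200 0 0 2048 3100 8100
2024-05-01 12:02:10 scepman-example GET /scep/pkiclient.exe operation=GetCACert 443 - 203.0.113.17 Intune+SCEP - - scepman-example.azurewebsites.net 200 0 0 1500 0 12
2024-05-01 12:02:30 scepman-example POST /scep/pkiclient.exe operation=PKIOperation 443 - 203.0.113.14 Intune+SCEP - - scepman-example.azurewebsites.net 200 0 0 2048 3100 1450
"""


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def scep_load_per_minute(text):
    """Per minute: number of enrollment (PKIOperation) requests, how many were
    rejected with 429, and the slowest request in milliseconds."""
    stats = defaultdict(lambda: {"requests": 0, "rejected": 0, "max_ms": 0})
    for rec in parse_w3c(text):
        # Only the enrollment posts are of interest; GetCACert/GetCACaps are cheap.
        if rec["cs-method"] != "POST" or "operation=PKIOperation" not in rec["cs-uri-query"]:
            continue
        key = f"{rec['date']} {rec['time'][:5]}"  # truncate to HH:MM
        s = stats[key]
        s["requests"] += 1
        if rec["sc-status"] == "429":
            s["rejected"] += 1
        s["max_ms"] = max(s["max_ms"], int(rec["time-taken"]))
    return dict(stats)


def overloaded_minutes(text):
    """Minutes in which SCEPman answered with 429, i.e. ConcurrentSCEPRequestLimit was reached."""
    return sorted(k for k, s in scep_load_per_minute(text).items() if s["rejected"])


if __name__ == "__main__":
    for minute, s in sorted(scep_load_per_minute(SAMPLE_LOG).items()):
        print(minute, s)
    print("overloaded:", overloaded_minutes(SAMPLE_LOG))
```

A single minute with a few 429s right after a profile assignment is expected and harmless, since the clients retry. Minutes with rejections that keep recurring, together with rising `max_ms`, are the pattern described above: the retries keep the load above the limit, and the limit or the App Service plan size needs revisiting.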

## AppConfig:ValidityClockSkewMinutes

*Linux: AppConfig\_\_ValidityClockSkewMinutes*

**Value:** Positive *Integer*

**Default:** 1440

**Description:** When SCEPman issues a certificate, its validity begins 24 hours (1440 minutes) before the issuance time. This is because the client's clock may lag behind SCEPman's, in which case the client would consider the certificate not yet valid. Some platforms immediately discard a certificate that is not yet valid, even if it would become valid a few seconds later.

## AppConfig:UseRequestedKeyUsages

*Linux: AppConfig\_\_UseRequestedKeyUsages*

**Value:** *true* or *false*

**Description:** Should the certificates have the Key Usage and Extended Key Usage (EKU) extensions set as requested, or should SCEPman define them?

**True:** The Key Usage and Extended Key Usage extensions in the certificates are defined by the MDM solution.\
**False:** Key Usage is always *Key Encipherment* + *Digital Signature*. Extended Key Usage is always *Client Authentication*.

{% hint style="warning" %}
iOS/iPadOS devices do not support customized Extended Key Usages (even if configured in the Intune profile and [AppConfig:UseRequestedKeyUsages](#appconfig-userequestedkeyusages) is set to **True**). So, their certificates will always have *Client Authentication* as Extended Key Usage.
{% endhint %}
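The settings on this page all change what ends up inside the issued certificate, so the practical check is to audit a certificate that SCEPman actually issued against the configured values: are the AAD extensions and the SID extension present, is the lifetime within `ValidityPeriodDays` plus the clock skew, and do the key usages match. The following is an added example, not SCEPman's own code. It uses the `cryptography` package and builds a constructed self-signed sample certificate (in a real audit you would load the issued certificate with `x509.load_pem_x509_certificate` instead). The SID extension is encoded and decoded in the layout Microsoft documented for KB5014754 (OID `1.3.6.1.4.1.311.25.2.1` wrapping the SID string); the byte layout used for the two AAD extensions in the sample is an assumption, and the audit only checks whether they are present.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID, ObjectIdentifier

OID_AAD_TENANT_ID = ObjectIdentifier("1.2.840.113556.5.14")
OID_AAD_DEVICE_ID = ObjectIdentifier("1.2.840.113556.1.5.284.2")
OID_NTDS_CA_SECURITY_EXT = ObjectIdentifier("1.3.6.1.4.1.311.25.2")  # the SID extension
OID_NTDS_OBJECTSID = ObjectIdentifier("1.3.6.1.4.1.311.25.2.1")
KNOWN_EKUS = {ExtendedKeyUsageOID.CLIENT_AUTH.dotted_string: "clientAuth",
              ExtendedKeyUsageOID.SERVER_AUTH.dotted_string: "serverAuth"}
SAMPLE_ISSUED_AT = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed
SAMPLE_SID = "S-1-5-21-1111-2222-3333-1001"                           # constructed


# --- minimal DER helpers, enough for the SID extension's OtherName-style structure ---
def _der_len(n):
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_sid_extension(sid):
    """SEQUENCE { [0] { OID szOID_NTDS_OBJECTSID, [0] { OCTET STRING sid } } }"""
    inner = _tlv(0xA0, _tlv(0x04, sid.encode("ascii")))
    return _tlv(0x30, _tlv(0xA0, _der_oid(OID_NTDS_OBJECTSID.dotted_string) + inner))


def decode_sid_extension(der):
    """Walk the structure above and return the SID string, or None if the layout differs."""
    try:
        tag, seq, _ = _read_tlv(der)
        tag0, ctx0, _ = _read_tlv(seq)
        tag_oid, oid_body, nxt = _read_tlv(ctx0)
        tag1, ctx1, _ = _read_tlv(ctx0, nxt)
        tag_str, sid, _ = _read_tlv(ctx1)
    except IndexError:
        return None
    if (tag, tag0, tag_oid, tag1, tag_str) != (0x30, 0xA0, 0x06, 0xA0, 0x04):
        return None
    if _tlv(0x06, oid_body) != _der_oid(OID_NTDS_OBJECTSID.dotted_string):
        return None
    return sid.decode("ascii")


def make_sample_cert(issued_at, validity_days, skew_minutes, sid=None, aad=True):
    """Constructed self-signed sample with the fields this page describes (not SCEPman output)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "user@example.com")])
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(issued_at - timedelta(minutes=skew_minutes))  # ValidityClockSkewMinutes
               .not_valid_after(issued_at + timedelta(days=validity_days))      # bounded by ValidityPeriodDays
               .add_extension(x509.KeyUsage(digital_signature=True, content_commitment=False,
                                            key_encipherment=True, data_encipherment=False,
                                            key_agreement=False, key_cert_sign=False, crl_sign=False,
                                            encipher_only=False, decipher_only=False), critical=True)
               .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False))
    if aad:  # assumed encoding: GUID text in an OCTET STRING; only presence is audited
        builder = builder.add_extension(x509.UnrecognizedExtension(
            OID_AAD_TENANT_ID, _tlv(0x04, b"11111111-2222-3333-4444-555555555555")), critical=False)
        builder = builder.add_extension(x509.UnrecognizedExtension(
            OID_AAD_DEVICE_ID, _tlv(0x04, b"66666666-7777-8888-9999-000000000000")), critical=False)
    if sid:
        builder = builder.add_extension(x509.UnrecognizedExtension(
            OID_NTDS_CA_SECURITY_EXT, encode_sid_extension(sid)), critical=False)
    return builder.sign(key, hashes.SHA256())


def _ext_value(cert, oid):
    try:
        return cert.extensions.get_extension_for_oid(oid).value
    except x509.ExtensionNotFound:
        return None


def _utc(dt):  # older 'cryptography' versions return naive datetimes that are UTC
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def audit_certificate(cert):
    """Summarize the fields that the settings on this page control."""
    nb = _utc(getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before)
    na = _utc(getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after)
    ku = _ext_value(cert, ExtensionOID.KEY_USAGE)
    eku = _ext_value(cert, ExtensionOID.EXTENDED_KEY_USAGE)
    sid_ext = _ext_value(cert, OID_NTDS_CA_SECURITY_EXT)
    flags = ("digital_signature", "content_commitment", "key_encipherment", "data_encipherment",
             "key_agreement", "key_cert_sign", "crl_sign")
    return {
        "aad_tenant_ext": _ext_value(cert, OID_AAD_TENANT_ID) is not None,
        "aad_device_ext": _ext_value(cert, OID_AAD_DEVICE_ID) is not None,
        "sid": decode_sid_extension(sid_ext.value) if sid_ext is not None else None,
        "not_before": nb,
        "not_after": na,
        "lifetime_days": round((na - nb).total_seconds() / 86400),
        "key_usage": [f for f in flags if ku is not None and getattr(ku, f)],
        "eku": [KNOWN_EKUS.get(o.dotted_string, o.dotted_string) for o in (eku or [])],
    }


def check_against_settings(report, settings):
    """Compare an audit report with the AppConfig values of this page; empty list = consistent.
    Defaults follow the page: 730 days, 1440 minutes skew, AAD extensions on, SID extension off."""
    findings = []
    max_days = settings.get("ValidityPeriodDays", 730) + settings.get("ValidityClockSkewMinutes", 1440) / 1440
    if report["lifetime_days"] > max_days:
        findings.append(f"lifetime {report['lifetime_days']}d exceeds ValidityPeriodDays plus clock skew ({max_days:g}d)")
    if settings.get("AddMicrosoftAADExtensions", True) and not (report["aad_tenant_ext"] and report["aad_device_ext"]):
        findings.append("AAD tenant/device extensions missing although AddMicrosoftAADExtensions is true")
    if not settings.get("AddSidExtension", False) and report["sid"]:
        findings.append("SID extension present although AddSidExtension is false")
    if settings.get("UseRequestedKeyUsages") is False and (
            sorted(report["key_usage"]) != ["digital_signature", "key_encipherment"] or report["eku"] != ["clientAuth"]):
        findings.append("key usages differ from the fixed set (Key Encipherment + Digital Signature, Client Authentication)")
    return findings


if __name__ == "__main__":
    cert = make_sample_cert(SAMPLE_ISSUED_AT, 365, 1440, sid=SAMPLE_SID)
    report = audit_certificate(cert)
    print(report)
    print(check_against_settings(report, {"AddSidExtension": True, "UseRequestedKeyUsages": False}))
```

The lifetime check uses `ValidityPeriodDays` plus the clock skew as the upper bound, because the backdated `notBefore` lengthens the window on the certificate even though SCEPman counts the validity from issuance. For an on-prem AD authentication scenario the decisive line is `report["sid"]`: a certificate without it is exactly what the Certifried mitigation in Active Directory will reject or warn about, and a certificate that carries a SID although `AddSidExtension` is false points to a CSR that SCEPman should not have honoured that way.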
