Azure KeyVault

Last updated 25 days ago


These settings should only be applied to the SCEPman App Service, not the Certificate Master. Please refer to .

AppConfig:KeyVaultConfig:RootCertificateConfig:AddExtendedKeyUsage

Linux: AppConfig__KeyVaultConfig__RootCertificateConfig__AddExtendedKeyUsage

Value: true or false

Description: This setting determines whether SCEPman generates its CA certificates with an Extended Key Usage extension. The extension is not required by the standards, but Cisco ISE sometimes requires it to make OCSP work.

True (default for 1.9 and above): SCEPman adds an Extended Key Usage extension to newly generated CA certificates.

False (default for 1.8 and before): SCEPman generates a CA certificate without an Extended Key Usage extension.

AppConfig:KeyVaultConfig:RootCertificateConfig:DaysExpiresIn

Linux: AppConfig__KeyVaultConfig__RootCertificateConfig__DaysExpiresIn

The validity of the generated Root CA certificate in days. Defaults to 3650, i.e. about ten years. We recommend not reducing this value, as doing so increases availability risks with no security advantage: stopping the distribution of the Root CA certificate is easy and much faster than waiting for the certificate to expire.

Changes can harm your service!

AppConfig:KeyVaultConfig:RootCertificateConfig:KeySize

Linux: AppConfig__KeyVaultConfig__RootCertificateConfig__KeySize

The length of the Root CA key in bits. New installations set this to 4096. If you remove the setting, it will default to 2048. It only applies when generating a new Root CA certificate, though.

Changes can harm your service!

AppConfig:KeyVaultConfig:RootCertificateConfig:KeyType

Linux: AppConfig__KeyVaultConfig__RootCertificateConfig__KeyType

The type of key created for the Root CA. RSA is a software-protected RSA key; RSA-HSM is HSM-protected. If you want to use an ECC key, please contact SCEPman support for further instructions.

Changes can harm your service!

AppConfig:KeyVaultConfig:KeyVaultURL

Linux: AppConfig__KeyVaultConfig__KeyVaultURL

The Azure Key Vault URL. This setting is automatically configured during the setup.

This setting MUST be in the configuration of your App Service. It is NOT possible to define this setting as a Secret in Azure Key Vault!

Changes can harm your service!

AppConfig:KeyVaultConfig:RootCertificateConfig:CertificateName

Linux: AppConfig__KeyVaultConfig__RootCertificateConfig__CertificateName

The Root Certificate Name. This setting is automatically configured during the setup.

The name does not appear in the certificate itself and is only a reference to the CA certificate within Azure Key Vault. As it is part of the URL, there are name restrictions, such as being limited to alphanumeric characters and dashes.

Changes can harm your service!

AppConfig:KeyVaultConfig:RootCertificateConfig:Subject

Linux: AppConfig__KeyVaultConfig__RootCertificateConfig__Subject

The Root Certificate Subject. This setting is automatically configured during the setup. It is used only as input at the time of CA certificate creation and will not be used anymore once a CA certificate exists.

Changes can harm your service!
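
An added example, not part of the SCEPman documentation or product: a Python check that reads App Service settings in either naming form shown above (colon or Linux double underscore) and reports values that conflict with this page. The `audit` function, the sample settings and the vault name are constructed for illustration; requiring an https Key Vault URL and exact-case `RSA`/`RSA-HSM` values are assumptions.

```python
import json
import re
from urllib.parse import urlparse

KV = "AppConfig:KeyVaultConfig:"
ROOT = KV + "RootCertificateConfig:"

def audit(app_settings):
    """Return findings for a list of {"name", "value"} App Service settings."""
    # The Linux form uses "__" where the Windows form uses ":".
    cfg = {s["name"].replace("__", ":"): str(s.get("value") or "").strip()
           for s in app_settings}
    out = []
    url = urlparse(cfg.get(KV + "KeyVaultURL", ""))
    if url.scheme != "https" or not url.hostname:  # https requirement is an assumption
        out.append("KeyVaultURL: missing from the App Service settings or not an https URL")
    key_type = cfg.get(ROOT + "KeyType")
    if key_type is not None and key_type not in ("RSA", "RSA-HSM"):
        out.append(f"KeyType: {key_type!r} is neither RSA nor RSA-HSM")
    size = cfg.get(ROOT + "KeySize")
    if size is None:
        out.append("KeySize: unset, so a newly generated Root CA key defaults to 2048 bits")
    elif not size.isdigit() or int(size) < 4096:
        out.append(f"KeySize: {size!r} is not a number of at least 4096 (set by new installations)")
    days = cfg.get(ROOT + "DaysExpiresIn")
    if days is not None and (not days.isdigit() or int(days) < 3650):
        out.append(f"DaysExpiresIn: {days!r} is not a number of at least 3650 (the default)")
    eku = cfg.get(ROOT + "AddExtendedKeyUsage")
    if eku is not None and eku.lower() not in ("true", "false"):
        out.append(f"AddExtendedKeyUsage: {eku!r} is not true or false")
    name = cfg.get(ROOT + "CertificateName")
    if name is not None and not re.fullmatch(r"[0-9A-Za-z-]+", name):
        out.append(f"CertificateName: {name!r} has characters other than alphanumerics and dashes")
    return out

# Constructed sample in the name/value shape of an App Service settings export (Linux names).
SAMPLE = json.loads("""[
 {"name": "AppConfig__KeyVaultConfig__KeyVaultURL", "value": "https://kv-example.vault.azure.net/"},
 {"name": "AppConfig__KeyVaultConfig__RootCertificateConfig__CertificateName", "value": "SCEPman_Root"},
 {"name": "AppConfig__KeyVaultConfig__RootCertificateConfig__KeyType", "value": "RSA-HSM"},
 {"name": "AppConfig__KeyVaultConfig__RootCertificateConfig__DaysExpiresIn", "value": "365"}
]""")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The KeySize, KeyType and Subject findings matter only before a Root CA certificate is generated, since the page states these settings apply at creation time.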
