Enterprise deployment

GitHub Deployment

Last updated 21 days ago

The deployment of SCEPman 2.x is different from a SCEPman 1.x deployment. If you want to install a new SCEPman 2.x instance or upgrade your existing 1.x instance, keep reading.

New SCEPman 2.0 Instance

Deploy Azure Resources

Log in with an AAD administrator account and visit this site, then choose and click one of the following deployment links:

  • Production channel

  • Beta channel

  • Internal channel (Experimental!)

  • Production channel in GCC High national cloud

  • Production channel in 21Vianet national cloud

Fill out the values in the form:

  • Subscription: Select the subscription in which you have permissions to create App Services, a Storage Account, an App Service Plan, and a Key Vault

  • Resource group: Select an existing resource group or create a new one. The SCEPman resources will be deployed to this resource group

  • Region: Select the region according to your location

  • Org Name: Name of your company or organization, used as the subject name (O RDN) of the CA certificate. To maximize compatibility, we recommend omitting

    • language-specific special characters (e.g. ö, ø, é, ...)

    • a leading space (spaces between words can be used)

    • quotation marks

  • License: leave as "trial" to deploy a Community Edition, or paste your license key for the Enterprise Edition of SCEPman

  • Ca Key Type:

    • RSA-HSM (recommended, HSM-backed root CA)

    • RSA (software-backed root CA)

  • Storage Account Name: the name must be between 3 and 24 characters in length and may contain numbers and lowercase letters only

  • Key Vault Name, App Service Plan Name, Primary App Service Name, Log Analytics Workspace Name, Certificate Master App Service Name, Virtual Network Name, Private Endpoint for Key Vault Name and Private Endpoint for Table Storage: define a globally unique name for each. Replace UNIQUENAME with a value that hints at your organization name

  • Existing App Service Plan ID: Provide the App Service Plan ID of an existing App Service Plan, or keep the default value 'none' to create a new one. To find your existing App Service Plan ID, navigate to your existing App Service Plan > JSON View and copy the Resource ID (see screenshots)

  • Deploy on Linux:

    • true (deploys SCEPman on a Linux App Service Plan)

    • false (deploys to a Windows App Service Plan)

  • Deploy Private Network:

    • true (recommended, isolates the Key Vault and Storage Account behind private endpoints so that, from a networking perspective, only SCEPman can access them)

    • false (Key Vault and Storage Account can be accessed from any IP address)

  • Location: the location of all resources. The default value [resourceGroup().location] follows Microsoft's recommendation; you can leave it as it is

  • Click Review + create, then Create
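As an added pre-flight check (not part of the SCEPman documentation or its ARM template), the following Python encodes the form rules above so a filled-in parameter set can be checked before clicking Create. The form keys (orgName, storageAccountName, resourceNames, existingAppServicePlanId) are hypothetical names chosen for this example, and the resource ID shape is the standard Microsoft.Web/serverfarms form.

```python
import re

# Rules taken from the form fields above; the App Service Plan resource ID
# shape is the standard Microsoft.Web/serverfarms form.
STORAGE_NAME_RE = re.compile(r"^[a-z0-9]{3,24}$")
PLAN_ID_RE = re.compile(
    r"^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[^/]+"
    r"/providers/Microsoft\.Web/serverfarms/[^/]+$"
)

def check_org_name(org: str) -> list:
    """Compatibility problems in the O RDN value, per the recommendations above."""
    problems = []
    if org.startswith(" "):
        problems.append("Org Name has a leading space")
    if any(c in org for c in "\"'"):
        problems.append("Org Name contains quotation marks")
    if any(ord(c) > 127 for c in org):
        problems.append("Org Name contains language-specific special characters")
    return problems

def check_storage_account_name(name: str) -> list:
    """3-24 characters, lowercase letters and digits only."""
    if STORAGE_NAME_RE.match(name):
        return []
    return ["Storage Account Name must be 3-24 lowercase letters or digits"]

def check_unique_names(names: dict) -> list:
    """Every resource name must have had the UNIQUENAME placeholder replaced."""
    return [f"{field} still contains UNIQUENAME"
            for field, value in names.items() if "UNIQUENAME" in value]

def check_plan_id(plan_id: str) -> list:
    """'none' creates a new plan; anything else must be a serverfarms resource ID."""
    if plan_id == "none" or PLAN_ID_RE.match(plan_id):
        return []
    return ["Existing App Service Plan ID is neither 'none' nor a resource ID"]

def validate_form(form: dict) -> list:
    """Collect all problems for one filled-in form (hypothetical key names)."""
    return (check_org_name(form["orgName"])
            + check_storage_account_name(form["storageAccountName"])
            + check_unique_names(form["resourceNames"])
            + check_plan_id(form["existingAppServicePlanId"]))
```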

In case you have previously deployed SCEPman with the same Key Vault Name and deleted all resources of the previous deployment, make sure to recover the previously deleted Key Vault. It will re-appear in the previous resource group. The ARM deployment, if pointed to the same resource group, will recognize the existing Key Vault and re-use it. A full deletion of the previous Key Vault is not feasible, because Purge Protection retains it for 90 days.

After a successful deployment of SCEPman 2.x, please follow the Post-Installation Configuration article.

Upgrade from 1.x to 2.x

SCEPman 2.0 comprises two additional Azure resources, an Azure Storage Account and an App Service called "Cert Master". These are used to issue and manage the server certificates. However, you can also run SCEPman 2.0 without them if you only need client certificates, as before.

If you are still running SCEPman 1.x, ensure that your instance uses 2.x application artifacts as described in the Application Artifacts article. Please restart your App Service afterward.

Add SCEPman Cert Master

Before adding the Cert Master component through the PowerShell script mentioned below, the existing SCEPman base service must be updated to version >= 2.0 as described in the previous paragraph.

If you want to use the new SCEPman Cert Master component to issue server certificates, you need to add the additional Azure resources and configure them. This also enables authentication as a Managed Identity; one advantage is that you no longer require any application secrets, so you also don't need to worry about application secrets expiring. This is how you do it: follow the Managed Identities guide. In contrast to a new installation, this will also create the two new Azure resources.

Downgrade from 2.x to 1.x

You can downgrade to any older SCEPman version by downloading the older artifacts, hosting them in a location of your own (e.g. Azure Blob Storage), and then referencing the binaries using the WEBSITE_RUN_FROM_PACKAGE setting.

However, if you also used the SCEPman PowerShell module to upgrade the internal wiring, there is one caveat: 2.x supports a different way of authenticating to Graph and Intune using Managed Identities, which is the new default and which the script enables. If you downgrade your main component, it will not be able to use the new way of authentication and will be missing one setting for the old one, so it will no longer work. Thus, after a downgrade, you must manually change the application settings AppConfig:AuthConfig:ApplicationId and AppConfig:AuthConfig:ApplicationKey. The script creates backups of these settings by prefixing them with Backup:. Rename Backup:AppConfig:AuthConfig:ApplicationKey back to AppConfig:AuthConfig:ApplicationKey and copy the old value from Backup:AppConfig:AuthConfig:ApplicationId to AppConfig:AuthConfig:ApplicationId. Then the 1.x instance will work again, using authentication based on App Registrations.
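As an added example (not part of the SCEPman documentation or its PowerShell module), the following Python performs the two setting changes described above on the output of `az webapp config appsettings list` and produces the input for `az webapp config appsettings set --settings @file` and `az webapp config appsettings delete --setting-names`, so the restored client secret never has to appear on a command line. The sample settings are constructed, and the @file list format is assumed to match what `appsettings list` prints.

```python
import json

BACKUP_PREFIX = "Backup:"
APP_ID = "AppConfig:AuthConfig:ApplicationId"
APP_KEY = "AppConfig:AuthConfig:ApplicationKey"

def appsettings_from_az(json_text: str) -> dict:
    """Parse `az webapp config appsettings list` output (a JSON list of
    {name, value, slotSetting} objects) into a name -> value dict."""
    return {entry["name"]: entry["value"] for entry in json.loads(json_text)}

def restore_app_registration_auth(settings: dict) -> dict:
    """Copy of the settings with the 1.x App Registration settings restored from
    the Backup: copies. Raises KeyError if a backup is missing (nothing half-applied)."""
    backup_key, backup_id = BACKUP_PREFIX + APP_KEY, BACKUP_PREFIX + APP_ID
    missing = [k for k in (backup_key, backup_id) if not settings.get(k)]
    if missing:
        raise KeyError("no backup to restore from: " + ", ".join(missing))
    restored = dict(settings)
    # ApplicationKey is renamed back, so its Backup: copy disappears.
    restored[APP_KEY] = restored.pop(backup_key)
    # ApplicationId gets the old value copied back; its Backup: copy stays.
    restored[APP_ID] = settings[backup_id]
    return restored

def az_change_set(before: dict, after: dict) -> tuple:
    """Split the diff into the JSON list for `appsettings set --settings @file`
    (assumed to be the same shape `appsettings list` prints) and the names for `delete`."""
    upsert = [{"name": k, "value": v, "slotSetting": False}
              for k, v in after.items() if before.get(k) != v]
    removed = [k for k in before if k not in after]
    return json.dumps(upsert, indent=2), removed

# Constructed sample of the state the 2.x upgrade script leaves behind; all values are fake.
SAMPLE_AZ_OUTPUT = json.dumps([
    {"name": APP_ID, "value": "22222222-2222-2222-2222-222222222222", "slotSetting": False},
    {"name": BACKUP_PREFIX + APP_ID, "value": "11111111-1111-1111-1111-111111111111", "slotSetting": False},
    {"name": BACKUP_PREFIX + APP_KEY, "value": "constructed-old-client-secret", "slotSetting": False},
    {"name": "WEBSITE_RUN_FROM_PACKAGE", "value": "https://example.invalid/scepman-1.x.zip", "slotSetting": False},
])

if __name__ == "__main__":
    before = appsettings_from_az(SAMPLE_AZ_OUTPUT)
    upsert_json, to_delete = az_change_set(before, restore_app_registration_auth(before))
    with open("restore.json", "w") as f:  # then: az webapp config appsettings set --settings @restore.json
        f.write(upsert_json)
    print("delete with --setting-names:", " ".join(to_delete))
```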