Deploying SCEPman 2.x differs from deploying SCEPman 1.x. If you want to install a new SCEPman 2.x instance or upgrade an existing 1.x instance, keep reading.
Deploy Azure Resources
Log in with an AAD administrator account, visit this site and click one of the following deployment links:
Fill out the values in the form:
- Subscription: Select the subscription in which you have permission to create App Services, an App Service Plan, a Storage Account and a Key Vault
- Resource group: Select an existing resource group or create a new one. The SCEPman resources will be deployed to this resource group
- Region: Select the region according to your location
- Location: Location of all resources. The default value [resourceGroup().location] is Microsoft's recommendation; you can leave it as it is
- Org Name: Name of your company or organization for the certificate subject
To maximize compatibility, we recommend omitting the following in the Org Name:
- language-specific special characters (e.g. ö, ø, é, ...)
- a leading space (spaces between words can be used)
- quotation marks
- License: Leave it at "trial" to deploy a Community Edition, or paste your license key, if you already have one, for an Enterprise Edition
- Key Vault Name, App Service Name and App Service Cert Master Name: Define a unique name for each by replacing the placeholder UNIQUENAME
In case you have previously deployed SCEPman with the same Key Vault Name and deleted all resources of the previous deployment, make sure to purge the previously deleted Key Vault. By default, a deleted Key Vault remains in soft-delete state for 90 days, which blocks the creation of a new Key Vault with the same name.
- Storage Account Name: The name must be between 3 and 24 characters in length and may contain only numbers and lowercase letters
- Existing App Service Plan ID: Provide the resource ID of an existing App Service Plan, or keep the default value 'none' to create a new one
To find your existing App Service Plan ID, navigate to the existing App Service Plan -> JSON View and copy the Resource ID (see screenshots)
- Review + create, then Create
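The following is an added example, not part of the SCEPman documentation or the SCEPman PowerShell module: a pre-flight script using the Az PowerShell module that checks the values you are about to type into the form above. It validates the Org Name against the three recommendations, checks the Storage Account Name format and global availability, purges a soft-deleted Key Vault that would block the deployment, and looks up the resource ID of an existing App Service Plan. All names in $params are placeholders; replace them with your own.

```powershell
# Added example (not SCEPman's own code): pre-flight checks for the deployment form.
# Requires the Az module and an active session: Install-Module Az; Connect-AzAccount
$params = @{
    OrgName            = 'Contoso Ltd'                # placeholder
    KeyVaultName       = 'kv-scepman-contoso'         # placeholder, replaces UNIQUENAME
    StorageAccountName = 'stscepmancontoso'           # placeholder
    Location           = 'westeurope'                 # placeholder
    AppServicePlanRG   = 'rg-shared'                  # only needed for an existing plan
    AppServicePlanName = 'asp-shared'                 # only needed for an existing plan
}

# 1. Org Name: report the characters the form recommends against
#    (leading space, quotation marks, non-ASCII characters such as ö, ø, é).
function Test-ScepmanOrgName([string]$Name) {
    $problems = @()
    if ($Name -match '^\s')          { $problems += 'leading space' }
    if ($Name -match '["'']')        { $problems += 'quotation marks' }
    if ($Name -match '[^\x20-\x7E]') { $problems += 'non-ASCII characters' }
    return $problems
}

# 2. Storage Account Name: 3-24 characters, lowercase letters and digits only,
#    and the name must still be free across all of Azure.
function Test-ScepmanStorageAccountName([string]$Name) {
    if ($Name -notmatch '^[a-z0-9]{3,24}$') { return 'invalid format' }
    $avail = Get-AzStorageAccountNameAvailability -Name $Name
    if (-not $avail.NameAvailable) { return "not available: $($avail.Reason)" }
    return 'ok'
}

# 3. Key Vault: a soft-deleted vault with the same name blocks the deployment, so purge it.
#    Note: purging needs the Key Vault purge permission, and a vault that had purge
#    protection enabled cannot be purged before its retention period ends.
function Remove-SoftDeletedKeyVault([string]$VaultName, [string]$Location) {
    $deleted = Get-AzKeyVault -VaultName $VaultName -Location $Location -InRemovedState -ErrorAction SilentlyContinue
    if ($deleted) {
        Write-Host "Purging soft-deleted Key Vault $VaultName ..."
        Remove-AzKeyVault -VaultName $VaultName -Location $Location -InRemovedState -Force
    } else {
        Write-Host "No soft-deleted Key Vault named $VaultName found."
    }
}

# 4. Existing App Service Plan: the resource ID is what the form expects.
function Get-AppServicePlanId([string]$ResourceGroup, [string]$PlanName) {
    return (Get-AzAppServicePlan -ResourceGroupName $ResourceGroup -Name $PlanName).Id
}

$orgProblems = Test-ScepmanOrgName $params.OrgName
if ($orgProblems) { Write-Warning "Org Name: $($orgProblems -join ', ')" } else { Write-Host 'Org Name: ok' }
Write-Host "Storage Account Name: $(Test-ScepmanStorageAccountName $params.StorageAccountName)"
Remove-SoftDeletedKeyVault -VaultName $params.KeyVaultName -Location $params.Location
Write-Host "Existing App Service Plan ID: $(Get-AppServicePlanId $params.AppServicePlanRG $params.AppServicePlanName)"
```

Run it in the same subscription you select in the form. If you do not intend to reuse an App Service Plan, drop the last line and keep 'none' in the form.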
SCEPman 2.0 comprises two additional Azure resources, an Azure Storage account and an App Service called "Cert Master". These are used to issue and manage server certificates. You can also run SCEPman 2.0 without them if you only need client certificates, as before.
If you are still running SCEPman 1.x, make sure your instance uses the 2.x application artifacts as described here: Application Artifacts.
Restart your App Service afterwards.
Before adding the Cert Master component with the SCEPman PowerShell module mentioned below, the existing SCEPman base service must be updated to version 2.0 or later as described in the previous paragraph.
If you want to use the new SCEPman Cert Master component to issue server certificates, you need to add the additional Azure resources and configure them. This also enables authentication via Managed Identity, so application secrets are no longer required and you no longer have to worry about their expiration. This is how you do it:
After upgrading the main component, follow the Post-Installation Configuration guide. In contrast to a new installation, this will also create the two new Azure resources.
You can downgrade to any older SCEPman version by downloading the older artifacts, hosting them in a location of your choice, e.g. Azure Blob storage, and referencing the binaries via the WEBSITE_RUN_FROM_PACKAGE setting.
However, if you also used the SCEPman PowerShell module to upgrade the internal wiring, there is one caveat: 2.x supports a different way of authenticating to Graph and Intune using Managed Identities, which is the new default and which the script enables. A downgraded main component cannot use the new authentication method and is missing one setting for the old one, so it will no longer work. Thus, after a downgrade, you must manually restore the application settings AppConfig:AuthConfig:ApplicationId and AppConfig:AuthConfig:ApplicationKey. The script backs up the original settings under the same names prefixed with Backup:, so copy the value of Backup:AppConfig:AuthConfig:ApplicationId into AppConfig:AuthConfig:ApplicationId and the value of Backup:AppConfig:AuthConfig:ApplicationKey into AppConfig:AuthConfig:ApplicationKey. Then 1.x will work again using authentication based on the App Registration. Keep in mind that ApplicationKey is an App Registration secret, so its expiration becomes your concern again once it is back in use.
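The following is an added example, not part of the SCEPman documentation or the SCEPman PowerShell module. It covers both the artifact switch (the same WEBSITE_RUN_FROM_PACKAGE step used to move a 1.x instance to the 2.x artifacts) and the downgrade case described above: it points the App Service at a self-hosted package, optionally copies the Backup:-prefixed auth settings back to their original names, and restarts the app. Resource names and the package URL are placeholders; it assumes the backup settings are named exactly Backup: followed by the original key, as the text states.

```powershell
# Added example (not SCEPman's own code): switch the SCEPman artifact package and,
# when downgrading to 1.x, restore the App Registration auth settings from their backups.
# Requires the Az module and an active session: Install-Module Az; Connect-AzAccount
$ResourceGroup = 'rg-scepman'                                                          # placeholder
$AppName       = 'app-scepman-contoso'                                                 # placeholder
# The package must be readable by the App Service; for a private blob container
# append a read-only SAS token to the URL.
$PackageUrl    = 'https://<yourstorage>.blob.core.windows.net/artifacts/Artifacts.zip' # placeholder
$RestoreAppRegistrationAuth = $true   # $true only when downgrading after the 2.x script ran

$app = Get-AzWebApp -ResourceGroupName $ResourceGroup -Name $AppName

# Set-AzWebApp -AppSettings replaces the whole collection, so start from the current
# settings instead of passing only the keys being changed.
$settings = @{}
foreach ($s in $app.SiteConfig.AppSettings) { $settings[$s.Name] = $s.Value }

$settings['WEBSITE_RUN_FROM_PACKAGE'] = $PackageUrl

if ($RestoreAppRegistrationAuth) {
    foreach ($key in 'AppConfig:AuthConfig:ApplicationId', 'AppConfig:AuthConfig:ApplicationKey') {
        $backup = "Backup:$key"
        if (-not $settings.ContainsKey($backup)) {
            # Stop rather than write a half-restored configuration.
            throw "Setting $backup not found; restore $key by hand from your App Registration."
        }
        $settings[$key] = $settings[$backup]
    }
}

Set-AzWebApp -ResourceGroupName $ResourceGroup -Name $AppName -AppSettings $settings | Out-Null
# A restart is required after changing the package reference, as in the upgrade steps above.
Restart-AzWebApp -ResourceGroupName $ResourceGroup -Name $AppName | Out-Null
Write-Host "$AppName now runs from $PackageUrl"
```

The script leaves the Backup: entries in place, so you can repeat the procedure or inspect the previous values later; remove them once the downgrade is confirmed if you do not want the secret stored twice in the app settings.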