Use Cases

This page gives an overview of the common use cases and scenarios for which our clients use SCEPman as a cloud CA. While we cannot provide support for the intricacies of every vendor solution, we hope this overview helps you quickly assess whether SCEPman could fit your scenario too, without overwhelming you with less common or even exotic use cases. If you are unsure, just drop us a question.

Secure WiFi and Network Access

Certificates issued by SCEPman are widely used for certificate-based network authentication (802.1X / EAP-TLS) for WiFi, Wired/LAN and VPN, typically together with a network access control (NAC) service that speaks the RADIUS or RadSec protocol. Commonly used services include:
  • Aruba ClearPass
  • Cisco ISE / Cisco ASA
  • Azure VPN Gateway / Azure AlwaysOn VPN
  • Fortinet FortiGate
  • Palo Alto GlobalProtect

Certificate-based Authentication

You can enrol user authentication certificates with SCEPman for TLS client authentication. This allows authentication to web sites or services such as
  • Internal web applications
  • Microsoft 365
    • Exchange Online
    • Azure Active Directory (AAD) / Azure CBA (currently no CRL support)
  • Other cloud services
  • Remote Desktop connections
    • AVD
    • Windows server administration

MDM Solutions

To automate the deployment of the relevant configuration profiles and to keep certificates up to date (auto-renewal), we recommend using SCEPman together with an MDM solution. While SCEPman natively integrates with Microsoft Endpoint Manager/Intune and Jamf Pro, our customers have also successfully deployed SCEPman with other MDM solutions.
The table below provides an overview of the most commonly used MDM solutions and indicates whether and how certificate revocation is possible.
MDM Solution | Supported Platforms | Issuance & Auto-renewal | Automatic Revocation | Manual Revocation
Windows macOS iOS
iPadOS Android Ubuntu
macOS iOS iPadOS
ChromeOS Android
macOS iOS
iOS iPadOS
Windows macOS iOS
iPadOS Android Ubuntu
macOS iOS iPadOS
*: Only works with user-type certificates if the user objects are synced from Azure AD.

On-premise to Cloud Migration

Since SCEPman is a cloud-native, general-purpose CA, many of our clients who migrate their infrastructure into the cloud use SCEPman to replace their on-premise Microsoft PKI/AD CS and NDES. This is generally possible, as long as the devices that are to receive certificates are hybrid or fully Azure AD joined.