Use Cases
This page gives you an overview of the common use cases and scenarios for which our clients use SCEPman as a cloud CA. While we cannot provide support for the intricacies of every vendor solution, we hope this overview helps you quickly assess whether SCEPman could be a fit for your scenario, too, without overwhelming you with less common or even exotic use cases. If you are unsure, just drop us a question.
Certificates issued by SCEPman are widely used for certificate-based network authentication (802.1X / EAP-TLS) for WiFi, Wired/LAN and VPN, typically along with a network access control (NAC) service that speaks the RADIUS or RadSec protocol. Common services of this kind are:
- Aruba ClearPass
- Cisco ISE / Cisco ASA
- Azure VPN Gateway / Azure AlwaysOn VPN
- Fortinet FortiGate
- Palo Alto GlobalProtect
You can enrol user authentication certificates with SCEPman for TLS client authentication. This allows authentication to web sites or services such as:
- Internal web applications
- Microsoft 365
- Exchange Online
- Azure Active Directory (AAD) / Azure CBA (currently no CRL support)
- Other cloud services
- Remote Desktop connections
- AVD
- Windows server administration
To automate the deployment of the relevant configuration profiles and to keep certificates up to date (auto-renewal), we recommend using SCEPman along with an MDM solution. While SCEPman natively integrates with Microsoft Endpoint Manager/Intune and Jamf Pro, our customers have successfully deployed SCEPman along with other MDM solutions.
The table below provides an overview of the most commonly used MDM solutions and indicates whether and how certificate revocation is possible.
| MDM Solution | Supported Platforms | Issuance & Auto-renewal | Automatic Revocation | Manual Revocation | Links |
|---|---|---|---|---|---|
| | Windows, macOS, iOS, iPadOS, Android, Ubuntu | ☑ | ☑ | ☑ | |
| | macOS, iOS, iPadOS | ☑ | ☑ | ☑ | |
| | ChromeOS, Android | ☑ | ☑ | ☑ | |
| | macOS, iOS | ☑ | | ☑ | |
| | iOS, iPadOS | ☑ | | ☑ | |
| | Windows, macOS, iOS, iPadOS, Android, Ubuntu | ☑ | | ☑ | |
| | macOS, iOS, iPadOS | ☑ | ☑ | ☑ | |
*: Only works with user-type certificates if the user objects are synced from Azure AD.
Since SCEPman is a cloud-native, general-purpose CA, many of our clients who migrate their infrastructure into the cloud use SCEPman to replace their on-premises Microsoft PKI/AD CS and NDES. This is generally possible as long as the devices that are to receive certificates are hybrid or fully Azure AD joined.
Last modified 1mo ago