Use Cases

This page is intended to give you an overview of common use cases and scenarios our clients leverage SCEPman as cloud-CA for. While we cannot provide support for the intricacies of every vendor solution, we hope this overview helps you to quickly assess whether SCEPman could be a fit for your scenario, too - without overwhelming you with less common or even exotic use-cases. If you are unsure, just drop us a question.

Secure WiFi and Network Access

Certificates issued by SCEPman are widely used for the purpose of certificate-based network authentication (802.1X / EAP-TLS) for WiFi, Wired/LAN and VPN, typically along with a network access control (NAC) service that speaks the RADIUS or RadSec protocol. Such services commonly are
  • Aruba ClearPass
  • Cisco ISE / Cisco ASA
  • Azure VPN Gateway / Azure AlwaysOn VPN
  • Fortinet FortiGate
  • Palo Alto GlobalProtect
In addition to typical user-centric client devices such as laptops, PCs or Macs, kiosk devices such as point of sales or self-checkout systems, scanner/barcode guns or customer terminals are often equipped with certificates from SCEPman for secure network authentication.

Certificate-based Authentication

You can enrol user authentication certificates with SCEPman for TLS client authentication. This allows authentication to web sites or services such as
  • Internal web applications
  • Microsoft 365
  • Other cloud services
  • Remote Desktop connections
    • AVD
    • Windows server administration

MDM Solutions

To automate the deployment of relevant configuration profiles and to keep certificates up to date (auto-renewal), we recommend to use SCEPman along with an MDM solution. While SCEPman natively integrates with Microsoft Endpoint Manager/Intune and Jamf Pro, our customers have successfully deployed SCEPman along with other MDM solutions.
Below table provides an overview of the most commonly used MDM solutions and indicates how/if certificate revocation is possible.
MDM Solution
Supported Platforms
Issuance & Auto-renewal
Automatic Revocation
Manual Revocation
Windows macOS iOS
iPadOS Android Ubuntu
macOS iOS iPadOS
ChromeOS Android
macOS iOS
(no auto-renew)
iOS iPadOS
Windows macOS iOS
iPadOS Android Ubuntu
macOS iOS iPadOS
*: Only works with user-type certificates if the user-objects are synced from Azure AD.

On-premise to Cloud Migration

Since SCEPman is a cloud-native general purpose CA, many of our clients who migrate their infrastructure into the cloud, use SCEPman to replace their on-premise Microsoft PKI/AD CS and NDES. Generally this is always possible, as long as the devices that shall receive certificates are hybrid- or full-Azure-AD-joined.

IoT Devices

SCEPman can be utilized to supply certificates to IoT devices. Therefore, SCEPman supports an ECC CA allowing performance- and energy-optimized cryptographic algorithms on devices with limited computational resources or on devices relying on battery power. SCEPman's flexibility supports issuing certificates with long validity periods allowing a long-term offline operation without the need to renew certificates regularly. Furthermore, certificates can be enrolled on an assembly line in a convenient way by leveraging SCEPman's REST API with Azure AD-based authentication.