Linux Server
Last updated
This feature requires version 2.3.689 or above.
SCEPman Enterprise Edition only
While SCEPman's other use cases interactively authenticate a user and then only allow that user to enroll certificates for their own account or devices, you may need to enroll certificates non-interactively for arbitrary subjects, for example server certificates on a Linux host.
To accomplish this, a service principal is authenticated and allowed to use SCEPman's Enrollment REST API.
Certificates enrolled in this scenario are of the type Static.
The enrollrenewcertificate.sh script can be used to initially obtain a certificate, and to verify an existing one and attempt a renewal when it is about to expire.
Example:
Defines the behavior of the script.
For this use case, the following options can be used:
-s for a server certificate, with auto-detection of whether it is an initial enrollment or a renewal
-y for the initial enrollment of a server certificate
-c for submitting an existing certificate signing request
For Client Authentication use cases, see: Non-Intune-managed Linux Client
The URL of the SCEPman app service.
Example: "https://scepman.contoso.net/"
This is the Application ID URI of the SCEPman-api app registration in your environment.
Example: "api://a7a1d6c8-51b9-48ec-9ca0-a363dc2c8436"
The filename (without extension) of the certificate that will be created, or read for renewal.
Example: "myCertificate"
The directory in which the certificate will be created or renewed.
Example: ~/certs/
The number of days before expiry at which the script begins the renewal process.
Example: 30
The Application (Client) ID of the app registration to authenticate as.
The client secret created for that app registration.
The tenant ID of the app registration.
The subject to enroll the certificate with.
Format: /CN=SubjectName,O=Organization
Added as a subject alternative name (SAN).
Example: DNS:webserver.contoso.com
This script does not encrypt the generated private keys: encryption would require a passphrase to be entered, which has been omitted to allow for automatic renewal. Restrict access to the key file with file-system permissions instead.
If you are renewing passphrase-protected certificates issued from Certificate Master, you will need to enter this passphrase in order to renew them.
When the script is run and detects that a certificate has already been enrolled, it renews the certificate (if it is close to expiry) over mTLS, authenticating with the existing certificate. Running the script regularly ensures the certificate is renewed as it approaches expiry; a cron job is the usual way to do this. The command below is an example: it sets up one cron job that runs the script daily (if the system is powered on) and another that runs it on reboot.
Because commands run by cron are not necessarily executed from the directory containing the script and certificates, provide absolute paths to both.
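The enrollment-or-renewal decision and the cron entries described above, as an added shell example written for this page. It is not SCEPman's enrollrenewcertificate.sh and does not reproduce that script's options. The Enrollment REST API endpoint path (ENROLL_PATH), the PEM-in/PEM-out request shape and the Content-Type header are assumptions the page does not state and must be checked against the API documentation for your SCEPman version; the certificate locations and the /opt/scepman/enroll.sh cron path are hypothetical.

```shell
#!/bin/sh
# Added example for this page; it is not SCEPman's own enrollrenewcertificate.sh.
# It reproduces the decision the page describes: no certificate yet -> initial
# enrollment with a service-principal bearer token; certificate within the
# renewal window -> renewal over mTLS with the existing certificate and key;
# otherwise nothing to do. Assumptions not taken from the page: the endpoint
# path in ENROLL_PATH and the request/response shape (PEM CSR in, PEM
# certificate out, Content-Type application/pkcs10); verify them against the
# Enrollment REST API documentation for your SCEPman version before use.
set -eu
umask 077   # keys and certificates are written readable by the owner only

SCEPMAN_URL="${SCEPMAN_URL:-https://scepman.contoso.net/}"
API_APP_ID_URI="${API_APP_ID_URI:-api://a7a1d6c8-51b9-48ec-9ca0-a363dc2c8436}"
ENROLL_PATH="${ENROLL_PATH:-api/csr}"            # assumption, see header comment
CERT_DIR="${CERT_DIR:-${HOME:-.}/certs}"
CERT_NAME="${CERT_NAME:-myCertificate}"
RENEW_DAYS="${RENEW_DAYS:-30}"
SUBJECT="${SUBJECT:-/CN=webserver.contoso.com/O=Contoso}"   # openssl -subj syntax
SAN="${SAN:-DNS:webserver.contoso.com}"
# CLIENT_ID, CLIENT_SECRET and TENANT_ID are expected in the environment for
# the initial enrollment only; a renewal needs nothing but the files on disk.

# enrollment_action CERT_FILE THRESHOLD_DAYS
# prints enroll (no certificate yet), renew (expires within threshold) or keep
enrollment_action() {
    cert="$1"; threshold="$2"
    if [ ! -f "$cert" ]; then echo enroll; return 0; fi
    # -checkend N exits 0 only if the certificate is still valid N seconds from now
    if openssl x509 -in "$cert" -noout -checkend "$((threshold * 86400))" >/dev/null 2>&1; then
        echo keep
    else
        echo renew
    fi
}

# make_csr KEY_OUT CSR_OUT SUBJECT SAN: fresh 2048-bit RSA key, left unencrypted
# (as the page notes) so that cron can use it; the umask above protects the file.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -subj "$3" -addext "subjectAltName=$4" 2>/dev/null   # -addext needs OpenSSL 1.1.1+
}

# Bearer token for the SCEPman-api app registration, obtained as the service principal.
get_token() {
    az login --service-principal -u "$CLIENT_ID" -p "$CLIENT_SECRET" \
        --tenant "$TENANT_ID" >/dev/null
    az account get-access-token --resource "$API_APP_ID_URI" \
        --query accessToken -o tsv
}

# submit_csr CSR_IN CERT_OUT [CLIENT_CERT CLIENT_KEY]
# Without a client certificate the request carries a bearer token (initial
# enrollment); with one, curl performs mTLS and no token is needed (renewal).
submit_csr() {
    if [ "$#" -ge 4 ]; then
        curl -fsS --cert "$3" --key "$4" -H "Content-Type: application/pkcs10" \
            --data-binary "@$1" -o "$2" "${SCEPMAN_URL}${ENROLL_PATH}"
    else
        curl -fsS -H "Authorization: Bearer $(get_token)" -H "Content-Type: application/pkcs10" \
            --data-binary "@$1" -o "$2" "${SCEPMAN_URL}${ENROLL_PATH}"
    fi
}

main() {
    base="$CERT_DIR/$CERT_NAME"; cert="$base.pem"; key="$base.key"; csr="$base.csr"
    mkdir -p "$CERT_DIR"
    action=$(enrollment_action "$cert" "$RENEW_DAYS")
    if [ "$action" = keep ]; then
        echo "$cert is valid for more than $RENEW_DAYS days, nothing to do"
        return 0
    fi
    # A new key pair for every issuance; the old files stay in place until the
    # new certificate has been received, so a failed run changes nothing.
    make_csr "$key.new" "$csr" "$SUBJECT" "$SAN"
    if [ "$action" = renew ]; then
        submit_csr "$csr" "$cert.new" "$cert" "$key"
    else
        submit_csr "$csr" "$cert.new"
    fi
    openssl x509 -in "$cert.new" -noout >/dev/null   # the response must parse as a certificate
    mv "$key.new" "$key"; mv "$cert.new" "$cert"; rm -f "$csr"
    echo "$action completed for $cert"
}

# cron_entries SCRIPT LOG: the two crontab lines the page describes (daily and at
# reboot), with absolute paths because cron does not start in the script's directory.
cron_entries() {
    printf '0 3 * * * %s run >> %s 2>&1\n@reboot %s run >> %s 2>&1\n' "$1" "$2" "$1" "$2"
}

# The real flow runs only when the script is invoked as: /opt/scepman/enroll.sh run
if [ "${1:-}" = run ]; then main; fi
```

To install the cron jobs without discarding existing entries, append the generated lines to the current crontab, for example `(crontab -l 2>/dev/null; cron_entries /opt/scepman/enroll.sh /var/log/scepman-enroll.log) | crontab -`. The renewal path deliberately does not call `az login`: once a certificate exists, the client secret is no longer needed on the host for renewals, which is the reason the page's script uses mTLS for that step.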
The following prerequisites must be present on the executing client/host to be able to use the Enrollment REST API.
The Azure CLI is used to authenticate the enrolling identity (in this scenario, the service principal), to check its eligibility, and to retrieve the access token.
Used to send the created CSR to the SCEPman Enrollment API endpoint and to receive the certificate.
OpenSSL is used to generate a private key and create a CSR for enrolling or renewing a certificate.
Required for certificate renewal
Configure your SCEPman App Service to accept mTLS client certificates. In the Configuration blade of the Settings section, verify that the Client certificate mode under Incoming client certificates is set to Optional.
Do not set the Client certificate mode to Require or Allow: either would break normal operation of SCEPman on the SCEP endpoints, because SCEP clients cannot respond to a client-certificate request in the TLS handshake.
In order to make use of this scenario, you must set the following Environment Variables on the SCEPman app service.
Required for certificate enrollment and renewal
Set this variable to true to enable the validation of certificate signing requests (CSRs).
Required for certificate renewal
Set this variable to true to enable certificate renewals.
Required for certificate renewal
Set this variable to a comma-separated list of the certificate types for which you want to allow renewal. See the linked variable documentation for the list of possible certificate types.
Example: Static,IntuneUser,IntuneDevice
Assign the required permissions by running the Register-SCEPmanApiClient cmdlet from the SCEPman PowerShell module.
Example:
The Object ID of the Enterprise Application (service principal) that complements the App Registration created in the previous step. Note that this is not the Enterprise Application usually named SCEPman-api, which identifies SCEPman itself.
To assign this permission manually, navigate to API Permissions on the app registration and add a permission from the APIs your organization uses. Select the CSR.Request.Db permission of SCEPman-api as an application permission, then grant admin consent; application permissions are not effective until consent has been granted.