General

How can I programmatically query the Storage Account Table?

For some use cases, it might be necessary to query the storage account table directly. This can be done manually using the Azure Storage Explorer or programmatically using the Azure Storage REST API. Assign the Storage Table Data Reader role to the account you are using. Here is an example of a query that returns all certificates in the Storage Account expiring in the next 30 days:

$SCEPManStorageAccountName = "stgscepmanabc"  # Insert your SCEPman Storage Account name here
# The table stores ExpirationDate in UTC, so build the datetime literals from UTC time;
# formatting local time with a literal 'Z' would shift the window by your UTC offset.
$expiresBefore = (Get-Date).ToUniversalTime().AddDays(30).ToString("yyyy-MM-ddTHH:mm:ssZ")  # Find all certificates that expire before this date
$now = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")                        # and that expire after this date

$certificatesJson = az storage entity query --table-name Certificates --account-name $SCEPManStorageAccountName --auth-mode login --filter "ExpirationDate lt datetime'$expiresBefore' and ExpirationDate gt datetime'$now' and Revoked eq false"
$certificates = $certificatesJson | ConvertFrom-Json

$certificates.items | Select-Object -Property Subject,Requester,ExpirationDate,FQDNs

The Azure CLI must be installed on the machine where the query is run, and it must be logged on to the right account and subscription. This is automatically the case for an Azure Cloud Shell.

If you are using a Private Endpoint for the Storage Account, you need to add your client's IP address to the exception list in the Networking pane of the Storage Account.
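The query above returns raw JSON; turning it into an expiry report (days remaining, urgent flag, sorted by soonest expiry) is the usual next step. The following is an added example, not SCEPman's own code. It assumes the output shape shown above (a top-level "items" list whose entries carry Subject, Requester, ExpirationDate, FQDNs and Revoked) and that ExpirationDate is an ISO 8601 timestamp in UTC; the sample JSON and the field values in it are constructed. It also shows the filter string built from an explicitly UTC timestamp, which is the part of the query that is easiest to get wrong.

```python
"""Expiry report over the JSON printed by `az storage entity query`.

Added example, not SCEPman's own code. Assumes the CLI output shape shown
on the page ("items" list with Subject, Requester, ExpirationDate, FQDNs,
Revoked) and ISO 8601 UTC timestamps. All sample data below is constructed.
"""
import json
from datetime import datetime, timedelta, timezone

DATE_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_filter(now: datetime, days: int) -> str:
    """OData filter for unrevoked certificates expiring within `days` of `now`.

    Table storage compares datetime literals as UTC, so `now` must be an
    aware UTC datetime; a local time formatted with a literal 'Z' would
    shift the whole window by the local UTC offset.
    """
    if now.tzinfo is None or now.utcoffset() != timedelta(0):
        raise ValueError("now must be an aware UTC datetime")
    later = now + timedelta(days=days)
    return (
        f"ExpirationDate lt datetime'{later.strftime(DATE_FMT)}' "
        f"and ExpirationDate gt datetime'{now.strftime(DATE_FMT)}' "
        f"and Revoked eq false"
    )


def _parse_ts(value: str) -> datetime:
    """Parse '2024-06-05T10:00:00+00:00' or '...Z' into an aware UTC datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def expiry_report(cli_json: str, now: datetime, warn_days: int = 7) -> list:
    """Rows sorted by days remaining; `urgent` marks those within warn_days.

    Revoked entities are skipped here as well, even though the server-side
    filter already excludes them, so the report stays correct if it is
    reused on the output of a broader query.
    """
    rows = []
    for item in json.loads(cli_json)["items"]:
        if item.get("Revoked"):
            continue
        days_left = (_parse_ts(item["ExpirationDate"]) - now).days  # negative = expired
        rows.append({
            "subject": item.get("Subject", ""),
            "requester": item.get("Requester", ""),
            "fqdns": item.get("FQDNs", ""),
            "days_left": days_left,
            "urgent": days_left <= warn_days,
        })
    rows.sort(key=lambda r: r["days_left"])
    return rows


# Constructed sample standing in for real `az storage entity query` output.
SAMPLE_CLI_JSON = json.dumps({
    "items": [
        {"Subject": "CN=laptop-17", "Requester": "intune",
         "ExpirationDate": "2024-06-20T08:00:00+00:00", "FQDNs": "", "Revoked": False},
        {"Subject": "CN=vpn-gw-01", "Requester": "cm",
         "ExpirationDate": "2024-06-05T10:00:00Z", "FQDNs": "vpn.example.test", "Revoked": False},
        {"Subject": "CN=old-device", "Requester": "intune",
         "ExpirationDate": "2024-06-03T00:00:00+00:00", "FQDNs": "", "Revoked": True},
    ],
})
# Fixed "now" so the sample is reproducible (constructed).
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(build_filter(SAMPLE_NOW, 30))
    for row in expiry_report(SAMPLE_CLI_JSON, SAMPLE_NOW):
        flag = "URGENT" if row["urgent"] else "ok"
        print(f"{flag:6} {row['days_left']:4d}d  {row['subject']}  {row['fqdns']}")
```

In practice you would replace SAMPLE_CLI_JSON with the string captured from the CLI call and SAMPLE_NOW with `datetime.now(timezone.utc)`; the days_left value is a floor, so a certificate expiring later today reports 0 days.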

How to restrict public access to the SCEPman homepage?

The SCEPman homepage does not include any sensitive information, and attackers cannot leverage the available data for malicious purposes.

However, if you prefer to hide the homepage from public access, you can do so with the AppConfig setting AnonymousHomePageAccess.

Make sure to restart the SCEPman App Service after adding the setting.

How to change SCEPman RootCA Subject?

Changing the CA Subject means you must issue a new Root CA, deploy it to all users, AND deploy all client/device certificates again. The old certificates are then no longer valid.

If that is acceptable for you, follow the steps below to change the CA subject.

The name does not appear in the certificate itself and is only a reference to the CA certificate within Azure Key Vault. Because it is part of the URL, the name is restricted to alphanumeric characters and dashes; spaces are not allowed.

  • After changing both values, save and restart the App Service

  • Navigate to your SCEPman homepage and issue a new RootCA as described here

  • Download the new RootCA and upload it to your Profile, then re-deploy the client certificates again to get the new subject

How to view SCEP certificates in Intune?

To view SCEPman-issued certificates in Intune, navigate to Certificates in the Intune Monitor module:

Intune -> Devices -> Monitor -> Certificates

There you will find a list of all issued certificates with details like device name, user name, thumbprint, serial number, subject name, issuance date, expiry date, and certificate status.

For a more comprehensive view of the certificates along with additional actions, review the certificates in Certificate Master.
