Use Cases

This page gives an overview of the common use cases and scenarios for which our clients use SCEPman as a cloud CA. While we cannot provide support for the intricacies of every vendor solution, we hope this overview helps you quickly assess whether SCEPman could be a fit for your scenario, too - without overwhelming you with less common or even exotic use cases. If you are unsure, just drop us a question.

Secure WiFi and Network Access

Certificates issued by SCEPman are widely used for certificate-based network authentication (802.1X / EAP-TLS) for WiFi, wired/LAN and VPN, typically along with a network access control (NAC) service that speaks the RADIUS or RadSec protocol. Such services commonly include:

  • Aruba ClearPass

  • Cisco ISE / Cisco ASA

  • Azure VPN Gateway / Azure AlwaysOn VPN

  • Fortinet FortiGate

  • Palo Alto GlobalProtect

In addition to typical user-centric client devices such as laptops, PCs or Macs, kiosk devices such as point-of-sale or self-checkout systems, scanners/barcode guns or customer terminals are often equipped with certificates from SCEPman for secure network authentication.

Certificate-based Authentication

You can enrol user authentication certificates with SCEPman for TLS client authentication. This allows authentication to web sites or services such as

  • Internal web applications

  • Microsoft 365

  • Other cloud services

  • Remote Desktop connections

    • AVD

    • Windows server administration

MDM Solutions

To automate the deployment of relevant configuration profiles and to keep certificates up to date (auto-renewal), we recommend using SCEPman along with an MDM solution. While SCEPman natively integrates with Microsoft Endpoint Manager/Intune and Jamf Pro, our customers have also successfully deployed SCEPman along with other MDM solutions.

The table below provides an overview of the most commonly used MDM solutions and indicates whether and how certificate revocation is possible.

*: Only works with user-type certificates if the user objects are synced from Microsoft Entra ID (Azure AD).

On-premises to Cloud Migration

Since SCEPman is a cloud-native general-purpose CA, many of our clients who migrate their infrastructure into the cloud use SCEPman to replace their on-prem Microsoft PKI/AD CS and NDES. Generally, this is possible as long as the devices that are to receive certificates are hybrid- or fully Azure AD-joined.

IoT Devices

SCEPman can be used to supply certificates to IoT devices. For this purpose, SCEPman supports an ECC CA, allowing performance- and energy-optimized cryptographic algorithms on devices with limited computational resources or on devices relying on battery power. SCEPman's flexibility supports issuing certificates with long validity periods, allowing long-term offline operation without the need to renew certificates regularly. Furthermore, certificates can be conveniently enrolled on an assembly line by leveraging SCEPman's REST API with Microsoft Entra ID (Azure AD)-based authentication.
