pdrot.blogg.se

Cloud save ksp mac os











There is a solution called SCEPman | Intune SCEP-as-a-Service built by Glück & Kanja Consulting AG available in the Azure Marketplace. All it needs is an active Azure Subscription.

A little background from the product description:

Microsoft Intune allows third-party certificate authorities (CA) to issue and validate certificates using the Simple Certificate Enrollment Protocol (SCEP). SCEPman is a fully unattended Certificate Authority using Azure Key Vault for Microsoft Intune based device certificate deployment. (UPDATE: with SCEPman 1.3, user certificates are supported in a limited fashion.) SCEPman is a .NET Core C# based Azure Web App providing the SCEP and Intune API. It uses an Azure Key Vault based Root CA and certificate signing. No other component is involved, neither a database nor any other stateful storage except the Azure Key Vault. That said, SCEPman will not need any backup procedures.

SCEPman is an Azure Web App with the following features:

- A SCEP interface that is compatible with the Intune SCEP open-source API in particular.
- SCEPman signs machine authentication certificates with a CA key stored in Azure Key Vault.
- SCEPman contains an OCSP responder to provide certificate validity in real-time. A certificate is valid if its corresponding AAD device exists and is enabled.

A simple POST request to the SCEPman service creates the CA certificate. However, if for whatever reason alternative CA key material shall be used, it is possible to replace this CA key and certificate with your own in Azure Key Vault. For example, if you want to use a Sub CA certificate signed by an existing internal Root CA.

SCEPman issues authentication certificates that are compatible with Intune's internally used authentication certificates. They contain Intune's extensions determining the tenant and the machine. Additionally, the tenant ID and machine ID are stored in the certificate subject to allow common RADIUS servers like Cisco ISE, FreeRADIUS, RADIUS-as-a-Service and others to use these certificates for authentication.

! Please read carefully – Warning about user certificates

SCEPman is intended for authentication and transport encryption certificates. That said, you can deploy user and device certificates used for network authentication, WiFi, VPN, RADIUS and similar services. Do not use SCEPman for email encryption or digital signatures (without a separate technology for key management). The nature of the SCEP protocol does not include a mechanism to back up or archive private key material. If you would use SCEP for email encryption or digital signatures, you may lose the keys to decrypt or verify at a later time.

As we already know, it is a cloud service and uses an Azure Web App. Let's look at the detailed certificate request workflow:

1. In Intune you create and assign a new SCEP certificate profile and target it to a user or device group.
2. The device (Windows, iOS, Android, macOS) checks in and requests a certificate from SCEPman (the Azure Web App).
3. SCEPman requests validation of the request from Intune by comparing a unique challenge (this prevents tampering).
4. Intune validates the CSR and sends back a response.
5. If the challenge is verified successfully, SCEPman will request certificate signing from the Azure Key Vault.
6. SCEPman will receive the signed certificate.
7. SCEPman will issue the certificate to the device.

A more detailed technical certificate workflow can be found here: Add partner certification authority in Intune using SCEP.

SCEPman will act as an OCSP responder and the detailed workflow looks like this:

1. The device sends an OCSP request for the certificate to SCEPman.
2. SCEPman checks if the device exists in Azure AD and is enabled.
3. SCEPman receives the results and if the AAD device is not available or disabled, the OCSP response for the certificate is sent as “not valid”.












