
Info: This article includes updates for Certificate Manager 8.6.1.

This article describes a configuration example of the SCEP protocol with Azure Intune in Protocol Gateway.

...


Since the ADAL authentication API has been deprecated by Microsoft, the SCEP Intune protocol in Certificate Manager 8.6.1 has been updated to use the MSAL authentication API instead.

See https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/azure-ad-change-management-simplified/ba-p/2967456 for more information.

...



Prerequisites

The following prerequisites apply:

...

Create SCEP certificate profile

A SCEP Certificate Profile needs to be created for Intune to know how the end user certificate should be defined and which CA to deliver the CSR to.

  1. Navigate to the Azure Endpoint manager at https://endpoint.microsoft.com/.
  2. Navigate to Devices > Configuration Profiles and select Create profile.
  3. Configure the following settings:
    1. Set Platform to Windows 10 or later.
    2. Set Profile type to Templates.
    3. Set Template name to SCEP certificate and click Create.
    4. Enter a Profile name and optionally a Description. Click Next.
    5. The remaining settings determine the content of the CSR that will be sent to Protocol Gateway and should be adapted per installation. However, some settings are mandatory, for example the following:
      1. Set Certificate type to Device.
      2. Set Key storage provider (KSP) to Enroll to Trusted Platform Module (TPM) KSP if present, otherwise Software KSP.
      3. Set Root Certificate to the Root CA Trusted Profile that was configured in the trusted root store.
      4. In Extended key usage, add Client Authentication via the Predefined values.
      5. Set SCEP Server URLs to the Protocol Gateway Intune endpoint:

        Example: Protocol Gateway SCEP Intune endpoint
        https://example.com/pgwy/scep/intune


    6. Click on Next.
  4. Configure the access rights to the profile, either by applying it to all devices or by applying it to a selected group that the users requesting certificates via Intune will be a part of. Click on Next.
  5. If no device limitation is required, the configuration of the applicability rules can be skipped. Click on Next.
  6. Verify the settings and click on Create.

Configure Protocol Gateway SCEP for Intune

...

Set SCEP properties

To set the properties for the SCEP protocol:

  1. Open scep.properties for editing.
    1. On Linux, this is found in /var/cm-gateway/conf.
    2. On Windows, this is found in C:/ProgramData/Nexus/cm-gateway/conf.
  2. Set the SCEP properties as follows: 
    1. Enable the SCEP protocol by setting start to true.
    2. Set default.ra.keyfile to the Protocol Gateway RA token file and default.ra.password to the related PIN.

...

    1. The certificate format linked to the token procedure should not handle verifications (that is, rfc5280 can be used).

  1. In a handler, set the following Intune parameters so that Protocol Gateway can verify the incoming device CSRs against Intune:

    1. Set filter and format according to the SCEP.properties example below.
    2. Set tenant to the fully qualified domain name (FQDN) of the organization configured in Intune.
    3. Set azure_app_id to the Application (client) ID that was received in the Register app section above.
    4. Set azure_app_key to the Client secret that was received in the Register app section above.
    5. Set certificateAuthority to the name of the issuing CA for the end user certificates.

...

    1. For more information on how to configure verifications of certificate requests in .properties files, see Certificate request verifications in Protocol Gateway.

  1. If needed, scramble sensitive parameters in the configuration file. See Scramble sensitive data in configuration files in Protocol Gateway.
  2. Save the file.

Example: SCEP.properties
# SCEP parameters
start = true
default.tokenprocedure = SCEP Registration and Enroll Procedure
default.ra.keyfile = protocol-gateway-ra.p12
default.ra.password = <Protocol Gateway RA PIN>

# Intune parameters
handler.x.filter = intune/pkiclient.exe
handler.x.format = scep-intune
handler.x.tenant = {azure-tenant}
handler.x.azure_app_id = {app-id}
handler.x.azure_app_key = {app-key}
handler.x.certificateAuthority = {CA_name}

Additional optional attributes for Intune, revocation via Intune and proxy are available and described in the SCEP INTUNE section of the scep.properties file.
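As an added check that is not part of Nexus' own tooling, the following script parses a scep.properties file and reports an Intune handler that is incomplete or still carries the template placeholders from the example above (the key names are those used on this page; the sample file is constructed):

```python
import re

# Handler keys the page's SCEP.properties example sets for Intune (key names taken from the page)
REQUIRED_HANDLER_KEYS = ("filter", "format", "tenant", "azure_app_id",
                         "azure_app_key", "certificateAuthority")
# Unfilled template markers in the page's example look like {azure-tenant} or <Protocol Gateway RA PIN>
PLACEHOLDER = re.compile(r"^(\{[^}]*\}|<[^>]*>)$")

def parse_properties(text):
    """Minimal .properties parser: 'key = value' lines, '#'/'!' comments, no line continuations."""
    props = {}
    for line in text.splitlines():
        s = line.strip()
        if s and s[0] not in "#!" and "=" in s:
            key, _, value = s.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_intune_scep(text):
    """Return a list of findings; an empty list means the Intune handler configuration looks complete."""
    props, findings, handlers = parse_properties(text), [], {}
    if props.get("start", "").lower() != "true":
        findings.append("start is not true: the SCEP protocol is disabled")
    for k in ("default.ra.keyfile", "default.ra.password"):
        if not props.get(k):
            findings.append(f"{k} is missing")
    for k, v in props.items():  # group handler.<name>.<key> entries per handler
        m = re.match(r"handler\.([^.]+)\.(.+)$", k)
        if m:
            handlers.setdefault(m.group(1), {})[m.group(2)] = v
    intune = {n: h for n, h in handlers.items() if h.get("format") == "scep-intune"}
    if not intune:
        findings.append("no handler with format = scep-intune")
    for name, h in intune.items():
        findings += [f"handler.{name}.{rk} is missing" for rk in REQUIRED_HANDLER_KEYS if not h.get(rk)]
    findings += [f"{k} still holds the placeholder {v}" for k, v in props.items() if PLACEHOLDER.match(v)]
    return findings

TEMPLATE = """# constructed sample: the page's example file with its template values left unfilled
start = true
default.ra.keyfile = protocol-gateway-ra.p12
default.ra.password = <Protocol Gateway RA PIN>
handler.x.filter = intune/pkiclient.exe
handler.x.format = scep-intune
handler.x.tenant = {azure-tenant}
handler.x.azure_app_id = {app-id}
handler.x.azure_app_key = {app-key}
handler.x.certificateAuthority = {CA_name}
"""

if __name__ == "__main__":
    for finding in check_intune_scep(TEMPLATE):
        print(finding)
```

Run it against the real file (for example with `check_intune_scep(open("/var/cm-gateway/conf/scep.properties").read())`) before restarting Tomcat; a leftover placeholder in azure_app_key or tenant is the usual reason Intune CSR verification fails.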


Restart Tomcat

  1. Restart the Tomcat service.

...