Usually when it is necessary to deploy certificates to (mobile) devices Simple Certificate Enrollment Protocol (SCEP) is the first choice. But what is SCEP? SCEP is an Internet draft standard protocol. An Internet draft contains technical specifications and technical information. Internet drafts are often published as a Request for Comments.
SCEP is originally developed by Cisco. The core mission of SCEP is the deployment of certificates to network devices without any user interactions. With the help of SCEP, network devices can request for certificates on their own.
If you use SCEP in a 'traditional way' you need an number of on-premises components. Microsoft Intune allows third-party certificate authorities (CA) to issue and validate certificates using SCEP. To get rid of the on-premises components we developed SCEPman.
For more details about the technical certificate workflow and the third-party certification authority SCEP integration, click here.
Here's an overview about the SCEPman workflow. The first figure shows the certificate issuance and the second figure shows the certificate validation.
Process of certificate issuance:
Process of certificate validation during certificate-based authentication:
SCEPman is an Azure Web App with the following features:
A SCEP interface that is compatible with the Intune SCEP API in particular.
SCEPman provides certificates signed by a CA root key stored in Azure Key Vault.
SCEPman contains an OCSP responder (see below) to provide certificate validity in real-time. A certificate is valid if its corresponding Azure Active Directory (Azure AD) device or user exists and is enabled.
A full replacement of Legacy PKI.
SCEPman creates the CA root certificate during the initial installation. However, if for whatever reason an alternative CA key material shall be used it is possible to replace this CA key and certificate with your own in Azure Key Vault. For example, if you want to use a Sub CA certificate signed by an existing internal Root CA.
SCEPman issues device and user certificates that are compatible with Intune's internally used authentication certificates. They contain Intune's extensions determining the tenant and the machine. Additionally, when using device certificates, the tenant ID and machine ID is stored in the certificate subject alternative names to allow a RADIUS server, like RADIUS-as-a-Service, to use these certificates for authentication.
An Online Certificate Status Protocol (OCSP) is an Internet protocol which is in use to determine the state of a certificate.
Usually, an OCSP client sends a status request to an OCSP responder. An OCSP responder verifies the validity of a certificate based on revocation state or other mechanisms. In comparison to a certificate revocation list (CRL), an OCSP is always up-to-date and the response is available within seconds. A CRL has the disadvantage that it is based on a database that must refresh manually and may weight a lot of data.