How To Manage Certificates for SCEP CAs

How to manage certificates for your SCEP CA

There are multiple ways to issue and manage certificates in the EZCA portal. In this document we will go over how to manage certificates for your SCEP CA. This is more of an “Index” that shows all the different ways you can create certificates in your cloud-based CA. Each section links to a more detailed document that explains how to issue certificates in that specific way.

How To Issue Certificates for your SCEP CA

How to Issue Certificates In Intune

  1. The first and most common way to issue certificates from our Cloud SCEP CA is Intune SCEP. For this you will have to Register Intune Application in Azure Tenant (this gives EZCA permission to look into your Intune instance), then Create SCEP Certificate Authority, and finally Create Intune Profiles (this creates the profiles that will be used to issue the certificates). For revocation, Intune will automatically revoke the certificates when the device or user is removed from the Intune instance. However, if you want to manually revoke a certificate you can do so by going to the Certificate Authority in EZCA and revoking the certificate (more details in the how to revoke certificates section below).

How To Issue Certificates In Other MDMs (Static SCEP)

  1. While Intune SCEP covers the majority of managed devices for Microsoft customers, we understand that many customers also have other MDMs such as Google Device Manager or Jamf Pro (and many more). For those cases we recommend using Static SCEP. To use Static SCEP, go to the Certificate Authority in EZCA and click the Static SCEP button (watch this quick video to learn how you can do this). This will give you a URL that you can use to issue certificates to your devices. For revocation you can go to the Certificate Authority in EZCA and revoke the certificate (more details in the how to revoke certificates section below).

How to Issue SCEP Certificates for Active Directory Devices

  1. When moving to the cloud, there will be a period when some devices are neither hybrid nor cloud managed, meaning that you will have to push your certificates through GPOs. However, you cannot make Windows request SCEP certificates through Group Policy, so if you are using a modern cloud certificate authority that supports SCEP you will need to push our Open Source Certificate Tool and use it to issue certificates over the SCEP protocol. Below is a sample call (note that this call uses -s for the subject name and --SubjectAltNames for the SANs; if your device is domain joined you can leave the subject blank and the tool will automatically fill it in with the domain name):
     .\EZCACertManager.exe SCEPCertificate -u https://portal.ezca.io/api/SCEP/Static/1c3c6cea-fcbd-4681-85e1-74fb74b6863e/d2e20719-090c-40c9-88a0-d1955ed74f73/eastus/cgi-bin -s "CN=server3.contoso.com" -p YOURPASSWORD --SubjectAltNames machine.contoso.com,machine2.contoso.com
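Because a GPO startup script runs at every boot, the tool call above is best wrapped so it only enrolls when no valid certificate is present. The script below is an added example, not part of the EZCA documentation or the Open Source Certificate Tool; it assumes EZCACertManager.exe sits next to the script, that it places the issued certificate in the LocalMachine\My store and returns a non-zero exit code on failure, and that the Static SCEP URL and challenge password (read here from the hypothetical EZCA_SCEP_PASSWORD environment variable) are replaced with the values from your own CA page.

```powershell
# Added example: idempotent SCEP enrollment wrapper for a GPO computer startup script.
# Only the -u/-s/-p/--SubjectAltNames switches from the sample call above are used.
param(
    [string]$ScepUrl  = 'https://portal.ezca.io/api/SCEP/Static/<CA-ID>/<TEMPLATE-ID>/<region>/cgi-bin',  # placeholder
    [string]$Password = $env:EZCA_SCEP_PASSWORD,   # assumed source; never hard-code the challenge password
    [int]$RenewDaysBeforeExpiry = 30
)

# Build the FQDN of this machine to match the subject the CA will issue.
$domain  = (Get-CimInstance Win32_ComputerSystem).Domain
$fqdn    = "$env:COMPUTERNAME.$domain".ToLower()
$subject = "CN=$fqdn"
$cutoff  = (Get-Date).AddDays($RenewDaysBeforeExpiry)

# Look for a still-valid certificate with a private key that already matches the subject.
$existing = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if ($existing -and $existing.NotAfter -gt $cutoff) {
    Write-Output "Valid certificate found (expires $($existing.NotAfter)); nothing to do."
    return
}

if (-not $Password) { throw 'SCEP challenge password not provided.' }

# Request (or renew) the certificate over SCEP with the same switches as the sample call.
& "$PSScriptRoot\EZCACertManager.exe" SCEPCertificate -u $ScepUrl -s $subject -p $Password --SubjectAltNames $fqdn
if ($LASTEXITCODE -ne 0) { throw "EZCACertManager.exe failed with exit code $LASTEXITCODE" }

# Confirm the new certificate actually landed in the machine store before reporting success.
$issued = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject -and $_.HasPrivateKey -and $_.NotAfter -gt $cutoff } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $issued) { throw "No certificate for $subject found after enrollment." }
Write-Output "Enrolled certificate thumbprint: $($issued.Thumbprint)"
```

Deploy the password through a protected channel (for example a secured environment variable or a secret store readable only by SYSTEM) rather than inside the script, since the GPO script itself is readable by every domain computer.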

How To enable Self Service Certificate Issuance

There are times when users with non-managed devices need to request certificates. For this we have created a self-service portal that allows users to request certificates using their Entra ID credentials. To enable this feature you must enable self-service certificate issuance in the Certificate Authority in EZCA. Once enabled, users can follow these instructions and request certificates. The cool part about this feature is that it also works with our cloud RADIUS to create self-service Wi-Fi profiles that can be sent to users who do not have managed devices and need to connect to your corporate Wi-Fi.

How To Revoke Certificates for your SCEP CA in EZCA

While some of our integrations, such as the Intune integration and self-service issuance, will revoke the certificate if the device or user is deleted, there are times when you will need to manually revoke a certificate. To do this you will have to:

  1. Go to the Certificate Authority page in EZCA and click on “View Requirements” on the CA you want to revoke the certificate from.
  2. Scroll down to the bottom and click on “View Active Certificates”.
  3. Find the certificate you want to revoke and click on the revoke button. This will revoke the certificate and the device will no longer be able to use it.