How To Create Intune SCEP Profiles for Linux Devices

This page walks through creating an Intune profile that issues X.509 certificates to Linux devices (or to the users on them) from EZCA over SCEP.

Prerequisites

  1. Register Intune Application in Azure Tenant
  2. Create and Download your SCEP CA Certificate
  3. Enable Static SCEP Challenge in EZCA

How To Create Intune SCEP Profile For Linux Device Certificates

Intune has built-in SCEP certificate profiles for macOS, iOS, Windows and Android, but not for Linux. The custom script profile below fills that gap: it enrolls a certificate from EZCA over SCEP on each Linux device and keeps it renewed.

  1. While this is still an Intune profile, it is not a standard certificate profile, so Intune does not handle the SCEP challenge for you; the Static SCEP Challenge must be enabled in EZCA.
  2. Go to EZCA, click on Certificate Authorities and select the “View Requirements” button on your Intune CA.
  3. Ensure static SCEP is enabled; if it is not, click on the “Enable Static SCEP Challenge” button and save changes on the top right.
  4. While you are here, copy the Static URL and Static Challenge; both go into the script in the Intune profile.
  5. Now that we have the CA information, let’s go to the Intune Portal: https://aka.ms/intuneportal
  6. Select: Devices -> Linux -> Scripts.
  7. Click the “Add” button.
  8. Enter a name for the profile and click “Next”.
  9. Copy the following script, replacing the URL, challenge and subject values with the ones for your CA:
        #!/bin/bash
    
        # User-set values. The URL and challenge below are placeholders; use the Static URL and
        # Static Challenge shown on your CA's requirements page in EZCA.
        EZCA_SCEP_STATIC_URL=https://ezca.azpki.com/api/SCEP/Static/1c3c6cea-fcbd-4681-85e1-74fb74b6863e/077cfd01-82ee-40bd-b709-f0f9b9d8f996/eastus/cgi-bin
        SCEP_CHALLENGE=BF2103949DEF04FC
        CERT_CN=WifiCert    # Cert common name
        # CERT_O=    # Cert organization
        # CERT_OU=    # Cert organization unit
        # CERT_COUNTRY=    # Cert country
    
        ## ---------- ## ---------- ## ---------- ## ---------- ## ---------- ##
    
        # Check all required executables exist
        req_execs=("cat" "chmod" "curl" "head" "mkdir" "mv" "openssl" "rm" "tr")
        for exe in "${req_execs[@]}"; do
            if ! command -v "$exe" >/dev/null 2>&1; then
                echo "Required executable $exe not found" >&2
                exit 1
            fi
        done
    
        if [ -z "$EZCA_SCEP_STATIC_URL" ]; then
            echo "EZCA_SCEP_STATIC_URL not set" >&2
            exit 1
        fi
    
        # The static challenge is what authenticates the request to the CA; there is no sensible default
        if [ -z "$SCEP_CHALLENGE" ]; then
            echo "SCEP_CHALLENGE not set" >&2
            exit 1
        fi
    
        CERT_CN=${CERT_CN:-'DEFAULT_CERT_CN'}
        CERT_O=${CERT_O:-'DEFAULT_CERT_O'}
        CERT_OU=${CERT_OU:-'DEFAULT_CERT_OU'}
        CERT_COUNTRY=${CERT_COUNTRY:-'US'}
    
        INSTALL_DIR=${INSTALL_DIR:-"$HOME/.local/share/keytos/scep_certs"}
    
        SCEPCLIENT_PATH=$INSTALL_DIR/scepclient
        KEY_PWD_PATH=$INSTALL_DIR/key.pwd
        NEW_KEY_PATH=$INSTALL_DIR/key.pem
        NEW_CER_PATH=$INSTALL_DIR/client.pem
        CSR_PATH=$INSTALL_DIR/csr.pem
        ENCRYPTED_KEY_PATH=$INSTALL_DIR/key.encrypted.pem
        CER_PATH=$INSTALL_DIR/certificate.pem
    
        # Only request a new cert if none exists or the current one expires within two weeks.
        # "openssl x509 -checkend" reports the result through its exit status (0 = still valid
        # past the window, 1 = will expire), not through its output, so test the status directly.
        if [ -f "$CER_PATH" ]; then
            TWO_WEEKS_IN_SECONDS=1209600
            if openssl x509 -checkend "$TWO_WEEKS_IN_SECONDS" -noout -in "$CER_PATH" >/dev/null 2>&1; then
                exit 0
            fi
        fi
    
        # The private key and its password must not be readable by other users on the device
        umask 077
        mkdir -p "$INSTALL_DIR"
    
        # Install SCEP client (pull from CDN). -f makes curl fail on an HTTP error instead of
        # saving the error page as the "binary"; -L follows redirects.
        if [ ! -f "$SCEPCLIENT_PATH" ]; then
            if ! curl -fsSL 'https://download.keytos.io/Downloads/linux-scripts/scepclient-linux-amd64' --output "$SCEPCLIENT_PATH"; then
                echo "Failed to download scepclient" >&2
                rm -f "$SCEPCLIENT_PATH"
                exit 1
            fi
            chmod +x "$SCEPCLIENT_PATH"
        fi
    
        # Generate a fresh key (-traditional writes PKCS#1 "RSA PRIVATE KEY" form) and enroll it over SCEP
        openssl genrsa -traditional -out "$NEW_KEY_PATH" 2048
        "$SCEPCLIENT_PATH" \
            -server-url "${EZCA_SCEP_STATIC_URL}" \
            -private-key "$NEW_KEY_PATH" \
            -challenge "${SCEP_CHALLENGE}" \
            -cn "$CERT_CN" \
            -organization "$CERT_O" \
            -ou "$CERT_OU" \
            -country "$CERT_COUNTRY"
    
        # On failure, discard only this attempt's files so an existing valid certificate,
        # its encrypted key and key.pwd survive until the next run
        if [ $? -ne 0 ]; then
            rm -f "$NEW_KEY_PATH" "$NEW_CER_PATH" "$CSR_PATH"
            exit 1
        fi
    
        rm -f "$CSR_PATH"
    
        # Encrypt the new key with a random password and move the new files into place
        tr -dc A-Za-z0-9 </dev/urandom | head -c 16 > "$KEY_PWD_PATH"
        openssl rsa -aes256 -in "$NEW_KEY_PATH" -out "$ENCRYPTED_KEY_PATH" -passout "file:$KEY_PWD_PATH"
        mv "$NEW_CER_PATH" "$CER_PATH"
        rm -f "$NEW_KEY_PATH" "$NEW_CER_PATH"
    
    
  10. This script generates a key pair, enrolls it with your EZCA CA over SCEP using the values provided, and stores the result in the user’s home directory under ~/.local/share/keytos/scep_certs: certificate.pem (the issued certificate), key.encrypted.pem (the AES-256 encrypted private key) and key.pwd (the password for that key). On every run it checks the existing certificate and only requests a new one if it is missing or expires within two weeks, so it also handles renewal. Two points to keep in mind: the script downloads the scepclient binary from download.keytos.io on first run and executes it, so if your policy requires it, host a copy you have verified internally and change the URL; and because key.pwd sits next to key.encrypted.pem, the key’s protection rests on the directory permissions rather than on the encryption. Set how often you want the script to run and then click “Review + Save”.
  11. Select your Scope, and click “Next”.
  12. Select your Assignments, and click “Next”.
  13. Click “Create”.
  14. This creates a profile that issues certificates to your Linux devices. If you also want to set up a Linux Wi-Fi profile in Intune that uses these certificates, follow the Linux Wi-Fi profile guide.
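To confirm on a device that the profile did what you expect, the following script (an added example, not part of the Keytos script or of EZCA) checks the directory the profile writes to. It applies the same two-week renewal rule the script uses, reading `openssl x509 -checkend` through its exit status rather than its output, and verifies that the encrypted key in key.encrypted.pem actually belongs to certificate.pem by comparing the public keys. The `make_fixture` function builds a constructed, self-signed stand-in for the EZCA-issued files so the checks can be exercised offline; the directory layout and file names are assumed from the script above.

```bash
#!/bin/bash
# Added example: post-issuance checks for the files the Intune Linux SCEP script leaves behind.
# Assumed layout (from the script above):
#   $DIR/certificate.pem     issued certificate
#   $DIR/key.encrypted.pem   AES-256 encrypted private key
#   $DIR/key.pwd             password for the encrypted key

# needs_renewal CERT [WINDOW_SECONDS]
# Returns 0 when a new certificate should be requested (file missing, unparsable, or
# expiring within WINDOW_SECONDS; default two weeks), 1 when the current one is still fine.
# "openssl x509 -checkend" prints a sentence in both cases; only its exit status carries the answer.
needs_renewal() {
    local cert="$1" window="${2:-1209600}"
    [ -f "$cert" ] || return 0
    if openssl x509 -checkend "$window" -noout -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# key_matches_cert ENCRYPTED_KEY PWD_FILE CERT
# Returns 0 only when the key decrypts with PWD_FILE and its public half is the one in CERT.
key_matches_cert() {
    local key="$1" pwd="$2" cert="$3" kpub cpub
    kpub=$(openssl pkey -in "$key" -passin "file:$pwd" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# check_scep_dir DIR
# Prints subject and expiry, runs both checks, returns non-zero if anything needs attention.
check_scep_dir() {
    local dir="$1" status=0
    openssl x509 -in "$dir/certificate.pem" -noout -subject -enddate 2>/dev/null || status=1
    if needs_renewal "$dir/certificate.pem"; then
        echo "certificate missing or expiring within two weeks: renewal needed"
        status=1
    fi
    if ! key_matches_cert "$dir/key.encrypted.pem" "$dir/key.pwd" "$dir/certificate.pem"; then
        echo "private key does not match certificate (or cannot be decrypted with key.pwd)"
        status=1
    fi
    return "$status"
}

# make_fixture DIR DAYS
# Constructed test data mirroring the script's layout, with a self-signed certificate standing
# in for one issued by EZCA. For offline testing only; never use this on a real device.
make_fixture() {
    local dir="$1" days="$2"
    mkdir -p "$dir"
    (
        umask 077
        tr -dc A-Za-z0-9 </dev/urandom | head -c 16 > "$dir/key.pwd"
        openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
        openssl req -new -x509 -key "$dir/key.pem" -days "$days" -subj "/CN=WifiCert" \
            -out "$dir/certificate.pem" 2>/dev/null
        openssl rsa -aes256 -in "$dir/key.pem" -out "$dir/key.encrypted.pem" \
            -passout "file:$dir/key.pwd" 2>/dev/null
        rm -f "$dir/key.pem"
    )
}

# Usage on a device: ./check_scep.sh "$HOME/.local/share/keytos/scep_certs"
if [ -n "${1:-}" ]; then
    check_scep_dir "$1"
fi
```

Run it as the same user the Intune script ran as, since the files are created in that user's home directory and (with the `umask 077` in the script) are readable only by that user. A non-zero exit from `check_scep_dir` means either the script has not run successfully yet, the certificate is inside its renewal window, or the key and certificate on disk have diverged (for example, a renewal that wrote a new certificate but left an old key.pwd behind).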