In this page we show you how to create an Intune profile that issues X.509 certificates to devices or users using SCEP.
Intune ships SCEP profiles for macOS and iOS devices, Windows, and Android, but it has no specific profile for Linux devices. To cover that gap we have created custom profiles that let you issue certificates to Linux devices as well.
```bash
#!/bin/bash
# User-set values
EZCA_SCEP_STATIC_URL=https://ezca.azpki.com/api/SCEP/Static/1c3c6cea-fcbd-4681-85e1-74fb74b6863e/077cfd01-82ee-40bd-b709-f0f9b9d8f996/eastus/cgi-bin
SCEP_CHALLENGE=BF2103949DEF04FC
CERT_CN=WifiCert # Cert common name
# CERT_O= # Cert organization
# CERT_OU= # Cert organization unit
# CERT_COUNTRY= # Cert country
## ---------- ## ---------- ## ---------- ## ---------- ## ---------- ##
# Check all required executables exist
req_execs=("cat" "chmod" "curl" "head" "mkdir" "mv" "openssl" "rm" "tr")
for exe in "${req_execs[@]}"; do
    if ! command -v "$exe" >/dev/null 2>&1; then
        echo "Required executable $exe not found"
        exit 1
    fi
done
if [ -z "$EZCA_SCEP_STATIC_URL" ]; then
    echo "EZCA_SCEP_STATIC_URL not set"
    exit 1
fi
SCEP_CHALLENGE=${SCEP_CHALLENGE:-'DEFAULT_SCEP_CHALLENGE'}
CERT_CN=${CERT_CN:-'DEFAULT_CERT_CN'}
CERT_O=${CERT_O:-'DEFAULT_CERT_O'}
CERT_OU=${CERT_OU:-'DEFAULT_CERT_OU'}
CERT_COUNTRY=${CERT_COUNTRY:-'US'}
INSTALL_DIR=${INSTALL_DIR:-"$HOME/.local/share/keytos/scep_certs"}
SCEPCLIENT_PATH=$INSTALL_DIR/scepclient
KEY_PWD_PATH=$INSTALL_DIR/key.pwd
NEW_KEY_PATH=$INSTALL_DIR/key.pem
NEW_CER_PATH=$INSTALL_DIR/client.pem
ENCRYPTED_KEY_PATH=$INSTALL_DIR/key.encrypted.pem
CER_PATH=$INSTALL_DIR/certificate.pem
# Only generate new certs if certs do not exist or will expire within two weeks.
# `openssl x509 -checkend` exits 0 while the certificate stays valid past the
# window and 1 when it will expire, so test its exit status; its printed message
# is never empty, so testing the output would skip every renewal.
if [ -f "$CER_PATH" ]; then
    TWO_WEEKS_IN_SECONDS=1209600
    if openssl x509 -checkend "$TWO_WEEKS_IN_SECONDS" -noout -in "$CER_PATH" >/dev/null 2>&1; then
        exit 0
    fi
fi
# Key material written below must not be readable by other users
umask 077
mkdir -p "$INSTALL_DIR"
# Install SCEP client (pull from CDN); --fail stops an HTTP error page being saved as the binary
if [ ! -f "$SCEPCLIENT_PATH" ]; then
    curl --fail 'https://download.keytos.io/Downloads/linux-scripts/scepclient-linux-amd64' --output "$SCEPCLIENT_PATH"
    chmod +x "$SCEPCLIENT_PATH"
fi
# Generate CERTS
openssl genrsa -traditional -out "$NEW_KEY_PATH" 2048
"$SCEPCLIENT_PATH" \
    -server-url "$EZCA_SCEP_STATIC_URL" \
    -private-key "$NEW_KEY_PATH" \
    -challenge "$SCEP_CHALLENGE" \
    -cn "$CERT_CN" \
    -organization "$CERT_O" \
    -ou "$CERT_OU" \
    -country "$CERT_COUNTRY"
if [ $? -ne 0 ]; then
    # Enrollment failed: leave no half-written key material behind
    rm -f "$INSTALL_DIR"/*.pem "$KEY_PWD_PATH"
    exit 1
fi
rm -f "$INSTALL_DIR/csr.pem"
# Encrypt key and rename files
tr -dc A-Za-z0-9 </dev/urandom | head -c 16 > "$KEY_PWD_PATH"
openssl rsa -aes256 -in "$NEW_KEY_PATH" -out "$ENCRYPTED_KEY_PATH" -passout "file:$KEY_PWD_PATH"
mv "$NEW_CER_PATH" "$CER_PATH"
# Remove the unencrypted private key now that the encrypted copy exists
rm -f "$NEW_KEY_PATH" "$NEW_CER_PATH"
```
The script stores the encrypted private key and the issued certificate in ~/.local/share/keytos/scep_certs. It will also automatically renew the certificate if it is about to expire. Set your configuration values for how often you want the script to run and then click “Review + Save”.
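The renewal decision is the part of the script that is easiest to get wrong, because `openssl x509 -checkend` always prints a message and only its exit status says whether the certificate is about to expire. The function below, an added example that is not part of the Keytos script or the scepclient, isolates that check so it can be exercised against self-signed certificates of constructed lifetimes (the two-week window is the script's own value).

```bash
#!/bin/bash
# Added example: the script's renewal check isolated into a function.
# needs_renewal CERT_PATH [WINDOW_SECONDS]
#   returns 0 (true) when the cert is missing, unreadable, or expires within
#   the window; returns 1 (false) when it stays valid past the window.
needs_renewal() {
    local cert="$1" window="${2:-1209600}"   # default window: two weeks
    [ -f "$cert" ] || return 0
    # -checkend exits 0 only while the certificate remains valid past WINDOW;
    # a corrupt file also makes openssl fail, which we treat as "renew".
    if openssl x509 -checkend "$window" -noout -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Constructed self-signed test certificates (hypothetical, not issued by EZCA).
# make_test_cert OUT_PEM DAYS
make_test_cert() {
    local out="$1" days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "${out%.pem}.key" \
        -out "$out" -days "$days" -subj "/CN=renewal-test" >/dev/null 2>&1
}

# Show the decision for a certificate inside and one outside the window.
demo() {
    local dir
    dir=$(mktemp -d)
    make_test_cert "$dir/short.pem" 7      # expires in 7 days: inside 14-day window
    make_test_cert "$dir/long.pem" 365     # expires in a year: outside the window
    needs_renewal "$dir/short.pem" && echo "short.pem: renew"
    needs_renewal "$dir/long.pem" || echo "long.pem: still valid"
    rm -rf "$dir"
}
```

Source the file and call `demo`, or call `needs_renewal "$CER_PATH"` from the Intune script in place of its inline check.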