How To Create Intune SCEP Profiles for Linux Devices
This page walks through creating an Intune profile that issues X.509 certificates to Linux devices or their users over SCEP.
Prerequisites
- Register Intune Application in Azure Tenant
- Create and Download your SCEP CA Certificate
- Enable Static SCEP Challenge in EZCA
How To Create Intune SCEP Profile For Linux Device Certificates
Intune ships SCEP profiles for macOS, iOS, Windows, and Android devices, but it has no dedicated profile type for Linux. The custom script profile below fills that gap and lets you issue certificates to Linux devices.
- Although this is still an Intune profile, it is not a standard SCEP profile, so the Static SCEP Challenge must also be enabled in EZCA.
- Go to EZCA, click on Certificate Authorities, and select the "View Requirements" button on your Intune CA.
- Ensure static SCEP is enabled. If it is not, click the "Enable Static SCEP Challenge" button and save the changes at the top right.
- While you are here, copy the Static URL and Static Challenge; both values are needed to create the Intune profile.
- Now that we have the CA information, let’s go to the Intune Portal: https://aka.ms/intuneportal
- Select: Devices -> Linux -> Scripts.
- Click the “Add” button.
- Enter a name for the profile and click “Next”.
- Copy the following script (modifying the values for your CA):

```bash
#!/bin/bash
# User-set values
EZCA_SCEP_STATIC_URL=https://ezca.azpki.com/api/SCEP/Static/1c3c6cea-fcbd-4681-85e1-74fb74b6863e/077cfd01-82ee-40bd-b709-f0f9b9d8f996/eastus/cgi-bin
SCEP_CHALLENGE=BF2103949DEF04FC   # Static SCEP challenge from EZCA; it authorizes enrollment, so treat this script as sensitive
CERT_CN=WifiCert                  # Cert common name
# CERT_O=                         # Cert organization
# CERT_OU=                        # Cert organization unit
# CERT_COUNTRY=                   # Cert country
## ---------- ## ---------- ## ---------- ## ---------- ## ---------- ##

# Check all required executables exist
req_execs=("cat" "chmod" "curl" "head" "mkdir" "mv" "openssl" "rm" "tr")
for exe in "${req_execs[@]}"; do
  if ! command -v "$exe" >/dev/null 2>&1; then
    echo "Required executable $exe not found"
    exit 1
  fi
done

if [ -z "$EZCA_SCEP_STATIC_URL" ]; then
  echo "EZCA_SCEP_STATIC_URL not set"
  exit 1
fi

# Fall back to defaults for any value left unset above
SCEP_CHALLENGE=${SCEP_CHALLENGE:-'DEFAULT_SCEP_CHALLENGE'}
CERT_CN=${CERT_CN:-'DEFAULT_CERT_CN'}
CERT_O=${CERT_O:-'DEFAULT_CERT_O'}
CERT_OU=${CERT_OU:-'DEFAULT_CERT_OU'}
CERT_COUNTRY=${CERT_COUNTRY:-'US'}
INSTALL_DIR=${INSTALL_DIR:-"$HOME/.local/share/keytos/scep_certs"}
SCEPCLIENT_PATH="$INSTALL_DIR/scepclient"
KEY_PWD_PATH="$INSTALL_DIR/key.pwd"
NEW_KEY_PATH="$INSTALL_DIR/key.pem"
NEW_CER_PATH="$INSTALL_DIR/client.pem"
ENCRYPTED_KEY_PATH="$INSTALL_DIR/key.encrypted.pem"
CER_PATH="$INSTALL_DIR/certificate.pem"

# Only generate new certs if certs do not exist or certs will expire in two weeks.
# "openssl x509 -checkend" prints a message in both cases, so its stdout must not be
# used as the test; its exit status is 0 only when the cert is still valid after the window.
if [ -f "$CER_PATH" ]; then
  TWO_WEEKS_IN_SECONDS=1209600
  if openssl x509 -checkend "$TWO_WEEKS_IN_SECONDS" -noout -in "$CER_PATH" >/dev/null 2>&1; then
    exit 0
  fi
fi

mkdir -p "$INSTALL_DIR"

# Install SCEP client (pull from CDN); -f makes curl fail on an HTTP error instead of saving the error page
if [ ! -f "$SCEPCLIENT_PATH" ]; then
  curl -f 'https://download.keytos.io/Downloads/linux-scripts/scepclient-linux-amd64' --output "$SCEPCLIENT_PATH" || exit 1
  chmod +x "$SCEPCLIENT_PATH"
fi

# Generate CERTS
openssl genrsa -traditional -out "$NEW_KEY_PATH" 2048
"$SCEPCLIENT_PATH" \
  -server-url "${EZCA_SCEP_STATIC_URL}" \
  -private-key "$NEW_KEY_PATH" \
  -challenge "${SCEP_CHALLENGE}" \
  -cn "$CERT_CN" \
  -organization "$CERT_O" \
  -ou "$CERT_OU" \
  -country "$CERT_COUNTRY"
if [ $? -ne 0 ]; then
  # Enrollment failed: remove partial key material so the next run starts clean
  rm -rf "$INSTALL_DIR"/*.pem "$KEY_PWD_PATH"
  exit 1
fi
rm "$INSTALL_DIR/csr.pem"

# Encrypt key and rename files (the password file sits beside the key, so the
# install directory's permissions are what protect it)
tr -dc A-Za-z0-9 </dev/urandom | head -c 16 > "$KEY_PWD_PATH"
openssl rsa -aes256 -in "$NEW_KEY_PATH" -out "$ENCRYPTED_KEY_PATH" -passin pass:"$(cat "$KEY_PWD_PATH")" -passout file:"$KEY_PWD_PATH"
mv "$NEW_CER_PATH" "$CER_PATH"
rm -f "$NEW_KEY_PATH" "$NEW_CER_PATH"
```
- This script creates a certificate with the values provided and stores it in the user's home directory under the folder ~/.local/share/keytos/scep_certs. It also renews the certificate automatically when it is about to expire. Set your configuration values for how often you want the script to run, then click "Review + Save".
- Select your Scope, and click "Next".
- Select your Assignments, and click “Next”.
- Click "Create".
- Intune now has a profile that issues certificates to Linux devices. If you also want to set up a Linux Wi-Fi profile in Intune, you can do so by following the guide.
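After the script has run on a device, an administrator usually wants to confirm what it produced: that certificate.pem is a real certificate, whether it falls inside the two-week renewal window the script checks, and that key.encrypted.pem really opens with key.pwd and belongs to that certificate. The following POSIX shell helper is an added example written for this page; it is not part of the Keytos script or of EZCA, and it only assumes the file names and layout the enrollment script above writes into its install directory.

```shell
#!/bin/sh
# Added post-enrollment check (not part of the Keytos script or the EZCA product).
# Assumes the layout the enrollment script produces in its install directory:
#   certificate.pem     the issued certificate
#   key.encrypted.pem   the AES-256 encrypted private key
#   key.pwd             the password for that key
# Only openssl is required.

# cert_valid_beyond CERT SECONDS
# Exit status: 0 = still valid after SECONDS, 1 = expires within SECONDS (or already
# expired), 2 = file missing or not a parseable certificate.
cert_valid_beyond() {
  cvb_cert="$1"
  cvb_seconds="${2:-1209600}"   # default window: two weeks, matching the enrollment script
  [ -f "$cvb_cert" ] || return 2
  openssl x509 -noout -in "$cvb_cert" >/dev/null 2>&1 || return 2
  # -checkend prints a message either way; only its exit status is meaningful
  if openssl x509 -checkend "$cvb_seconds" -noout -in "$cvb_cert" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# key_matches_cert DIR
# Exit status 0 when key.encrypted.pem opens with key.pwd and its modulus equals the
# certificate's modulus; 1 otherwise (wrong password, unreadable file, or a foreign key).
key_matches_cert() {
  kmc_dir="$1"
  kmc_cert_mod=$(openssl x509 -noout -modulus -in "$kmc_dir/certificate.pem" 2>/dev/null) || return 1
  kmc_key_mod=$(openssl rsa -noout -modulus -in "$kmc_dir/key.encrypted.pem" \
                -passin "file:$kmc_dir/key.pwd" 2>/dev/null) || return 1
  [ -n "$kmc_cert_mod" ] && [ "$kmc_cert_mod" = "$kmc_key_mod" ]
}

# check_scep_certs DIR
# Human-readable report for one enrollment directory. Exit status 0 only when the
# certificate is valid for more than two weeks and the key pair matches.
check_scep_certs() {
  csc_dir="$1"
  csc_status=0
  openssl x509 -noout -subject -enddate -in "$csc_dir/certificate.pem" 2>/dev/null \
    || { echo "no readable certificate in $csc_dir"; return 2; }
  if cert_valid_beyond "$csc_dir/certificate.pem" 1209600; then
    echo "certificate valid for more than two weeks; the script will not re-enroll"
  else
    echo "certificate expires within two weeks; the script will re-enroll on its next run"
    csc_status=1
  fi
  if key_matches_cert "$csc_dir"; then
    echo "key.encrypted.pem opens with key.pwd and matches the certificate"
  else
    echo "key/certificate mismatch, or key.pwd cannot open the key"
    csc_status=1
  fi
  return "$csc_status"
}

# Usage: sh check_scep_certs.sh ~/.local/share/keytos/scep_certs
if [ $# -gt 0 ]; then
  check_scep_certs "$1"
fi
```

The renewal test deliberately uses the exit status of `openssl x509 -checkend` rather than its output: the command prints a sentence whether or not the certificate is expiring, so a string test on its output would always look "true". The modulus comparison is the cheapest way to prove that the encrypted key on disk is the one the CA certified, which is what a Wi-Fi or VPN supplicant will need.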