How-To: Issue SCEP Certificates with EZCA Cloud PKI

Looking for a simple and cost-effective way to issue SCEP certificates to your devices? Learn how you can issue unlimited user and device certificates for Wi-Fi, VPN, Email and more with EZCA’s cloud-based SCEP CA.

Introduction to SCEP Certificate Authorities (CAs)

The Simple Certificate Enrollment Protocol (SCEP) is the industry standard for issuing certificates to your laptops, phones, desktops and other devices from a Certificate Authority (CA). SCEP CAs work together with your Mobile Device Management (MDM) solution (like Microsoft Intune or Jamf) to automatically issue and install certificates on your devices. This allows you to use certificates for Wi-Fi, VPN, Email and other use cases without having to manually install certificates on each device.

It only takes a few minutes to set up a SCEP CA in EZCA for your Intune, Jamf, or other MDM provider. Check out our getting started guide to learn how to create your first CA in Azure and then follow the steps below to create your SCEP CA.

How Much Do SCEP Certificates Cost?

All EZCA tiers include unlimited SCEP certificates with no additional per-certificate cost. This means you can issue as many SCEP certificates as you need without having to worry about additional costs.

EZCA Cloud PKI Includes Unlimited SCEP Certificates for No Additional Cost

Even for large organizations with tens of thousands of devices or more, you only pay the flat fee for the CA and then you can issue as many SCEP certificates as you need, within the rate limits of your tier, at no additional cost.

What Types of SCEP Does EZCA Support?

Depending on your MDM solution and devices, you may need to use Intune SCEP, Static SCEP, or Dynamic SCEP. EZCA supports all three types of SCEP and you can choose which one is best for your environment.

  • ✅ Static SCEP: Static SCEP is the most basic type of SCEP where you have a single “challenge” which is used to authenticate with the CA to create a certificate. While this is the easiest to set up, it is not the most secure as anyone who has the challenge can request a certificate from the CA.
  • ✅ Dynamic SCEP: Dynamic SCEP is more secure than Static SCEP as it uses a unique challenge for each certificate request. However, not all MDM solutions support Dynamic SCEP.
  • ✅ Intune SCEP: Microsoft Intune uses a unique SCEP implementation that layers on some additional security and capabilities. If you are using Intune to distribute certificates, you will need to use Intune SCEP.
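
The difference between a static and a dynamic challenge, as an added example that is not EZCA's or any MDM's implementation. The token format, the binding to a subject, the five-minute lifetime and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed values for illustration; not a real SCEP challenge format.
STATIC_CHALLENGE = "constructed-shared-challenge"
SERVER_KEY = secrets.token_bytes(32)  # hypothetical CA-side signing secret
TTL_SECONDS = 300                     # assumed lifetime of a dynamic challenge
_used = set()                         # nonces of challenges already redeemed


def _tag(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def check_static(challenge):
    """Static SCEP: one shared value, so any holder can enroll any subject."""
    return hmac.compare_digest(challenge.encode(), STATIC_CHALLENGE.encode())


def issue_dynamic(subject, now=None):
    """Dynamic SCEP: mint a one-time challenge for a single request."""
    now = time.time() if now is None else now
    body = f"{subject}|{int(now + TTL_SECONDS)}|{secrets.token_hex(8)}"
    return f"{body}|{_tag(body)}"


def check_dynamic(challenge, csr_subject, now=None):
    """Return 'ok', or the reason the enrollment request is refused."""
    now = time.time() if now is None else now
    try:
        # rsplit keeps a subject that itself contains '|' intact
        subject, expires, nonce, tag = challenge.rsplit("|", 3)
        expires_at = int(expires)
    except ValueError:
        return "malformed"
    good = _tag(f"{subject}|{expires}|{nonce}")
    if not hmac.compare_digest(tag.encode(), good.encode()):
        return "bad-signature"
    if now > expires_at:
        return "expired"
    if subject != csr_subject:
        return "subject-mismatch"
    if nonce in _used:
        return "replayed"
    _used.add(nonce)
    return "ok"
```

A leaked static challenge stays valid until it is rotated, while a leaked dynamic challenge here is useless for another subject, after expiry, or once redeemed.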

Do I Need a Root Certificate Authority (CA)?

One of the most common questions we get in our free PKI assessments is whether you need to create a Root CA for your SCEP CA or whether you should create the SCEP CA as the Root CA. PKI best practices recommend a two-tier PKI where you have your offline Root CA and then your online issuing CAs that each issue a different type of certificate. This helps prevent impersonation by someone issuing a certificate for a different purpose, and it allows you to push the Root to all your devices so you don’t have to manually trust each individual CA.

Two Tier PKI with Root CA, SCEP CA, Smartcard CA and SSL CA

However, if you are cost-constrained and you will not be issuing certificates for different purposes in the future (remember CAs last up to 10 years), you can create a single-tier PKI where your SCEP CA is your Root CA.

What Tools and MDM Solutions Does EZCA Support?

While EZCA is designed to work with any tool or MDM solution that supports SCEP, we have built out specific integrations and documentation for the most popular tools and MDM solutions.

EZCA Cloud PKI Supports All MDM Solutions that Support SCEP

  • ✅ Microsoft Intune: EZCA integrates directly into Microsoft Intune for easy certificate distribution to your devices. Check out our Intune SCEP documentation to learn how to distribute certificates to your Intune managed devices.
  • ✅ Jamf: EZCA also integrates with Jamf Now, Pro, and School for easy certificate distribution to your Apple devices. Check out our Jamf SCEP documentation to learn how to distribute certificates to your Jamf managed devices.
  • ✅ ManageEngine Plus: If you are using ManageEngine Plus for your certificate management, EZCA can integrate with it to provide SCEP certificate issuance. Check out our ManageEngine Plus SCEP documentation to learn how to distribute certificates to your ManageEngine Plus managed devices.
  • ✅ Apple Configurator/Business Manager: If you are using Apple Configurator to manage your Apple devices, EZCA can integrate with it to provide SCEP certificate issuance. Check out our Apple Configurator SCEP documentation to learn how to distribute certificates to your Apple Configurator managed devices.
  • ✅ EZCA Certificate Client: If you are not using an MDM solution or you want to use SCEP for a different use case, you can use the EZCA Certificate Client to request certificates directly from your SCEP CA. Check out our EZCA Certificate Client documentation to learn how to use the EZCA Certificate Client to request certificates from your SCEP CA.
  • ✅ Other MDM Solutions: If you are using a different MDM solution that supports SCEP, you can still use EZCA to create your SCEP CA and distribute certificates to your devices.