How-To: Issue SCEP Certificates in Apple Configurator
Overview - What is Apple Configurator?
Apple Configurator is a macOS application that allows administrators to configure and deploy iOS, iPadOS, and tvOS devices in bulk. It provides tools for creating and installing configuration profiles, including SCEP certificates, on Apple devices.
Does Apple Configurator Support SCEP Certificates?
Yes. Apple Configurator has built-in support for creating and deploying SCEP certificates to Apple devices. You can use Apple Configurator to create a configuration profile that includes a trusted Certificate and SCEP payload, which can then be installed on your devices to issue SCEP certificates from your EZCA SCEP CA.
When using Apple Configurator to issue SCEP certificates, you can use Apple’s built-in variables to dynamically populate the Subject and Subject Alternative Name (SAN) fields of the issued certificates with device-specific information, such as the device’s hardware UUID or hostname. This allows for more personalized certificates that can be used for a variety of use cases, such as Wi-Fi or VPN authentication.
Apple’s Built-In Variables
| Variable | Substitution |
|---|---|
| %ComputerName% | The Mac computer’s name, as set in Sharing (in System Settings > General for macOS 13 or later, or in System Preferences for macOS 12.0.1 or earlier). |
| %HardwareUUID% | The Mac computer’s unique identifier. |
| %HostName% | The Mac computer’s DNS name, such as mac1.betterbag.com. |
| %LocalHostName% | The Mac computer’s local network name, such as Mac1.local. |
| %MACAddress% | The Mac computer’s Ethernet (en0) MAC address. |
| %SerialNumber% | The Mac computer’s serial number. |
A good set of values to use would be:
- Subject: CN=%HardwareUUID%
- DNS SAN: %HostName%
Can I Use Apple Configurator-Issued SCEP Certificates for Wi-Fi or VPN?
Yes! Once you issue SCEP certificates to your devices using Apple Configurator, you can use them like any X.509 certificate. This means you can use them for Wi-Fi authentication, VPN authentication, or any other use case that requires a client certificate. The use of Apple’s built-in variables allows for more personalized certificates that can be tailored to specific devices.
What Types of Apple Devices Can I Issue SCEP Certificates To with Apple Configurator?
Apple Configurator manages iOS, iPadOS, and tvOS devices, and the .mobileconfig profile it creates can also be installed on macOS. This means you can issue SCEP certificates to iPhones, iPads, Apple TVs, and Macs using the custom profile method described in this guide.
How to Configure Apple Configurator to Issue SCEP Certificates - Step-by-Step Guide
The following steps will guide you through the process of configuring Apple Configurator to issue SCEP certificates from your EZCA SCEP CA using Custom Profiles.
Prerequisites for Configuring Apple Configurator with SCEP
- You will need a macOS device with Apple Configurator installed to create the custom profile.
- You will need an EZCA SCEP CA set up and ready to issue certificates.
How to Download Your Root and/or SCEP CA Certificates from EZCA
To establish trust for your SCEP certificates, you will need to download and later push the CA certificate(s) for your SCEP CA to your devices. If your SCEP CA is a subordinate CA, you will need to download both the root and SCEP CA certificates. If your SCEP CA is a root CA, you will only need to download the SCEP CA certificate.
1. Navigate to your EZCA portal and sign in as a PKI Administrator.
2. Click on the Certificate Authorities tab and scroll to your SCEP CA.
3. Click on the View Requirements button for your SCEP CA.
4. Scroll down to the CA Locations section and click on the Download Certificate button for your CA.
5. If your SCEP CA is a subordinate CA, repeat the process to download the root CA certificate as well.
How to Enable Static SCEP Challenge in Your EZCA SCEP CA
Before you can create a custom profile for SCEP in Apple Configurator, you need to ensure that your EZCA SCEP CA is configured to use a static challenge. A static challenge is a shared secret: every device enrolling through this profile presents the same value, so anyone who obtains the challenge and the SCEP URL can request a certificate from your CA. Treat it as a credential and rotate it if the profile is exposed.
1. Navigate to your EZCA portal and sign in as a PKI Administrator.
2. Click on the Certificate Authorities tab and scroll to your SCEP CA.
3. Click on View Requirements for your SCEP CA.
4. Check the box for Enable SCEP Static Challenge and click Save Changes. You will now see your Static Challenge SCEP URL and SCEP Challenge.
How to Create a Configuration Profile in Apple Configurator for SCEP
1. Start on a macOS device with Apple Configurator installed.
2. Open Apple Configurator, and click on File → New Profile to create a new configuration profile.
3. Fill out the General section with a name, identifier, and description for the profile.
4. Click on the Certificates section and then click on the Configure button to add a new certificate payload.
5. Select the CA certificate you downloaded from EZCA and upload it to the profile. This will ensure that the CA certificates are pushed to the devices and that they trust the SCEP CA.
6. Repeat the process to upload the root CA certificate if your SCEP CA is a subordinate CA.
7. Next, click on the SCEP section and click on the Configure button to add a new SCEP payload.
8. Copy the Static Challenge SCEP URL from your EZCA portal and paste it into the URL field in Apple Configurator. Do the same for the Static Challenge in the Challenge field.
9. Configure the remaining fields:
   - Name: Set as the name of your SCEP CA
   - Subject: Use a static value or Apple’s built-in variables (e.g. CN=%HardwareUUID%)
   - Subject Alternative Name Type: Set as DNS Name
   - Subject Alternative Name Value: Use a static value or Apple’s built-in variables (e.g. %HostName%)
   - Key Size: Set as 2048 or higher.
   - Key Usage: Set as “Sign” and “Key Encipherment”.
10. You should now have a complete SCEP configuration in your custom profile.
11. Save the profile to your device as a .mobileconfig file. The .mobileconfig is an XML property list, and the SCEP payload stores the challenge in plaintext inside it, so store and distribute the file as you would any other secret.
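The profile Apple Configurator saves can also be generated and reviewed outside the GUI. The script below is an added example, not EZCA's or Apple's own tooling: it builds the same two-payload profile (trusted CA certificate plus SCEP payload, with the Subject and SAN variables recommended above) using only the standard library, writes it as a .mobileconfig, and audits a profile for the mistakes a reviewer would catch before distribution. The SCEP URL, challenge and CA certificate bytes are placeholders to be replaced with the values from your EZCA portal; the Key Usage bit values (1 = signing, 4 = encipherment) are the ones Apple's SCEP payload uses.

```python
"""Build and audit a SCEP enrollment .mobileconfig with only the standard library."""
import plistlib
import uuid

# Placeholder inputs (constructed for this example, not real EZCA values).
SCEP_URL = "https://scep.example.com/scep"              # assumed URL
SCEP_CHALLENGE = "replace-with-static-challenge"        # assumed challenge
CA_CERT_DER = bytes.fromhex("3082010a0282010100") + bytes(248)  # fake DER bytes, not a real cert

# Bit values Apple defines for the SCEP payload "Key Usage" integer.
KEY_USAGE_SIGN = 1
KEY_USAGE_ENCIPHER = 4


def _header(payload_type, display_name, identifier):
    """Common keys every payload (and the profile itself) must carry."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }


def build_profile(scep_url, challenge, ca_certs_der, ca_name="EZCA SCEP CA",
                  subject_cn="%HardwareUUID%", dns_san="%HostName%",
                  key_size=2048, org_id="com.example.scep"):
    """Return a profile dict: one trusted-cert payload per CA, then the SCEP payload."""
    payloads = []
    for n, der in enumerate(ca_certs_der, 1):
        p = _header("com.apple.security.root", f"{ca_name} trust {n}", f"{org_id}.root{n}")
        p["PayloadContent"] = der                # bytes serialise as <data> (base64 DER)
        payloads.append(p)
    scep = _header("com.apple.security.scep", ca_name, f"{org_id}.enroll")
    scep["PayloadContent"] = {
        "URL": scep_url,
        "Name": ca_name,
        "Challenge": challenge,                  # stored in plaintext in the file
        "Subject": [[["CN", subject_cn]]],       # list of RDNs, each a list of [type, value]
        "SubjectAltName": {"dNSName": dns_san},
        "Key Type": "RSA",
        "Keysize": key_size,
        "Key Usage": KEY_USAGE_SIGN | KEY_USAGE_ENCIPHER,   # 5 = Sign + Key Encipherment
        "Retries": 3,
        "RetryDelay": 10,
    }
    payloads.append(scep)
    profile = _header("Configuration", f"{ca_name} enrollment", f"{org_id}.profile")
    profile["PayloadContent"] = payloads
    return profile


def to_mobileconfig(profile):
    """Serialise to the XML plist bytes that Apple Configurator would save."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def load_mobileconfig(data):
    """Parse .mobileconfig bytes (unsigned XML plist) back into a dict."""
    return plistlib.loads(data)


def audit_profile(profile):
    """Return the findings a reviewer should clear before the profile is distributed."""
    payloads = profile.get("PayloadContent", [])
    findings = []
    if not any(p["PayloadType"] in ("com.apple.security.root", "com.apple.security.pkcs1")
               for p in payloads):
        findings.append("no CA certificate payload: devices will not trust the issued chain")
    for p in (p for p in payloads if p["PayloadType"] == "com.apple.security.scep"):
        c = p["PayloadContent"]
        if not c.get("URL", "").lower().startswith("https://") and "CAFingerprint" not in c:
            findings.append("plain-http SCEP URL with no CAFingerprint: GetCACert reply is unauthenticated")
        if c.get("Challenge"):
            findings.append("static challenge is stored in plaintext: handle the .mobileconfig as a secret")
        else:
            findings.append("no challenge: a static-challenge CA will reject the request")
        if c.get("Keysize", 0) < 2048:
            findings.append(f"RSA key size {c.get('Keysize')} is below 2048")
        if not c.get("Key Usage", 0) & KEY_USAGE_SIGN:
            findings.append("Key Usage lacks signing: TLS client authentication will fail")
    return findings


if __name__ == "__main__":
    prof = build_profile(SCEP_URL, SCEP_CHALLENGE, [CA_CERT_DER])
    with open("ezca-scep.mobileconfig", "wb") as fh:
        fh.write(to_mobileconfig(prof))
    for finding in audit_profile(prof):
        print("finding:", finding)
```

Run against a profile exported from Apple Configurator, `audit_profile(load_mobileconfig(open(path, "rb").read()))` flags a missing trust payload, an unpinned plain-http URL, a sub-2048 key or a Key Usage without signing; the plaintext-challenge finding is always present for a static-challenge profile and is there to remind whoever distributes the file that it carries a credential. Signed profiles are CMS-wrapped and would need to be unwrapped before parsing.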
How to Install a Configuration Profile on macOS
Now that you have created a configuration profile for SCEP in Apple Configurator, you can install it on your device.
When a profile is manually installed on a device, it issues the certificate to the user’s login keychain and not the System keychain. Only MDM solutions can issue certificates to the System keychain. This means that if you manually install the profile created in Apple Configurator, the SCEP certificate will be issued to the login keychain and will only be available to that user, and for that user’s Wi-Fi or VPN sessions. If you want the certificate to be available system-wide, you will need to upload the profile to an MDM solution like Intune or Jamf and deploy it to your devices.
1. Double-click the .mobileconfig file you saved from Apple Configurator.
2. Open System Settings. In the top-right of the page, click Profile Downloaded. You will see the profile you just created in Apple Configurator under Downloaded.
3. Double-click on the profile to view its contents and click Install….
4. Your trusted certificates will now be installed, and the device will attempt to enroll in SCEP and request a certificate from your EZCA SCEP CA.
How to Verify Your Apple Devices Received the SCEP Certificate
To verify that your devices have received the SCEP certificate, you can check the device’s certificate store via the Keychain Access app on macOS.
1. Open the Keychain Access app on your macOS device.
2. In the left sidebar, select login.
3. Select the Certificates category.
4. You will now see both the CA certificate(s) you uploaded in the profile and the SCEP certificate issued to the device. Open the issued certificate and confirm that the Subject and Subject Alternative Name contain the substituted device values (for example, the hardware UUID and hostname) rather than the literal %HardwareUUID% and %HostName% strings, and that it also appears under My Certificates, which shows it is paired with its private key and can be used for client authentication.