How-To: Issue SCEP Certificates in NinjaOne on Windows

Learn how to issue SCEP certificates to Windows devices using NinjaOne and an EZCA SCEP CA

Overview - Issuing SCEP Certificates with NinjaOne on Windows

In this guide, we will walk through the steps to configure NinjaOne to issue SCEP certificates from your EZCA SCEP CA to Windows devices using the EZCA Certificate Renewal Client. At a high level you will:

  1. Configure your EZCA SCEP CA to use a static SCEP challenge.
  2. Store your EZCA SCEP CA parameters (SCEP Endpoint URL, SCEP Challenge, CA Certificates, and CA Authority Subject Key Identifier) as NinjaOne custom fields.
  3. Create NinjaOne Automation Scripts to deploy CA certificates and request SCEP certificates from your EZCA SCEP CA.
  4. Create NinjaOne Scheduled Automations to run your scripts on a regular basis to ensure devices always have the necessary CA certificates installed and have a valid SCEP certificate issued from your EZCA SCEP CA.

Let’s get started!

How to Configure NinjaOne to Issue SCEP Certificates on Windows - Step-by-Step Guide

The following steps will guide you through the process of configuring NinjaOne to issue SCEP certificates to your Windows devices from your EZCA SCEP CA.

Prerequisites for Configuring NinjaOne with SCEP

  1. You will need a NinjaOne account with the appropriate permissions to create and deploy policies and scripts.
  2. You will need an EZCA SCEP CA set up and ready to issue certificates.

Step 1: How to Create Organization-Level Custom Fields in NinjaOne

To issue SCEP certificates in NinjaOne, you will need to store your EZCA SCEP Endpoint URL, SCEP Challenge, CA Certificates, and CA Authority Subject Key Identifier (SKI) in custom fields at the organization level. This allows you to easily reference these values in your script when requesting certificates from your SCEP CA. You can also override these values at a site or device level if needed, but for most use cases, organization-level custom fields should suffice.

  1. Log in to your NinjaOne portal and navigate to Administration > Organizations > Organization custom fields.

  2. Click on the + Add Custom Field button.

    Organization Custom Fields page in NinjaOne
  3. Refer to the table below for the Custom field type, Label, and Name of each custom field you need to create.

  4. Under the Permissions section, set the following:

    1. For Automations, set this to Read Only.
    2. For API, set this to None (unless you want to use the API to populate this field, in which case you can set this to Read/Write).
    3. For Technician access, set this to Editable (unless you want to restrict this field from being edited by technicians, in which case you can set this to Read Only or None).
  5. Under the Details section, set the Description to the value in the table below (or a description of your choice).

  6. Click on the Submit button to create the custom field.

Label | Name | Type | Description
EZCA SCEP Endpoint | ezcaScepEndpoint | Text | The URL of the EZCA SCEP Endpoint
EZCA SCEP Challenge | ezcaScepChallenge | Secure | The static challenge for the EZCA SCEP CA, if applicable
EZCA CA Certificates | ezcaCaCertificates | Multi-line | The CA certificate(s) for the EZCA SCEP CA, in PEM format with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- delimiters. If you have a separate Root CA and SCEP Subordinate CA, include both certificates concatenated together in this field, with the SCEP Subordinate CA certificate first followed by the Root CA certificate.
EZCA Authority Subject Key | ezcaAuthoritySubjectKey | Text | The Subject Key Identifier (SKI) of the CA certificate, used to identify which CA to request from or renew with. Retrieved from EZCA > Certificate Authorities > View Requirements > Advanced Settings

You should now have a completed list of custom fields that looks like:

Custom Fields in NinjaOne

Step 2: How to Download Your Root and/or SCEP CA Certificates from EZCA

To establish trust for your SCEP certificates, you will need to download and push the CA certificate(s) for your SCEP CA to your devices. Let’s start by downloading each of the CA certificates in your PKI hierarchy from the EZCA portal. If you just have a single Root CA that is also your SCEP CA, you will just need to download that one CA certificate. If you have a separate Root CA and SCEP Subordinate CA, you will need to download both the Root CA certificate and the SCEP Subordinate CA certificate.

  1. Navigate to your EZCA portal and sign in as a PKI Administrator.

  2. Click on the Certificate Authorities tab and scroll to your SCEP CA.

  3. Click on the View Details button for your SCEP CA.

    Certificate Authorities in EZCA Portal
  4. Scroll down to the CA Locations section and click on the Download Certificate button for your CA.

    Download CA Certificates from EZCA Portal
  5. If your SCEP CA is a subordinate CA, repeat the process to download the root CA certificate as well.

  6. Keep these certificate files handy, as you will need to copy and paste their contents into the custom field you created in NinjaOne to store your CA certificates in an upcoming step.

  7. Switch back over to your NinjaOne portal and navigate to Dashboard > Overview > Organizations > [Your Organization].

    Edit Organization in NinjaOne
  8. Hover over the Custom tab and select Default fields.

  9. Under Organization - Default fields, click the edit/pencil icon to edit the default organization custom fields.

    Organization Custom Fields in NinjaOne
  10. Open each of the CA certificate files you downloaded from EZCA in a text editor. You should see -----BEGIN CERTIFICATE----- at the beginning of the file and -----END CERTIFICATE----- at the end of the file, with a block of encoded text in between.

  11. Copy the entire contents of the CA certificate file, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

  12. Back in NinjaOne, paste the certificate contents into EZCA CA Certificates.

  13. Repeat the process for the second CA certificate if you have both a Root CA and SCEP Subordinate CA, making sure to paste the SCEP Subordinate CA certificate first, followed by the Root CA certificate, so that the certificates are in the correct order in the field.

  14. You should now have the CA certificate(s) both stored in the custom field and visible in the field preview.

    CA Certificates Stored in NinjaOne Custom Field

Step 3: How to Retrieve the CA Authority Subject Key Identifier (SKI) from Your EZCA SCEP CA

The CA Authority Subject Key Identifier (SKI) is a unique identifier for the CA certificate that is used when renewing SCEP certificates with EZCA. You will need to retrieve this value from your EZCA SCEP CA and store it in a custom field in NinjaOne so that your script can reference it when requesting and renewing certificates.

  1. Open your SCEP CA certificate file that you downloaded from EZCA in your OS’s default certificate viewer by double-clicking on the file.

  2. In the certificate viewer, navigate to the Details tab and look for the field called Subject Key Identifier. This is the value you need to retrieve.

    Subject Key Identifier in Certificate Details
  3. Back in NinjaOne, paste the Subject Key Identifier value into the EZCA Authority Subject Key custom field that you created earlier.

    CA Authority Subject Key Identifier Stored in NinjaOne Custom Field

Step 4: How to Enable Static SCEP Challenge in Your EZCA SCEP CA

EZCA SCEP CAs support static SCEP challenges, which allow you to set a fixed challenge value that devices must use when requesting certificates from the SCEP CA. Follow the steps below to enable a static SCEP challenge for your EZCA SCEP CA and retrieve the challenge value to use in your NinjaOne script.

  1. Navigate to your EZCA portal and sign in as a PKI Administrator.

  2. Click on the Certificate Authorities tab and scroll to your SCEP CA.

    Certificate Authorities in EZCA Portal
  3. Click on View Requirements for your SCEP CA.

  4. Check the box for Enable SCEP Static Challenge and click Save Changes. You will now see your Static Challenge SCEP URL and SCEP Challenge:

    SCEP CA Static Challenge in EZCA Portal
  5. Back in NinjaOne, paste the SCEP URL and SCEP Challenge values into the EZCA SCEP Endpoint and EZCA SCEP Challenge custom fields that you created earlier.

    SCEP Endpoint and Challenge Stored in NinjaOne Custom Fields
  6. Click Save to save your changes to the custom fields. They can now be used in your NinjaOne scripts to request certificates from your EZCA SCEP CA.

    Save Organization Custom Fields in NinjaOne

Step 5: How to Create an Automation Script in NinjaOne to Push CA Certificates to Devices

Before you can issue your first SCEP certificate to a device using NinjaOne, you need to ensure that the device trusts the CA certificate(s) for your SCEP CA. To do this, you can create an automation script in NinjaOne that retrieves the CA certificate(s) from the custom field you created and installs them into the appropriate certificate store on the device.

  1. In your NinjaOne portal, navigate to Administration > Library > Automation.

  2. Click on the + Add automation button and select New script.

    Create New Automation Script in NinjaOne
  3. Enter the following values under Create script:

    1. Name: EZCA - Trust CA Certificates
    2. Description: Install PEM-encoded CA certificate(s) from EZCA into the Trusted Root Certification Authorities and Intermediate Certification Authorities stores on Windows devices.
    3. Language: PowerShell
    4. Operating System: Windows
    5. Architecture: All
    6. Run as: System
    7. Script variables: None
    8. Parameters: None
  4. Copy and paste the contents of Install-EZCACertificatesFromPEM.ps1 into the script editor in NinjaOne.

  5. Click on the Save button to save your script.

    NinjaOne Script Editor with Install Certificates Script
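The following is an added example of what a script like the one above needs to do; it is not the page's Install-EZCACertificatesFromPEM.ps1 and may differ from it. It assumes the NinjaOne cmdlet Ninja-Property-Get returns the organization custom field from Step 1, splits the PEM bundle into individual certificates, refuses anything that is not a CA certificate, and places self-signed certificates in Trusted Root and subordinate certificates in Intermediate Certification Authorities.

```powershell
# Added example (not the page's Install-EZCACertificatesFromPEM.ps1). Assumes the NinjaOne
# cmdlet Ninja-Property-Get returns the organization custom field created in Step 1.
$pem = Ninja-Property-Get ezcaCaCertificates
if ([string]::IsNullOrWhiteSpace($pem)) { Write-Error 'ezcaCaCertificates is empty'; exit 1 }

# Split the field into individual PEM blocks (SCEP Subordinate CA first, then Root CA)
$blocks = @([regex]::Matches($pem, '-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----') |
    ForEach-Object { $_.Value })
if ($blocks.Count -eq 0) { Write-Error 'No PEM certificate blocks found in ezcaCaCertificates'; exit 1 }

$certs = foreach ($block in $blocks) {
    $b64 = ($block -replace '-----(BEGIN|END) CERTIFICATE-----', '') -replace '\s', ''
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
}

foreach ($cert in $certs) {
    # Only a CA certificate belongs in these stores; refuse anything without the CA basic constraint
    $bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) { Write-Error "Not a CA certificate: $($cert.Subject)"; exit 1 }

    # Self-signed (Subject == Issuer) goes to Trusted Root; a subordinate goes to Intermediate (store name 'CA')
    $storeName = if ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'CA' }
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new($storeName, 'LocalMachine')
    $store.Open('ReadWrite')   # requires the script to run as System, as configured above
    try {
        if ($store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false).Count -gt 0) {
            Write-Output "Already present in LocalMachine\$storeName`: $($cert.Subject) [$($cert.Thumbprint)]"
        } else {
            $store.Add($cert)
            Write-Output "Installed into LocalMachine\$storeName`: $($cert.Subject) [$($cert.Thumbprint)]"
        }
    } finally { $store.Close() }
}
```

Re-running the script is safe: certificates already present are reported by thumbprint and skipped rather than added twice.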

Step 6: How to Create an Automation Script in NinjaOne to Issue SCEP Certificates

Another NinjaOne automation script is needed to request SCEP certificates from your EZCA SCEP CA. This script will reference the custom fields you created to retrieve the SCEP Endpoint, SCEP Challenge, CA Certificates, and CA Authority Subject Key Identifier (SKI) values when requesting certificates.

  1. Click on the + Add automation button again and select New script.

    Create New Automation Script in NinjaOne
  2. Enter the following values under Create script:

    1. Name: EZCA - Request & Renew SCEP Certificate
    2. Description: Request or renew a SCEP certificate from EZCA SCEP CA using the parameters stored in custom fields.
    3. Language: PowerShell
    4. Operating System: Windows
    5. Architecture: All
    6. Run as: If issuing device/machine certificates, select System. If issuing user certificates, select Current user.
    7. Parameters: None
  3. Under Script variables, add a Dropdown variable with the following values:

    1. Make variable mandatory: Enabled
    2. Name: Certificate Scope
    3. Description: Select whether to issue the certificate to the current user or local machine store. If issuing user certificates, set Run as to Current user. If issuing device/machine certificates, set Run as to System.
    4. Option value: Add CurrentUser and LocalMachine
    5. Click Add to add the variable.

    NinjaOne Script Variable for Certificate Scope
  4. Copy and paste the contents of Create-EZCASCEPCertificateWithRenewal.ps1 into the script editor in NinjaOne.

  5. Click on the Save button to save your script.

    NinjaOne Script Editor with Install SCEP Script

Step 7: How to Run Your NinjaOne Automation Script to Deploy CA Certificates and Issue SCEP Certificate

Now that you have your automation scripts created in NinjaOne, you can run them on your target devices to first deploy the CA certificates and then request SCEP certificates from your EZCA SCEP CA.

  1. In your NinjaOne portal, navigate to Administration > Policies > Agent policies.

  2. Click on your existing agent policy (or create a new one):

    Edit Agent Policy in NinjaOne
  3. Under Scheduled Automations, click Add a Scheduled Automation.

    Add Scheduled Automation to NinjaOne Agent Policy
  4. Enter the following values for your scheduled automation:

    1. Name: EZCA - Install CA Certificates & Issue SCEP Certificate
    2. Description: Install CA certificates for EZCA SCEP CAs and issue SCEP certificate.
    3. Schedule: Run Once Immediately. This executes the automation right away on any online device. For offline devices, it will run as soon as they come online, and it will also apply to any new devices added to the policy in the future.
    4. Channels: Set as desired.
    5. Notify Technicians: Set as desired.
  5. Next to Automations click Add.

  6. Search for “EZCA” and select EZCA - Trust CA Certificates.

  7. Keep Run As set to System and leave Preset Parameter blank.

  8. Click Apply to add the automation.

    Add Install CA Certificates Script to NinjaOne Scheduled Automation
  9. Next to Automations click Add again to add another scheduled automation to issue a SCEP certificate after the CA certificates have been installed.

  10. Search for “EZCA” and select EZCA - Request & Renew SCEP Certificate.

  11. If issuing machine/device certificates, set Run As to System. If issuing user certificates, set Run As to Current Logged On User.

  12. Keep Preset Parameter blank.

  13. Set CertificateScope to LocalMachine if issuing machine/device certificates or CurrentUser if issuing user certificates.

    Add Request & Renew SCEP Certificate Script to NinjaOne Scheduled Automation
  14. Click Apply to add the automation.

  15. Click Add to save your scheduled automation.

    Request & Renew SCEP Certificate Scheduled Automation Added to NinjaOne Agent Policy

Step 8: How to Run Your NinjaOne Automation Script to Issue SCEP Certificates

In the previous step you configured your devices to trust your EZCA CA certificates and you issued the initial SCEP certificate to your devices. However, SCEP certificates typically have a relatively short validity period (e.g. 1 year or less) and need to be renewed regularly to ensure that devices always have a valid certificate. To automate the renewal process, you can add one more Scheduled Automation which runs periodically to check the expiration date of the installed SCEP certificate and automatically renew it with your EZCA SCEP CA when it is close to expiring.

  1. Under Scheduled Automations in your NinjaOne agent policy, click Add a Scheduled Automation to add another scheduled automation.

    Add Scheduled Automation to NinjaOne Agent Policy
  2. Enter the following values for your scheduled automation:

    1. Name: EZCA - Request & Renew SCEP Certificate
    2. Description: Renew a SCEP certificate from EZCA SCEP CA. Issues a new certificate if the existing certificate is expired or missing.
    3. Schedule: If you want to issue device/machine certificates, select On System Startup. If you want to issue user certificates, select On User Logon. This ensures that the script runs when the device starts up or when the user logs in, which is a good time to check for certificate renewal as well. You can choose Daily, but note that this will not run if the device is offline during the scheduled time, so it may not be as reliable for ensuring timely certificate renewal.
    4. Channels: Set as desired.
    5. Notify Technicians: Set as desired.
  3. Search for “EZCA” and select EZCA - Request & Renew SCEP Certificate.

  4. If issuing machine/device certificates, set Run As to System. If issuing user certificates, set Run As to Current Logged On User.

  5. Keep Preset Parameter blank.

  6. Set CertificateScope to LocalMachine if issuing machine/device certificates or CurrentUser if issuing user certificates.

  7. Click Apply to add the automation.

    Add Request & Renew SCEP Certificate Script to NinjaOne Scheduled Automation
  8. Click Add to save your scheduled automation.

    Request & Renew SCEP Certificate Scheduled Automation Added to NinjaOne Agent Policy
  9. Make sure to Save your policy to apply the new Scheduled Automations:

    Save NinjaOne Agent Policy
  10. Your devices will now automatically check for certificate renewal on the schedule you set and request a new SCEP certificate from your EZCA SCEP CA when the existing certificate is close to expiring, ensuring that your devices always have a valid certificate installed.

Step 9: How to Verify SCEP Certificate Issuance and Renewal on Your Devices

Now that you have your scheduled automations set up to issue and renew SCEP certificates from your EZCA SCEP CA, you can verify that the certificates are being installed correctly on your devices.

  1. In NinjaOne, navigate to Devices and select a device you want to validate.

    Select Device in NinjaOne
  2. Hover over the Actions tab and select All to view all actions for the device.

  3. You should see both the EZCA - Trust CA Certificates and EZCA - Request & Renew SCEP Certificate actions in the list, with the status of each.

    Device Activities in NinjaOne

You can also check on the device itself to verify that a SCEP certificate was installed correctly.

  1. If you issued the certificate to the local machine store, open the Certificates MMC snap-in for the local machine by running certlm.msc (or searching for it in the Start Menu). If you issued the certificate to the current user store, run certmgr.msc instead.

  2. Open Personal > Certificates to view all installed certificates in the Personal store (either for the local machine or current user, depending on where you issued the certificate).

  3. You should see the SCEP certificate that was issued from your EZCA SCEP CA.

    Certificates MMC Snap-in Showing Issued SCEP Certificate
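The expiry check that the renewal automation in Step 8 relies on, and a scripted alternative to the MMC verification just described, as an added example: this is not the page's Create-EZCASCEPCertificateWithRenewal.ps1 and it does not submit a SCEP request itself; it locates the certificate issued by your EZCA SCEP CA by matching its Authority Key Identifier against the SKI stored in Step 3 and reports whether a request or renewal is due. It assumes Ninja-Property-Get returns the organization custom field, that the Certificate Scope script variable from Step 6 reaches the script as $env:certificateScope, and a 30-day renewal window.

```powershell
# Added example (not the page's Create-EZCASCEPCertificateWithRenewal.ps1). Assumes
# Ninja-Property-Get returns the organization custom field from Step 3 and that the
# "Certificate Scope" script variable from Step 6 reaches the script as $env:certificateScope.
param(
    [ValidateSet('CurrentUser', 'LocalMachine')]
    [string]$Scope = $(if ($env:certificateScope) { $env:certificateScope } else { 'LocalMachine' }),
    [int]$RenewWithinDays = 30   # assumed renewal window; adjust to your CA's certificate lifetime
)

function Get-AuthorityKeyId([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # Decode the Authority Key Identifier extension (OID 2.5.29.35) straight from its DER bytes:
    # SEQUENCE { [0] keyIdentifier OCTET STRING, ... }. Returns the keyIdentifier as upper-case hex.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.35' } | Select-Object -First 1
    if (-not $ext) { return $null }
    $der = $ext.RawData
    if ($der[0] -ne 0x30) { return $null }
    $i = 2 + $(if ($der[1] -band 0x80) { $der[1] -band 0x7F } else { 0 })   # skip the SEQUENCE header
    if ($der[$i] -ne 0x80) { return $null }                                    # keyIdentifier must come first
    return ([System.BitConverter]::ToString($der, $i + 2, $der[$i + 1]) -replace '-', '')
}

function Get-EzcaScepCertificateStatus {
    param([string]$Scope, [string]$AuthoritySki, [int]$RenewWithinDays)
    # Normalise the SKI pasted from the certificate viewer (spaces, colons and case vary by viewer)
    $ski = ($AuthoritySki -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if (-not $ski) { throw 'ezcaAuthoritySubjectKey is empty' }
    # Newest certificate in the Personal store whose AKI matches the EZCA SCEP CA's SKI
    $cert = Get-ChildItem "Cert:\$Scope\My" |
        Where-Object { (Get-AuthorityKeyId $_) -eq $ski } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        return [pscustomobject]@{ Action = 'Request'; Reason = 'no certificate issued by this CA'; Certificate = $null }
    }
    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    if ($daysLeft -lt 0)                    { $action = 'Request'; $reason = "expired $(-$daysLeft) day(s) ago" }
    elseif ($daysLeft -le $RenewWithinDays) { $action = 'Renew';   $reason = "expires in $daysLeft day(s)" }
    else                                    { $action = 'None';    $reason = "valid for $daysLeft more day(s)" }
    [pscustomobject]@{ Action = $action; Reason = $reason; Certificate = $cert }
}

$status = Get-EzcaScepCertificateStatus -Scope $Scope -AuthoritySki (Ninja-Property-Get ezcaAuthoritySubjectKey) -RenewWithinDays $RenewWithinDays
Write-Output "$($status.Action): $($status.Reason)"
if ($status.Certificate) {
    Write-Output "Subject $($status.Certificate.Subject), thumbprint $($status.Certificate.Thumbprint), expires $($status.Certificate.NotAfter)"
}
# A non-zero exit shows the action as failed in NinjaOne, so a missing or expired certificate stands out in the device's activity list
if ($status.Action -eq 'Request') { exit 1 }
```

Run it with the same Run As and CertificateScope settings as the renewal automation so it inspects the same store the certificate was issued to.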

Enjoying EZCA? Leave Us a Review!

We hope you’re enjoying using EZCA to issue your SCEP certificates in NinjaOne! If you have a moment, we would greatly appreciate it if you could leave us a review on G2. Your feedback helps other IT professionals discover EZCA and helps us continue to improve our service. Thank you for your support!