SCEPman shall implement a fully unattended Certificate Authority for the Microsoft Intune based device certificate deployment described in this document:
“In Microsoft Intune, you can add third-party certificate authorities (CA), and have these CAs issue and validate certificates using the Simple Certificate Enrollment Protocol (SCEP). Add third-party certification authority provides an overview of this feature, and describes the Administrator tasks in Intune.”
The intended implementation is a .NET Core C# based Azure WebApp providing the SCEP and Intune API, using Bouncy Castle to implement the necessary certificate request handling and Azure Key Vault based Root CA and certificate signing. No other component is involved, neither a database nor any other stateful storage except the Key Vault. As a consequence, the concept does not need any backup procedures.
Register an application in Azure Active Directory
Add a new app registration in Azure Active Directory
- Login to your Azure Portal with an Admin Account.
- Navigate to Azure Active Directory
- Choose App registrations
- Click New registration
- Set supported account types to Accounts in this organizational directory only
- Save the Application (client) ID somewhere because you will need it for the deployment
Create a client secret
- Select the Certificates & secrets blade
- Add a new client secret with New client secret
- Define a Description and set expiration to Never
- Save the generated secret somewhere because you are not able to look it up again
Set API permissions
- Select the API permissions blade
- Click Add a permission to grant required permissions
- Select Intune
- Choose Application permissions as the permission type
- Click scep_challenge_provider and confirm with Add permission
- Click Add a permission once again
- Select Microsoft Graph
- Expand Directory and check Directory.Read.All and confirm with Add permission
- Click Grant admin consent and confirm the displayed dialog with Yes
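The same app registration, client secret, API permissions and admin consent can be created non-interactively. The following PowerShell script is an added example and not part of the SCEPman project; it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph module) and assumes you sign in as an administrator. The display names, the secret lifetime and the service principal display name "Microsoft Intune API" are assumptions you may need to adjust for your tenant; the permission names scep_challenge_provider and Directory.Read.All are the ones listed in the steps above.

```powershell
# Added example (not SCEPman project code): automate the app registration steps
# with the Microsoft Graph PowerShell SDK. Requires: Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All", "Directory.Read.All"

# 1. Register the application. "AzureADMyOrg" is the Graph value for
#    "Accounts in this organizational directory only".
$app = New-MgApplication -DisplayName "SCEPman" -SignInAudience "AzureADMyOrg"
Write-Host "Application (client) ID: $($app.AppId)"   # needed later for the deployment

# 2. Create a client secret. The portal flow sets expiration to Never; Graph takes an
#    explicit end date, so a long lifetime is used here (assumption, adjust to your policy).
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "SCEPman deployment"
    EndDateTime = (Get-Date).AddYears(10)
}
Write-Host "Client secret (shown only once): $($secret.SecretText)"

# 3. A service principal is required before application permissions can be consented to.
$sp = New-MgServicePrincipal -AppId $app.AppId

# 4. Look up the resource APIs and the two application roles by name instead of
#    hard-coding GUIDs. Microsoft Graph's appId is the well-known
#    00000003-0000-0000-c000-000000000000; the Intune API is found by display name (assumption).
$intune = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Intune API'"
$graph  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$intuneRole = $intune.AppRoles | Where-Object { $_.Value -eq 'scep_challenge_provider' }
$graphRole  = $graph.AppRoles  | Where-Object { $_.Value -eq 'Directory.Read.All' }
if (-not $intuneRole -or -not $graphRole) { throw "Required app role not found on resource service principal" }

# 5. Record the permissions on the app registration (what the portal's "API permissions" blade shows).
Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess @(
    @{ ResourceAppId = $intune.AppId; ResourceAccess = @(@{ Id = $intuneRole.Id; Type = "Role" }) },
    @{ ResourceAppId = $graph.AppId;  ResourceAccess = @(@{ Id = $graphRole.Id;  Type = "Role" }) }
)

# 6. "Grant admin consent" = assign the app roles to the app's own service principal.
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
    -ResourceId $intune.Id -AppRoleId $intuneRole.Id | Out-Null
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
    -ResourceId $graph.Id -AppRoleId $graphRole.Id | Out-Null

# 7. Verify: exactly these two role assignments should exist, and nothing broader.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
    Select-Object ResourceDisplayName, AppRoleId, CreatedDateTime | Format-Table
```

The final listing is the check worth keeping: the SCEPman identity should carry only the two application roles named above, and any additional assignment that shows up here is a sign the registration has drifted from the least-privilege set the guide describes.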
Deploy to Azure
When the app registration is done, use the Deploy to Azure button to deploy SCEPMan to your Azure subscription.
Alternatively, you can also deploy the Beta Channel.
- Select an existing resource group or create a new one. The SCEPMan resources will be deployed in this resource group.
- Set the location to the Azure region you want to deploy to
- Insert the GUID of the app registration which you have created in the steps before
- Insert the client secret of this app registration
- Define a name for key vault, app service plan and web site
- Agree to the terms and conditions by clicking the checkbox
- Click Purchase
Sometimes it is necessary to restart the app service before SCEPMan runs properly.
Create root certificate
- Send a POST request to certsrv/mscep/mscep.dll/pkiclient.exe/create-root
- Please look into the logs in case of any error.
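Triggering the root creation and then confirming that the web site actually serves a CA certificate can be done from PowerShell. This is an added example, not SCEPman's own code: the site name is a placeholder, and the verification step assumes SCEPman answers the standard SCEP GetCACert query (RFC 8894) at the same pkiclient.exe path, which the guide does not state explicitly.

```powershell
# Added example (not SCEPman project code): create the root CA and verify the result.
$site = "<your-web-site-name>"                     # placeholder: web site name chosen at deployment
$base = "https://$site.azurewebsites.net/certsrv/mscep/mscep.dll"

# Step from the guide: POST to create-root. Invoke-WebRequest throws on a non-success status,
# so an error here means: check the app service logs as the guide advises.
$resp = Invoke-WebRequest -Method Post -Uri "$base/pkiclient.exe/create-root"
Write-Host "create-root returned HTTP $($resp.StatusCode)"

# Verification (assumption: standard SCEP GetCACert is served at this path).
# The response is either a single DER certificate or a degenerate PKCS#7 bundle;
# X509Certificate2Collection.Import handles both encodings.
$ca = Invoke-WebRequest -Uri "$base/pkiclient.exe?operation=GetCACert"
Write-Host "GetCACert content type: $($ca.Headers['Content-Type'])"

$certs = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
$certs.Import([byte[]]$ca.Content)

foreach ($cert in $certs) {
    # A root CA must carry basicConstraints CA=TRUE; anything else served here is suspect.
    $bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    [pscustomobject]@{
        Subject    = $cert.Subject
        IsCA       = if ($bc) { $bc.CertificateAuthority } else { $false }
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint   # record this; it is what Intune and devices will pin to
    }
}
```

Keep the printed thumbprint with your deployment notes: it is the value to compare against the certificate shown in the Key Vault and in the Intune trusted certificate profile, so a later, unexpected change of the root is noticed rather than silently accepted.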