
How to Enable SCEP Service in PKI Trust Manager
This tutorial guides you through enabling the SCEP Service within the PKI Trust Manager. The PKI Trust Manager SCEP service should be used instead of Microsoft Network Device Enrollment Service. You will learn how to navigate the interface and configure the certificate templates needed for a successful setup.
Prerequisites
- How to Publish a Certificate Template in PKI Trust Manager
- How to Deploy Microsoft CA / AD CS Proxy Gateway
- How to Deploy CertAPI Container on Azure
- How to Deploy PKI Trust Manager
Let us begin at the Issuing Certification Authority that has previously been integrated with PKI Trust Manager using the CA Proxy Gateway. We will duplicate the “Enrollment Agent” and “CEP Encryption” templates and grant the CA Proxy Gateway service account Read and Enroll permissions on both. In our demo the duplicated templates are named SCEP-Sign and SCEP-ENC.
Let us take a closer look. Right-click on Certificate Templates and then click Manage.
Duplicate the CEP Encryption template and the Enrollment Agent template, naming them SCEP-ENC and SCEP-Sign respectively.
Ensure that both duplicated templates grant the PKI Trust Manager CA Proxy Gateway service account Read and Enroll permissions.
Now, over on the PKI Trust Manager Web Admin, click Certification Authorities.
Click Details to open the Certification Authority that will be used for SCEP.
Click View Templates to see the certificate templates available for configuration.
As seen here, we have already published the SCEP-ENC and SCEP-Sign templates on the PKI Trust Manager as well. Click the “NEW” button at the top right; the next steps show how each new template should be configured.
Three things need to be configured for SCEP-ENC: first, the name of the template as it will be displayed in PKI Trust Manager; second, the name of the template we configured on the Certification Authority, SCEP-ENC; and third, enabling the Is Agent Certificate option, as shown in the screen capture. Save the template after entering these details.
For SCEP-Sign the same three things need to be configured: first, the name of the template as it will be displayed in PKI Trust Manager; second, the name of the template we configured on the Certification Authority, SCEP-Sign; and third, enabling the Is Agent Certificate option, as shown in the screen capture.
Once the corresponding Enrollment Agent and CEP templates have been provisioned, we need to create a SCEP Listener Endpoint. Head over to the Integrations page and click the “NEW” button.
In the new integration form, select the appropriate Organization. By default, this is the System Organization. In the Type dropdown menu, select SCEP.
Once SCEP is selected from the dropdown, the Certificate Configuration should automatically populate. If it does not, ensure that the Certification Authority and its templates are attached to the Organization that was selected above.
Give the integration a Name and select the Certificate Template that will be used by the SCEP interface.
Select a template to fulfil the certificate requests. In our demo, we will use the previously provisioned user template.
Provide a resolvable URL for the CERT API Container. This URL must be unique and can be a CNAME or an alias that points to the CERT API Container.
Now that you have configured the SCEP Interface, let us obtain the SCEP Challenge Password. In PKI Trust Manager the SCEP Challenge Password is associated with a user. You can use either an Organization Admin user or a Service User account designated specifically for SCEP. In this demonstration, we will use the existing user and retrieve its SCEP Challenge Password.
In the User Profile, click SCEP Password to generate and retrieve the password for the SCEP service.
This displays a window containing the Challenge Password along with its validity period, as specified in the Environment variable of the Container. Use this Challenge Password to enroll network devices, MDM, or any other service that uses standard SCEP.
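Before handing the Challenge Password to devices, it is worth confirming that the new listener answers the standard SCEP GetCACaps query (RFC 8894, section 3.5.2) and advertises a modern baseline (SHA-2 digests, AES, POST for PKIOperation). The script below is an added example and is not code from PKI Trust Manager or from this tutorial; the listener URL and its path are placeholders you must replace with the CERT API Container URL configured above. It parses the plain-text capability list, flags weak or missing capabilities, and includes two constructed sample responses so the assessment logic can be exercised offline.

```python
import urllib.request
from urllib.parse import urlencode

# Placeholder listener URL (assumption): replace with the resolvable CERT API
# Container URL entered in the SCEP integration. The "/scep" path is NOT the
# product's documented path, just a stand-in for this example.
SCEP_URL = "https://scep.example.internal/scep"

# Capability keywords as defined in RFC 8894 section 3.5.2
STRONG_HASHES = {"SHA-256", "SHA-512"}
STRONG_CIPHERS = {"AES"}
REQUIRED = {"POSTPKIOperation"}


def parse_ca_caps(body: str) -> set:
    """Parse a GetCACaps response body: one capability keyword per line."""
    caps = set()
    for line in body.splitlines():
        token = line.strip()
        if token:
            caps.add(token)
    return caps


def assess_ca_caps(caps: set) -> list:
    """Return findings about the advertised capabilities (empty list = sane baseline)."""
    findings = []
    if not caps & STRONG_HASHES:
        findings.append("no SHA-2 digest advertised; clients may fall back to SHA-1/MD5")
    if not caps & STRONG_CIPHERS:
        findings.append("AES not advertised; clients may fall back to DES/3DES envelopes")
    for cap in sorted(REQUIRED - caps):
        findings.append(f"{cap} not advertised")
    if "Renewal" not in caps:
        findings.append("Renewal not advertised; devices cannot renew with their existing certificate")
    return findings


def fetch_ca_caps(url: str, timeout: float = 10.0) -> set:
    """Issue the standard HTTP GET ?operation=GetCACaps against a live listener."""
    query = urlencode({"operation": "GetCACaps"})
    with urllib.request.urlopen(f"{url}?{query}", timeout=timeout) as resp:
        return parse_ca_caps(resp.read().decode("ascii", errors="replace"))


# Constructed sample responses (not captured from any real listener)
SAMPLE_GOOD = "AES\nPOSTPKIOperation\nRenewal\nSHA-256\nSHA-512\nSCEPStandard\n"
SAMPLE_LEGACY = "POSTPKIOperation\r\nSHA-1\r\nDES3\r\n"


if __name__ == "__main__":
    for label, body in (("good", SAMPLE_GOOD), ("legacy", SAMPLE_LEGACY)):
        findings = assess_ca_caps(parse_ca_caps(body))
        print(label, findings or "OK")
    # Uncomment to query the real listener once SCEP_URL has been set:
    # print(assess_ca_caps(fetch_ca_caps(SCEP_URL)))
```

Run it as-is to see the two sample assessments, then point `SCEP_URL` at your listener and enable the live call. A listener that returns only SHA-1 and DES3, as in the legacy sample, will still enroll most devices, but the PKCS#7 exchange carrying the Challenge Password is then protected only by legacy algorithms.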
Congratulations! You have successfully enabled the SCEP Service in the PKI Trust Manager by configuring the necessary certificate templates and settings. If you require more information, please refer to the documentation or contact support.