SCEP (Simple Certificate Enrollment Protocol) Integration Guide

This guide covers the implementation and configuration of SCEP (Simple Certificate Enrollment Protocol) support in PKIaaS, including Microsoft Intune integration for device certificate enrollment.

Overview

SCEP (RFC 8894) provides a standardized way for devices to automatically request and receive certificates. PKIaaS implements a complete SCEP server that is compatible with:

  • Microsoft Intune - Device management and certificate deployment
  • iOS/macOS - Native SCEP support for device enrollment
  • Android - Enterprise mobility management solutions
  • Network Equipment - Cisco, Juniper, and other network devices
  • Custom Applications - Any SCEP-compliant client

SCEP Protocol Overview

SCEP Operations

PKIaaS supports all standard SCEP operations:

| Operation     | Method | Purpose                        | Intune Compatible |
|---------------|--------|--------------------------------|-------------------|
| GetCACaps     | GET    | Retrieve CA capabilities       | ✅ Yes            |
| GetCACert     | GET    | Download CA certificate        | ✅ Yes            |
| PKIOperation  | POST   | Certificate enrollment/renewal | ✅ Yes            |
| GetNextCACert | GET    | CA rollover support            | ✅ Yes            |

SCEP Message Flow

sequenceDiagram
    participant Device
    participant SCEP as PKIaaS SCEP Server
    participant CA as Certificate Authority

    Device->>SCEP: GetCACaps
    SCEP-->>Device: Capability List

    Device->>SCEP: GetCACert
    SCEP-->>Device: CA Certificate

    Device->>Device: Generate Key Pair
    Device->>Device: Create PKCS#10 CSR

    Device->>SCEP: PKIOperation (PKCS#7 with CSR)
    SCEP->>SCEP: Verify Challenge Password
    SCEP->>SCEP: Extract and Validate CSR
    SCEP->>CA: Issue Certificate
    CA-->>SCEP: Signed Certificate
    SCEP-->>Device: PKCS#7 with Certificate
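The first two steps of the flow, capability negotiation and CA certificate download, are where a client decides which algorithms and transport to use. The following Python is an added example (not PKIaaS code or part of this guide) that parses both responses; the sample responses are constructed, and refusing SHA-1/DES3 rather than downgrading is the defensive choice shown here:

```python
"""Parse SCEP GetCACaps / GetCACert responses and pick safe client settings."""

# Capability keywords from RFC 8894 section 3.5.2, strongest first.
HASH_PREFERENCE = ("SHA-512", "SHA-256")   # SHA-1 deliberately not eligible
CIPHER_PREFERENCE = ("AES",)               # DES3 deliberately not eligible


def parse_ca_caps(body: str) -> set:
    """GetCACaps is text/plain, one keyword per line (CRLF or LF); SCEPStandard
    implies AES, SHA-256 and POSTPKIOperation per the RFC."""
    caps = {line.strip() for line in body.splitlines() if line.strip()}
    if "SCEPStandard" in caps:
        caps |= {"AES", "SHA-256", "POSTPKIOperation"}
    return caps


def select_client_settings(caps: set) -> dict:
    """Choose hash, cipher and transport from the advertised capabilities.
    Raises instead of silently downgrading to SHA-1 / DES3."""
    hash_alg = next((h for h in HASH_PREFERENCE if h in caps), None)
    cipher = next((c for c in CIPHER_PREFERENCE if c in caps), None)
    if hash_alg is None or cipher is None:
        raise ValueError(f"server offers no acceptable algorithms: {sorted(caps)}")
    return {
        "hash": hash_alg,
        "cipher": cipher,
        # With POSTPKIOperation the PKCS#7 goes in the POST body; without it
        # the message must be base64-encoded into a GET 'message' parameter.
        "use_post": "POSTPKIOperation" in caps,
        "renewal": "Renewal" in caps,
    }


def cacert_needs_pkcs7_unwrap(content_type: str) -> bool:
    """GetCACert returns a single DER certificate (x-x509-ca-cert) or, when an
    RA certificate is involved, a degenerate PKCS#7 bundle (x-x509-ca-ra-cert)
    that 'openssl x509 -inform DER' cannot read directly."""
    media = content_type.split(";", 1)[0].strip().lower()
    if media == "application/x-x509-ca-cert":
        return False
    if media == "application/x-x509-ca-ra-cert":
        return True
    raise ValueError(f"unexpected GetCACert content type: {content_type!r}")


# Constructed sample responses (not captured from a real server).
SAMPLE_CAPS_OK = "POSTPKIOperation\r\nRenewal\r\nSHA-256\r\nAES\r\nSCEPStandard\r\n"
SAMPLE_CAPS_LEGACY = "SHA-1\r\nDES3\r\n"

if __name__ == "__main__":
    print(select_client_settings(parse_ca_caps(SAMPLE_CAPS_OK)))
```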

Configuration

SCEP Service Configuration

Configure SCEP settings in config/pki.php:

/*
|--------------------------------------------------------------------------
| SCEP (Simple Certificate Enrollment Protocol) Settings
|--------------------------------------------------------------------------
*/

// Enable SCEP server
'scep_enabled' => env('PKI_SCEP_ENABLED', true),

// SCEP challenge password requirement
'scep_challenge_required' => env('PKI_SCEP_CHALLENGE_REQUIRED', false),

// Default SCEP certificate validity in days
'scep_default_validity_days' => env('PKI_SCEP_DEFAULT_VALIDITY_DAYS', 365),

// SCEP renewal threshold in days
'scep_renewal_threshold_days' => env('PKI_SCEP_RENEWAL_THRESHOLD_DAYS', 30),

// SCEP maximum message size in bytes
'scep_max_message_size' => env('PKI_SCEP_MAX_MESSAGE_SIZE', 1048576), // 1MB

Environment Variables

Add SCEP configuration to .env:

# SCEP Configuration (Microsoft Intune compatible)
PKI_SCEP_ENABLED=true
PKI_SCEP_CHALLENGE_REQUIRED=false
PKI_SCEP_DEFAULT_VALIDITY_DAYS=365
PKI_SCEP_RENEWAL_THRESHOLD_DAYS=30
PKI_SCEP_MAX_MESSAGE_SIZE=1048576

Certificate Authority Configuration

Ensure you have an appropriate intermediate CA for SCEP certificates:

# Create SCEP-specific intermediate CA
php artisan pki:create-intermediate-ca \
  --parent-ca-id=1 \
  --common-name="SCEP Intermediate CA" \
  --purpose="device_certificates" \
  --key-size=4096 \
  --validity-days=3650

Microsoft Intune Integration

Intune Configuration Steps

1. Create SCEP Certificate Profile

  1. Navigate to the Microsoft Intune admin center
  2. Go to Devices > Configuration profiles
  3. Click Create profile
  4. Select:
     • Platform: iOS/iPadOS, Windows 10 and later, or Android
     • Profile type: SCEP certificate

2. Configure SCEP Settings

Basic Information:
  • Name: Company Device Certificate
  • Description: Automated certificate deployment for corporate devices

Configuration Settings:

Certificate type: User or Device
Subject name format: Common name
Subject alternative name:
  - User principal name (user certificates)
  - DNS name (device certificates)

Key storage provider: Trusted Platform Module (TPM) KSP (recommended)
Key usage: Digital signature + Key encipherment
Key size: 2048 or 4096 bits
Hash algorithm: SHA-256

SCEP Server Settings:

Root Certificate: [Select your Root CA certificate]
SCEP Server URLs: https://your-pkiaas-domain.com/api/v1/scep
Subject name: CN={{UserName}},O=YourCompany,C=US
Subject alternative name: UPN={{UserPrincipalName}}
Certificate validity period: 1 year
Key usage: Digital signature + Key encipherment

3. Assign to Groups

  1. In Assignments, select target groups
  2. Choose assignment type:
     • Required - Automatic deployment
     • Available for enrolled devices - On-demand installation

Challenge Password Configuration

For enhanced security with challenge passwords:

// In config/pki.php
'scep_challenge_required' => true,
'scep_challenge_length' => 32,
'scep_challenge_expiry_hours' => 24,

Generate challenge passwords:

# Generate challenge password for device enrollment
php artisan scep:generate-challenge --device-id="WIN-12345" --expires-in="24h"

SCEP Endpoints

Public SCEP Endpoints

All SCEP endpoints are publicly accessible (no HTTP-level authentication, since SCEP clients do not support it). Enrollment is gated instead by the challenge password carried in the CSR when scep_challenge_required is enabled, and by the rate limiting described under Security Considerations:

GET  /api/v1/scep?operation=GetCACaps
GET  /api/v1/scep?operation=GetCACert
POST /api/v1/scep?operation=PKIOperation
GET  /api/v1/scep?operation=GetNextCACert

Health and Information Endpoints

GET  /api/v1/scep-info     # Service information
GET  /api/v1/scep/health   # Health check

Client Configuration Examples

iOS/macOS Configuration Profile

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.security.scep</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PayloadIdentifier</key>
            <string>com.company.scep</string>
            <key>PayloadUUID</key>
            <string>12345678-1234-1234-1234-123456789012</string>
            <key>PayloadDisplayName</key>
            <string>Company SCEP Certificate</string>

            <key>URL</key>
            <string>https://your-pkiaas-domain.com/api/v1/scep</string>

            <key>Subject</key>
            <array>
                <array>
                    <array>
                        <string>CN</string>
                        <string>%DeviceName%</string>
                    </array>
                </array>
                <array>
                    <array>
                        <string>O</string>
                        <string>Your Company</string>
                    </array>
                </array>
            </array>

            <key>Challenge</key>
            <string>optional-challenge-password</string>

            <key>Keysize</key>
            <integer>2048</integer>

            <key>KeyType</key>
            <string>RSA</string>

            <key>KeyUsage</key>
            <integer>5</integer>

            <key>SubjectAltName</key>
            <dict>
                <key>dNSName</key>
                <string>%DeviceName%.company.com</string>
            </dict>
        </dict>
    </array>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadIdentifier</key>
    <string>com.company.scep.profile</string>
    <key>PayloadUUID</key>
    <string>87654321-4321-4321-4321-210987654321</string>
    <key>PayloadDisplayName</key>
    <string>Company Device Certificate Profile</string>
</dict>
</plist>

Windows PowerShell Enrollment

# Windows SCEP enrollment using certreq
$scepUrl = "https://your-pkiaas-domain.com/api/v1/scep"
$challengePassword = "your-challenge-password"  # Optional

# Create certificate request template
$template = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$env:COMPUTERNAME,O=Your Company,C=US"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication

[Extensions]
2.5.29.17 = "{text}DNS=$env:COMPUTERNAME.company.com"
"@

# Save template and request certificate
$template | Out-File -FilePath "scep-request.inf"
certreq -new -config $scepUrl scep-request.inf scep-request.req

Linux/OpenSSL Client

#!/bin/bash
set -euo pipefail

SCEP_URL="https://your-pkiaas-domain.com/api/v1/scep"
DEVICE_NAME="linux-client-001"
CHALLENGE_PASSWORD="optional-password"

# Generate private key
openssl genrsa -out device.key 2048

# Request config: with prompt=no the subject is read from [dn], and the
# challenge password is embedded as the PKCS#10 challengePassword attribute,
# which is where the SCEP server looks for it
cat > device.cnf <<EOF
[req]
prompt = no
distinguished_name = dn
attributes = attrs

[dn]
CN = $DEVICE_NAME
O = Your Company
C = US

[attrs]
challengePassword = $CHALLENGE_PASSWORD
EOF

# Create certificate request
openssl req -new -key device.key -out device.csr -config device.cnf

# Get CA certificate
wget "$SCEP_URL?operation=GetCACert" -O ca-cert.der

# Convert CA certificate to PEM. If the server answered with a PKCS#7 bundle
# (Content-Type application/x-x509-ca-ra-cert), use
# "openssl pkcs7 -inform DER -in ca-cert.der -print_certs" instead
openssl x509 -inform DER -in ca-cert.der -out ca-cert.pem

# Create SCEP request (requires SCEP client tool)
# Example with sscep tool:
sscep enroll -c ca-cert.pem -k device.key -r device.csr -u "$SCEP_URL" -o device.crt

Certificate Profiles and Templates

Device Certificate Profile

For device authentication certificates:

// Certificate profile configuration
'device_certificate_profile' => [
    'key_usage' => ['digitalSignature', 'keyEncipherment'],
    'extended_key_usage' => ['clientAuth'],
    'subject_template' => 'CN={{device_name}},OU=Devices,O={{organization}},C={{country}}',
    'san_template' => [
        'dns' => '{{device_name}}.{{domain}}',
        'email' => 'device-{{device_name}}@{{domain}}'
    ],
    'validity_days' => 365,
    'auto_renewal_enabled' => true,
    'renewal_threshold_days' => 30
]

User Certificate Profile

For user authentication certificates:

// User certificate profile configuration
'user_certificate_profile' => [
    'key_usage' => ['digitalSignature', 'keyAgreement'],
    'extended_key_usage' => ['clientAuth', 'emailProtection'],
    'subject_template' => 'CN={{user_name}},OU={{department}},O={{organization}},C={{country}}',
    'san_template' => [
        'email' => '{{user_email}}',
        'upn' => '{{user_principal_name}}'
    ],
    'validity_days' => 365,
    'auto_renewal_enabled' => true,
    'renewal_threshold_days' => 30
]

Security Considerations

Challenge Password Security

When using challenge passwords:

  1. Generate Secure Passwords - Use cryptographically secure random generation
  2. Limited Lifetime - Set reasonable expiration times (24-48 hours)
  3. Single Use - Passwords should be used only once
  4. Secure Distribution - Use secure channels to distribute passwords
  5. Logging and Monitoring - Log all challenge password usage
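The five rules above combined into one issuance and verification routine, as an added Python example (not PKIaaS code). The constants mirror scep_challenge_length and scep_challenge_expiry_hours from the configuration section; the in-memory store, the outcome strings and the audit tuple layout are assumptions:

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CHALLENGE_LENGTH = 32   # characters, mirrors scep_challenge_length
EXPIRY_HOURS = 24       # mirrors scep_challenge_expiry_hours

def _digest(password: str) -> bytes:
    # Store only a hash so a leaked table does not hand out live credentials.
    return hashlib.sha256(password.encode()).digest()

@dataclass
class Challenge:
    digest: bytes
    expires_at: float
    consumed: bool = False

# In-memory stand-in for the database table the real service would use.
class ChallengeStore:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable for tests
        self.records = {}           # device_id -> Challenge
        self.audit = []             # (device_id, outcome), one entry per attempt

    def issue(self, device_id: str, hours: float = EXPIRY_HOURS) -> str:
        """Return a fresh challenge; the plaintext exists only in this return value."""
        password = secrets.token_hex(CHALLENGE_LENGTH // 2)   # CSPRNG, 128 bits
        self.records[device_id] = Challenge(_digest(password), self.clock() + hours * 3600)
        self.audit.append((device_id, "issued"))
        return password

    def verify(self, device_id: str, presented: str) -> str:
        """Return 'ok' and burn the challenge, or the reason it was rejected."""
        rec = self.records.get(device_id)
        if rec is None:
            outcome = "unknown_device"
        elif rec.consumed:
            outcome = "already_used"
        elif self.clock() > rec.expires_at:
            outcome = "expired"
        elif not hmac.compare_digest(rec.digest, _digest(presented)):
            outcome = "mismatch"        # constant-time comparison
        else:
            rec.consumed = True         # single use
            outcome = "ok"
        self.audit.append((device_id, outcome))
        return outcome
```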

SCEP Message Security

SCEP messages are protected by:

  1. PKCS#7 Encryption - The PKCS#10 request travels inside PKCS#7 EnvelopedData encrypted to the CA (or RA) certificate obtained via GetCACert
  2. PKCS#7 Signing - Every pkiMessage is PKCS#7 SignedData: the client signs requests with its own (self-signed or existing) certificate, and the CA signs responses
  3. Certificate Verification - The client verifies the CA certificate chain; because GetCACert itself is unauthenticated, the CA certificate must be trusted out of band, which is why the root CA is distributed to devices through the Intune profile
  4. Message Integrity - Signature and hash verification prevent tampering with the enclosed CSR or certificate

Rate Limiting

Implement rate limiting for SCEP endpoints:

// In routes/api.php
Route::middleware(['throttle:60,1'])->group(function () {
    Route::match(['GET', 'POST'], 'scep', [ScepApiController::class, 'handleGet']);
});

Monitoring and Troubleshooting

Health Monitoring

# Check SCEP service health
curl https://your-pkiaas-domain.com/api/v1/scep/health

# Expected response:
{
  "status": "healthy",
  "message": "SCEP service operational",
  "capabilities": ["GetCACaps", "GetCACert", "PKIOperation"],
  "timestamp": "2024-01-15T10:30:00Z"
}

SCEP Statistics

# Get SCEP service information
curl https://your-pkiaas-domain.com/api/v1/scep-info

# Response includes:
{
  "service": "SCEP",
  "version": "RFC 8894",
  "capabilities": ["POSTPKIOperation", "Renewal", "SHA-256"],
  "ca_certificates": 3,
  "active_enrollments": 1250,
  "recent_enrollments_24h": 45
}

Common Issues and Solutions

Certificate Enrollment Failures

Issue: PENDING or FAILURE responses

Causes:
  • Invalid CSR format
  • Unsupported key size
  • Challenge password mismatch
  • CA not available

Solutions:
  1. Validate CSR format and key parameters
  2. Check challenge password configuration
  3. Verify CA status and availability
  4. Review SCEP server logs

Intune Integration Issues

Issue: Devices not receiving certificates

Causes:
  • Incorrect SCEP URL in profile
  • Network connectivity issues
  • Certificate profile misconfiguration
  • Root CA not trusted on devices

Solutions:
  1. Verify SCEP URL accessibility from devices
  2. Check network firewall rules
  3. Validate certificate profile settings
  4. Deploy root CA certificate to devices

Certificate Renewal Failures

Issue: Existing certificates not renewing

Causes:
  • Auto-renewal disabled
  • Certificate not eligible for renewal
  • CA certificate expired
  • SCEP service unavailable

Solutions:
  1. Enable auto-renewal in certificate profile
  2. Check renewal threshold configuration
  3. Verify CA certificate validity
  4. Monitor SCEP service health

Debugging and Logging

Enable Debug Logging

# In .env
LOG_LEVEL=debug
PKI_LOG_CERTIFICATE_EVENTS=true
PKI_ENABLE_DETAILED_LOGGING=true

Log Analysis

Monitor SCEP operations:

# SCEP enrollment events
grep "scep_enrollment" storage/logs/laravel.log

# Certificate issuance
grep "certificate_issued" storage/logs/laravel.log

# SCEP errors
grep "scep_error" storage/logs/laravel.log
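Beyond grep, the same three event names can feed simple detection logic, for example counting challenge-password mismatches per source address. This Python is an added example (not part of PKIaaS); the log lines are constructed in Laravel's default layout and the JSON field names (device_id, ip, reason) are assumptions about the context the application logs:

```python
import json
import re
from collections import Counter

# Constructed sample lines in Laravel's default layout; field names are assumed.
SAMPLE_LOG = """\
[2024-01-15 10:30:00] production.INFO: scep_enrollment {"device_id":"WIN-12345","ip":"10.0.0.5","result":"SUCCESS"}
[2024-01-15 10:31:10] production.ERROR: scep_error {"device_id":"WIN-99999","ip":"203.0.113.7","reason":"challenge_mismatch"}
[2024-01-15 10:31:12] production.ERROR: scep_error {"device_id":"WIN-99999","ip":"203.0.113.7","reason":"challenge_mismatch"}
[2024-01-15 10:31:15] production.ERROR: scep_error {"device_id":"WIN-88888","ip":"203.0.113.7","reason":"challenge_mismatch"}
[2024-01-15 10:32:00] production.ERROR: scep_error {"device_id":"MAC-0001","ip":"10.0.0.9","reason":"csr_invalid"}
[2024-01-15 10:33:00] production.INFO: certificate_issued {"device_id":"WIN-12345","serial":"0A1B"}
"""

# [timestamp] env.LEVEL: event_name {json context}
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \w+\.(?P<level>\w+): (?P<event>\w+) (?P<ctx>\{.*\})$")


def parse_log(text: str) -> list:
    """Turn matching lines into dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ctx = json.loads(m.group("ctx"))
        events.append({"ts": m.group("ts"), "level": m.group("level"),
                       "event": m.group("event"), **ctx})
    return events


def challenge_failures_by_ip(events: list) -> Counter:
    """Count scep_error events whose reason is a challenge password mismatch."""
    return Counter(e["ip"] for e in events
                   if e["event"] == "scep_error" and e.get("reason") == "challenge_mismatch")


def suspicious_sources(events: list, threshold: int = 3) -> list:
    """Source IPs at or above the threshold: either guessing at challenge
    passwords or a mis-provisioned fleet, and worth a look either way."""
    return [ip for ip, n in challenge_failures_by_ip(events).items() if n >= threshold]
```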

Performance Optimization

Caching Strategy

Optimize SCEP performance with caching:

// Cache CA certificates for SCEP
'scep_ca_cert_cache_minutes' => 60,

// Cache SCEP capabilities
'scep_capabilities_cache_minutes' => 1440, // 24 hours

// Cache certificate chains
'scep_chain_cache_minutes' => 60,

Database Optimization

Optimize database queries for SCEP operations:

-- Index for SCEP certificate lookups
-- (partial indexes with a WHERE clause are PostgreSQL syntax; MySQL does not support them)
CREATE INDEX idx_certificates_scep ON certificates(type, status)
WHERE type = 'scep';

-- Index for serial number lookups
CREATE INDEX idx_certificates_serial_scep ON certificates(serial_number, type)
WHERE type = 'scep';

Load Balancing

For high-availability SCEP deployments:

  1. Stateless Design - SCEP operations are stateless
  2. Database Sharing - Multiple instances can share the same database
  3. Certificate Consistency - Ensure CA certificates are synchronized
  4. Health Checks - Monitor each instance separately

This comprehensive SCEP implementation provides enterprise-grade device certificate enrollment compatible with Microsoft Intune and other mobile device management solutions.
