Configuring SCEP

This section describes how to specify settings that allow the device to obtain certificates from a certificate authority (CA) using Simple Certificate Enrollment Protocol (SCEP). For information about certificate pinning for SCEP enrollment configurations, see "Configuring certificate pinning for registered devices" in the Security Settings > Certificate Mgmt section of the Ivanti EPMM System Manager Guide.

Create the SCEP enrollment certificate

To create a new SCEP certificate of enrollment:

  1. Go to Policies & Configs > Configurations and click Add New > Certificate Enrollment > SCEP.
  2. Use the following guidelines to specify the settings:

    • Name: Enter brief text that identifies this group of settings.
    • Description: Enter additional text that clarifies the purpose of this group.
    • Centralized: Ivanti EPMM retrieves certificates on behalf of devices. Ivanti EPMM also manages the certificate lifetime and triggers renewals. See “SCEP proxy functions”.

      Select this option for certificates used for email on devices with multi-user sign-in.

    • Store keys on Ivanti EPMM:

      Specifies whether Ivanti EPMM stores the private key sent to each device. When storing key is enabled, private keys are encrypted and stored on the local Ivanti EPMM.

      If you select this option after devices have been provisioned, certificates will be re-provisioned for all impacted devices.

      Select this option for certificates used for email on devices with multi-user sign-in.

    • Proxy requests through Ivanti EPMM:

      This feature is not available for Android devices.

      When this option is enabled, Ivanti EPMM acts as a reverse proxy between devices and the target certificate authority. This option is only available when Decentralized is selected.

    • User Certificate: Specifies that the certificate is distributed to multiple devices assigned to a single user.

      Select this option for certificates used for email on devices with multi-user sign-in.

    • Device Certificate: Specifies that the certificate is bound to the given device.
    • URL: Enter the URL for the SCEP server.
    • CA-Identifier: (Optional) Enter the name of the profile for SCEP servers that support named-profiles.
    • Subject: Enter an X.509 name represented as a comma-separated array of OIDs and values. Typically, the subject is set to the user’s fully qualified domain name. For example,

      C=US,DC=com,DC=ivanti,OU=InfoTech or

      CN=www.ivanti.com.

      You can also customize the Subject by appending a variable to the OID. For example, CN=www.ivanti.com-$DEVICE_CLIENT_ID$.

      For ease of configuration you can also use the $USER_DN$ variable to populate the Subject with the user’s FQDN.

    • Subject Common Name Type: Select the CN type specified in the certificate template. If you enter the $USER_DN$ variable in the Subject field, select None from the drop-down list.
    • Microsoft User Security Identifier: Select the check box to include a non-critical extension with OID 1.3.6.1.4.1.311.25.2 and the value of substitution variable $USER_SID$. If the LDAP user has no SID, the extension will not be included. Using this option may not have any impact on decentralized requests for some OS platforms. Refer to the below 'Subject Alternative Name Value' section as an alternative.

    • Key Usage: Specify acceptable use of the key by signing.
    • Encryption: Specify acceptable use of the key by encryption.
    • Key Type: Specify the key type.
    • Key Length: The values are 1024, 1536, 2048 (the default), 3072, and 4096.
    • CSR Signature Algorithm: The values are SHA1, SHA256, SHA384 (default), and SHA512.
    • Finger Print: The finger print of the CA issuing the root certificate.
    • Challenge Type: Select None, Microsoft SCEP, or Manual to specify the type of challenge to use. The Challenge Type will depend on what the NDES server is configured to use.
    • Challenge URL: For a Microsoft SCEP challenge type, enter the URL of the trustpoint defined for your Microsoft CA.
    • User Name: Enter the user name for the Microsoft SCEP CA.
    • Password: Enter the password for the Microsoft SCEP CA.
    • Subject Alternative Names Type: Select NT Principal Name, RFC 822 Name, Uniform Resource Identifier or None, based on the attributes of the certificate template. You can enter four alternative name types.

      If this SCEP setting is for authenticating the device to the Standalone Sentry using an identity certificate: select NT Principal Name and select Distinguished Name for a second Subject Alternative Name

    • Subject Alternative Names Value: Select the Subject Alternate Name Value from the drop-down list of supported variables. You can also enter custom variables in addition to and instead of the supported variables.

      If the certificate request does not support the extension to use "Microsoft User Security Identifier", such as a decentralized request from an Apple device, instead you can use a SAN URL with tag:microsoft.com,2022-09-14:sid:$USER_SID$, provided the LDAP user has the SID value.

      If this SCEP setting is for authenticating the device to the Standalone Sentry using an identity certificate: enter $USER_UPN$ for the value corresponding to NT Principal Name and enter $USER_DN$ for the value corresponding to Distinguished Name.

  3. (Optional) Click Issue Test Certificate to verify the configuration by generating a test certificate to ensure there are no errors. Although this step is optional, it is recommended. A real certificate is not generated.
  4. Click Save.

    You cannot make changes to the saved SCEP settings. When you open a saved SCEP setting, the Save button is disabled.

    If values that you enter in fields result in errors, you cannot save the configuration. If values that you enter result in warnings, you can save the configuration after confirming the warning messages. To see configuration errors, go to Services > Overview.

X.509 Codes

The Subject field uses an X.509 distinguished name. You can use one or more X.509 codes, separated by commas. This table describes the valid X.509 codes:

Table 86.  X.509 Codes

Code

Name

Type

Max Size

Example

C

Country/Region

ASCII

2

C=US

DC

Domain Component

ASCII

255

DC=company, DC=com

S

State or Province

Unicode

128

S=California

L

Locality

Unicode

128

L=Mountain View

O

Organization

Unicode

64

O=Company Name, Inc.

OU

Organizational Unit

Unicode

64

OU=Support

CN

Common Name

Unicode

64

CN=www.company.com

If the SCEP entry is not valid, then you will be prompted to correct it; partial and invalid entries cannot be saved.

SCEP proxy functions

You can enable SCEP proxy functions. The benefits for this include:

  • A single certificate verifies Exchange ActiveSync, Wi-Fi, and VPN configurations
  • There is no need to expose a SCEP listener to the Internet.
  • Ivanti EPMM can detect and address revoked and expired certificates.

Uploading a Certificate Authority chain for SCEP enrollment configurations

With Ivanti EPMM 11.4.0.0 and later releases, you can upload a specific Certificate Authority (CA) chain for Simple Certificate Enrollment Protocol (SCEP) enrollment configurations. In some cases, the SCEP CA may send more CA certificates than you need. When you need to use a specific certificate chain, use this feature to upload that exact chain.

Before you begin 

  • You must have a valid SCEP enrollment configuration to use this feature. See Create the SCEP enrollment certificate. If you do not upload a CA chain, Ivanti EPMM continues its previous behavior of using the CA certificates directly acquired from the SCEP server.

    The option to upload the CA chain is available only for SCEP enrollment configurations. Certificate enrollment settings such as System - Mutual Auth CE setting use a local CA, which is already available on Ivanti EPMM.

  • Client mutual authentication must be enabled to use this feature. See Mutual authentication client identity certificate.

Procedure 

  1. From the Admin Portal, navigate to the Settings > System Settings > Security > Certificate Authentication > Client Mutual Certificate Authentication page.

  2. From the Certificate Enrollment Setting menu, select one of the SCEP enrollment configurations from the dropdown menu.

  3. Select the option to upload the CA certificate chain.

  4. After uploading the CA certificate chain, click Save.