SCEP with Intune

Configuration of SCEP - protocol that simplifies certificate deployment

The Simple Certificate Enrollment Protocol (SCEP) is a protocol that allows devices to easily enroll for a certificate by using a URL and a shared secret to communicate with a PKI. The following instructions explain how to set up SCEP and IronWiFi with Microsoft Intune.

What do you need?

  • owner_id - the unique identifier of your IronWiFi account. It can be found in the URL when you're logged in and looks similar to abcdefg12345678 or domain-abcd1234
  • region - the region where your data resides and authentication requests are processed, e.g. us-east1, console, asia-northeast1
  • SCEP Server URL - build the URL in this format - https://{{region}}.ironwifi.com/api/{{owner_id}}/certificates/scep.

    Note that for Windows profiles, "/scep" needs to be removed since it is appended by the Intune application automatically - https://{{region}}.ironwifi.com/api/{{owner_id}}/certificates

  • IronWiFi CA Certificate - certificate of the CA signing the CSR requests. This can be downloaded from this link

  • Trusted IronWiFi Server Certificate - server certificate signed by a trusted CA. This file can be downloaded from this link
  • Comodo CA Certificate - certificate of the CA that signed our RADIUS server certificates. This can be downloaded from this link
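Before pasting the URL into Intune it is worth confirming that it is built the way the list above describes and that the endpoint answers. The following PowerShell is an added example, not IronWiFi's or Microsoft's code: it assembles the SCEP URL from region and owner_id (with the Windows variant that drops "/scep"), rejects owner ids that do not match the two shapes shown above, and then sends the standard SCEP GetCACaps query (RFC 8894) to see which capabilities the server advertises, in particular whether SHA-256 is offered so the profile does not have to rely on SHA-1. The region and owner id in the usage lines are placeholders.

```powershell
# Added example (not IronWiFi's or Microsoft's code): build the IronWiFi SCEP URL
# and probe it with the SCEP GetCACaps operation. Values below are placeholders.
function Get-IronWiFiScepUrl {
    param(
        [Parameter(Mandatory)] [string] $Region,
        [Parameter(Mandatory)] [string] $OwnerId,
        # Windows profiles omit the trailing "/scep"; Intune appends it itself.
        [switch] $WindowsProfile
    )
    # owner_id looks like "abcdefg12345678" or "domain-abcd1234"; anything else
    # is almost certainly a copy/paste mistake, so fail early and loudly.
    if ($OwnerId -notmatch '^(domain-)?[A-Za-z0-9]+$') {
        throw "owner_id '$OwnerId' does not look like an IronWiFi owner id"
    }
    $base = "https://$Region.ironwifi.com/api/$OwnerId/certificates"
    if ($WindowsProfile) { return $base }
    return "$base/scep"
}

function Test-ScepCaCaps {
    param([Parameter(Mandatory)] [string] $ScepUrl)
    # GetCACaps (RFC 8894 section 3.5.2) returns one capability per line as text/plain.
    # ${ScepUrl} is braced so PowerShell does not read "?" as part of the variable name.
    $body = Invoke-RestMethod -Uri "${ScepUrl}?operation=GetCACaps" -Method Get
    $caps = ($body -split "`r?`n") | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    [pscustomobject]@{
        Url            = $ScepUrl
        Capabilities   = $caps
        SupportsSha256 = [bool]($caps -contains 'SHA-256')
        SupportsPost   = [bool]($caps -contains 'POSTPKIOperation')
    }
}

# Usage with placeholder values; always probe the full ".../scep" URL, since that
# is the endpoint Intune ends up talking to even for Windows profiles.
$url = Get-IronWiFiScepUrl -Region 'us-east1' -OwnerId 'abcdefg12345678'
Write-Host "Windows profile URL: $(Get-IronWiFiScepUrl -Region 'us-east1' -OwnerId 'abcdefg12345678' -WindowsProfile)"
Test-ScepCaCaps -ScepUrl $url | Format-List
```

If SupportsSha256 comes back false, the profile's "Hash algorithm" choice will matter more than usual, because SHA-1 is then the only option the server will negotiate.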

!Note! Your users must exist in the IronWiFi console or the SCEP connector's User Auto-Creation option must be enabled for this to work

  1. Sign in to the IronWiFi Management Console and create a SCEP connector: click Users -> Connectors -> Add New.

  2. Sign in to the Microsoft Intune management console and create a new Trusted Certificate profile with the following configuration options:
     • Certificate file - ironwifi.crt
     • Destination store - Computer certificate store - Root

  3. Create a second Trusted Certificate profile with the following configuration options:
     • Certificate file - ironwifi_trusted.crt
     • Destination store - Computer certificate store - Root

  4. Create a new SCEP certificate profile with the following configuration options:
     • Profile Type - SCEP Certificate
     • Certificate type - User
     • Subject name format - CN={{SerialNumber}},O={{owner_id}},L={{region}}
     • Subject alternative name - Email address = {{UserPrincipalName}}
     • Certificate validity period - 10 Days
     • Key storage provider (KSP) - Enroll to Software KSP
     • Key usage - Key encipherment, Digital signature
     • Key size (bits) - 1024
     • Hash algorithm - SHA-1, SHA-2
     • Root Certificate - the Trusted Certificate profile for ironwifi.crt (step 2)
     • Extended key usage:
         Name                    Object Identifier    Predefined values
         Client authentication   1.3.6.1.5.5.7.3.2    Client Authentication
     • Renewal threshold (%) - 20
     • SCEP Server URLs - https://{{region}}.ironwifi.com/api/{{owner_id}}/certificates/scep (for Windows profiles, omit the trailing "/scep" as noted above)

  5. Create a new Wi-Fi profile with the following configuration options:
     • Profile Type - Wi-Fi
     • Connect to more preferred network if available - No
     • Wi-Fi type - Enterprise
     • Wi-Fi name - Your SSID
     • Connection name - Your connection name
     • Connect automatically when in range - Yes
     • Connect to this network, even when it is not broadcasting its SSID - Yes
     • Metered Connection Limit - Unrestricted
     • Force Wi-Fi profile to be compliant with the Federal Information Processing Standard (FIPS) - No
     • Company proxy settings - None
     • Single sign-on (SSO) - Disable
     • EAP type - EAP-TLS
     • Certificate server names - radius.ironwifi.com
     • Root certificates for server validation - the Trusted Certificate profile for ironwifi_trusted.crt (step 3)
     • Authentication method - SCEP certificate
     • Client certificate for client authentication (identity certificate) - the SCEP certificate profile (step 4)

You should now see 4 profiles under Devices in your Microsoft Endpoint Manager admin center
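Once a device has picked up the profiles, the quickest way to confirm that enrollment actually produced what the SCEP profile asked for is to inspect the issued certificate on the device. The PowerShell below is an added example, not IronWiFi's or Microsoft's code. It assumes the certificate landed in the user's personal store (the profile's "Certificate type - User") and carries the owner id and region in O= and L= as the subject name format above prescribes; the owner id and region passed in are placeholders. For each matching certificate it reports the subject, the RFC822 SAN, whether the Client Authentication EKU (1.3.6.1.5.5.7.3.2) is present, the key usage bits, the validity window, key size and signature algorithm, and flags certificates whose key is shorter than 2048 bits or whose signature uses SHA-1, so that the 1024-bit / SHA-1 settings in the profile get a deliberate review rather than silent acceptance.

```powershell
# Added example (not IronWiFi's or Microsoft's code): verify the SCEP-issued
# certificate on an enrolled Windows device against the profile settings above.
function Test-IronWiFiScepCertificate {
    param(
        [Parameter(Mandatory)] [string] $OwnerId,
        [Parameter(Mandatory)] [string] $Region,
        # "Certificate type - User" puts the certificate in the user's personal store.
        [string] $StorePath = 'Cert:\CurrentUser\My'
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $ownerPattern  = 'O=' + [regex]::Escape($OwnerId)
    $regionPattern = 'L=' + [regex]::Escape($Region)

    # Subject name format is CN={{SerialNumber}},O={{owner_id}},L={{region}},
    # so O= and L= identify certificates issued through this profile.
    $certs = Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -match $ownerPattern -and $_.Subject -match $regionPattern }
    if (-not $certs) {
        Write-Warning "No certificate with $ownerPattern and $regionPattern found in $StorePath"
        return
    }

    foreach ($cert in $certs) {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
        $ku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }   # keyUsage
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # extendedKeyUsage
        $sigAlg = $cert.SignatureAlgorithm.FriendlyName                            # e.g. sha256RSA / sha1RSA
        $keyBits = $(if ($rsa) { $rsa.KeySize } else { $null })

        [pscustomobject]@{
            Subject          = $cert.Subject
            SubjectAltName   = $(if ($san) { $san.Format($false) } else { '<none>' })
            HasClientAuthEku = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid }))
            KeyUsage         = $(if ($ku) { $ku.KeyUsages.ToString() } else { '<none>' })
            # Profile asks for 10 days; compare NotBefore/NotAfter rather than trusting the portal.
            ValidityDays     = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays)
            ExpiresIn        = $cert.NotAfter - (Get-Date)
            HasPrivateKey    = $cert.HasPrivateKey            # Software KSP should leave this true
            KeySizeBits      = $keyBits
            SignatureAlg     = $sigAlg
            # 1024-bit RSA and SHA-1 signatures are below current practice; surface them.
            WeakCrypto       = (($keyBits -ne $null) -and ($keyBits -lt 2048)) -or ($sigAlg -match 'sha1')
        }
    }
}

# Usage with placeholder values:
Test-IronWiFiScepCertificate -OwnerId 'abcdefg12345678' -Region 'us-east1' | Format-List
```

Run it in the signed-in user's context, since the store path is CurrentUser; a WeakCrypto of True is expected with the profile values listed above and is the prompt to decide whether 1024-bit keys and SHA-1 are acceptable for your deployment.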

In Microsoft Intune, your settings should look like below.
