SCEP with Intune

Configuration of SCEP, a protocol that simplifies certificate deployment

The Simple Certificate Enrollment Protocol (SCEP) is a protocol that allows devices to easily enroll for a certificate by using a URL and a shared secret to communicate with a PKI.

This is an example of setting up SCEP with IronWiFi and Microsoft Intune.

What do you need?

  • owner_id - the unique identifier of your IronWiFi account. It can be found in the URL when you are logged in and looks similar to abcdefg12345678 or domain-abcd1234
  • region - the region where your data resides and authentication requests are processed, e.g. us-east1, console, asia-northeast1
  • SCEP Server URL - build the URL in this format: https://{{region}}.ironwifi.com/api/{{owner_id}}/certificates/scep

    Note that for Windows profiles, the trailing "/scep" must be removed, because the Intune application appends it automatically: https://{{region}}.ironwifi.com/api/{{owner_id}}/certificates

  • IronWiFi CA Certificate - certificate of the CA that signs the certificate signing requests (CSRs). This can be downloaded from this link

  • Trusted IronWiFi Server Certificate - server certificate signed by a trusted CA. This file can be downloaded from this link
  • Comodo CA Certificate - certificate of the CA that signed our RADIUS server certificates. This can be downloaded from this link

!Note! Your users must exist in the IronWiFi console, or the SCEP connector's User Auto-Creation option must be enabled, for this to work.

  1. Sign in to the IronWiFi Management Console and create a SCEP connector - click on Users -> Connectors -> New Connector

2. Sign in to the Microsoft Intune management console

3. Navigate to Devices > Configuration Profiles

4. Click Create Policy and choose the option to create a new Trusted Certificate profile with the following configuration options:

  • Certificate file - ironwifi.crt (This can be downloaded from this link)
  • Destination store - Computer certificate store - Root

5. Create another Policy, select profile type Trusted Certificate and use the following configuration options:

  • Certificate file - ironwifi_trusted.crt (This file can be downloaded from this link)
  • Destination store - Computer certificate store - Root

6. Create a new SCEP certificate profile with the following configuration options:

  • Profile Type - SCEP Certificate
  • Certificate type - User
  • Subject name format - CN={{SerialNumber}},O={{owner_id}},L={{region}}
  • Subject alternative name - Email address = {{UserPrincipalName}}
  • Certificate validity period - 180 Days
  • Key storage provider (KSP) - Enroll to Software KSP
  • Key usage - Key encipherment, Digital signature
  • Key size (bits) - 1024
  • Hash algorithm - SHA-1, SHA-2
  • Root Certificate - Your trusted certificate profile created in the fourth step
  • Extended key usage -
    Name: Client authentication
    Object Identifier: 1.3.6.1.5.5.7.3.2
    Predefined values: Client Authentication
  • Renewal threshold (%) - 50
  • SCEP Server URL - https://{{region}}.ironwifi.com/api/{{owner_id}}/certificates/scep

7. Create a new Wi-Fi profile with the following configuration options:

  • Profile Type - Wi-Fi
  • Connect to more preferred network if available - No
  • Wi-Fi type - Enterprise
  • Wi-Fi name - Your SSID
  • Connection name - Your connection name
  • Connect automatically when in range - Yes
  • Connect to this network, even when it is not broadcasting its SSID - Yes
  • Metered Connection Limit - Unrestricted
  • Force Wi-Fi profile to be compliant with the Federal Information Processing Standard (FIPS) - No
  • Company proxy settings - none
  • Single sign-on (SSO) - Disable
  • EAP type - EAP-TLS
  • Certificate server names - radius.ironwifi.com
  • Root certificates for server validation - The trusted certificate created in the fifth step
  • Authentication method - SCEP certificate
  • Client certificate for client authentication (identity certificate) - Your SCEP certificate profile created in the sixth step

You should now see 4 configuration profiles under Devices in your Microsoft Endpoint Manager admin center.
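The following helpers are an added example, not IronWiFi's or Microsoft's code. They build the SCEP Server URL for the two profile platforms (applying the Windows "/scep" rule from the prerequisites), read a SCEP GetCACaps reply to decide which Hash algorithm boxes the CA can actually serve, and check an enrolled certificate against the subject, SAN and EKU settings of step 6. The owner_id pattern is an assumption drawn from the two sample forms shown above; the GetCACaps body and the certificate fields in the test are constructed.

```python
# Added example: checks for the IronWiFi/Intune SCEP settings described above.
# Not IronWiFi or Microsoft code. URL layout and the Windows "/scep" rule come
# from the setup notes; the owner_id pattern is an assumption based on the two
# sample forms shown (abcdefg12345678, domain-abcd1234).
import re

OWNER_ID_RE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)?$")   # assumed shape of an owner id
REGION_RE = re.compile(r"^[a-z0-9-]+$")                   # e.g. us-east1, console, asia-northeast1
CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"                     # Extended key usage from step 6
SHA2_CAPS = {"SHA-256", "SHA-512"}                        # GetCACaps keywords, RFC 8894 3.5.2


def scep_server_url(region: str, owner_id: str, windows: bool = False) -> str:
    """Build the SCEP Server URL for a profile. Windows profiles drop the
    trailing /scep because the Intune client appends it itself."""
    if not OWNER_ID_RE.match(owner_id):
        raise ValueError(f"owner_id does not look like an IronWiFi owner id: {owner_id!r}")
    if not REGION_RE.match(region):
        raise ValueError(f"region does not look like an IronWiFi region: {region!r}")
    base = f"https://{region}.ironwifi.com/api/{owner_id}/certificates"
    return base if windows else base + "/scep"


def parse_ca_caps(body: str) -> set:
    """Parse the plain-text body of a GetCACaps reply: one capability per line."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def profile_hash_algorithms(caps: set) -> list:
    """Which 'Hash algorithm' options the CA can serve: SHA-2 only if it advertises
    SHA-256 or SHA-512, SHA-1 only if it advertises SHA-1."""
    chosen = []
    if caps & SHA2_CAPS:
        chosen.append("SHA-2")
    if "SHA-1" in caps:
        chosen.append("SHA-1")
    return chosen


def issued_cert_matches_profile(subject: str, san_emails: list, eku_oids: list,
                                owner_id: str, region: str, upn: str) -> bool:
    """Check an enrolled certificate against step 6: CN={{SerialNumber}},
    O={{owner_id}},L={{region}}, SAN email = UPN, Client Authentication EKU.
    The subject string is assumed to contain no escaped commas."""
    rdns = {}
    for rdn in subject.split(","):
        key, _, value = rdn.partition("=")
        rdns[key.strip().upper()] = value.strip()
    return (bool(rdns.get("CN")) and rdns.get("O") == owner_id
            and rdns.get("L") == region and upn in san_emails
            and CLIENT_AUTH_EKU in eku_oids)
```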