To issue certificates with SCEP, you must create one or more SCEP certificate profiles in Microsoft Intune. A SCEP certificate profile defines various properties of a certificate issued to users or devices over SCEP, including the subject name format and subject alternative name extensions.

When configuring a SCEP certificate profile, you must provide the URL to the CEG Intune-SCEP Enrollment Service in Certificate Enrollment Gateway. Some other settings also require specific values to work with Windows Hello for Business.

To configure a SCEP certificate profile 

  1. Log in to the Microsoft Azure portal.
  2. Log in to Intune.
  3. Click Devices.
  4. Under Policy, click Device configuration.
  5. Click Create profile.
    The Create profile page appears.
  6. For Name, enter a unique name to identify the SCEP certificate profile.
  7. For Description, enter a description for the SCEP certificate profile.
  8. For Platform, select the device platform that will receive the SCEP certificate. To work with Windows Hello for Business, select Windows 10 and later.
  9. For Profile type, select SCEP certificate.
  10. In the SCEP Certificate pane, provide the information that will be included in the CSR (certificate signing request): 
    1. For Certificate type, select the type of certificate that will be issued.
    2. For Subject name format, enter the subject name format. To work with Windows Hello for Business, enter CN={{UserPrincipalName}}.
    3. For Subject alternative name, select the subject alternative name extensions that will be included in the CSR.
    4. For Certificate validity period, select a lifetime for the certificate—for example, 1 year.
      The validity period must not exceed the maximum validity period that is permitted by the Managed CA. For Entrust PKI as a Service, the maximum validity period is 3 years. For an on-premises Security Manager CA, see the Security Manager documentation for information about viewing or configuring the validity period.

      For iOS devices, the validity period will be defined by the Managed CA. iOS devices will ignore the validity period defined in the SCEP certificate profile. For Entrust PKI as a Service, the validity period for certificates issued to iOS devices will be 3 years.
    5. For Key storage provider (KSP), select a key storage provider. To work with Windows Hello for Business, select Enroll to Windows Hello for Business, otherwise fail.
    6. For Key usage, select a key usage for the certificate.
      Certificate Enrollment Gateway will ignore the key usage value set in the SCEP certificate profile. The certificate profile defined in CA Gateway controls the key usage of the certificate.

      The profile ID of the certificate profile is part of the SCEP Server URL. Ensure that the key usage defined in the SCEP certificate profile is compatible with the certificate profile defined in CA Gateway.
    7. For Key size (bits), select the size of the key in bits—for example, 2048.
    8. For Root Certificate, select a trusted root certificate profile that you created previously.
    9. For Hash Algorithm, select SHA-2. Certificate Enrollment Gateway supports only SHA-2 as the hash algorithm.
    10. For Extended key usage, add values for the certificate's intended purpose.
      • In most cases, the certificate requires Client Authentication so that the user or device can authenticate to a server.
      • To work with Windows Hello for Business, add Smart Card Logon (OID 1.3.6.1.4.1.311.20.2.2).
    11. For Renewal threshold (%), enter the percentage of the certificate lifetime that remains before the certificate should be renewed.
    12. For SCEP Server URLs, enter one of the following Certificate Enrollment Gateway URLs:

      Both forms of the Intune-SCEP enrollment URL require a trailing forward slash (/). To support macOS devices, use the URL that starts with http instead of https.
      https://<CEG-server>/scep/<tenant-ID>/<CA-ID>/<profile-ID>/intune/
      http://<CEG-server>/scep/<tenant-ID>/<CA-ID>/<profile-ID>/intune/

      See below for a description of each field. 

      For example:

      https://cegserver.example.com/scep/tenant1/example-ca1/intune-digital-signature/intune/
      http://cegserver.example.com/scep/tenant1/example-ca1/intune-digital-signature/intune/
    13. Enter values for any other settings as required.
  11. Click OK.
  12. Click Create to create the SCEP certificate profile.
  13. Click Assignments.
  14. For Include, select the Azure Active Directory groups you want to include with the certificate profile.
  15. For Exclude, select the Azure Active Directory groups you want to exclude from the certificate profile.
  16. Click Save.

<CEG-server>

The hostname or IP address of the Certificate Enrollment Gateway server.

<tenant-ID>

The unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.

<CA-ID>

The CA ID of the Certificate Authority (CA) defined in CA Gateway that will issue certificates to the SCEP client.

<profile-ID> 

The profile ID defined in CA Gateway that defines the certificate type issued to the SCEP client. For Entrust PKI as a Service, the profile ID is one of the following:

  • intune-digital-signature-key-encipherment
  • intune-digital-signature
  • intune-key-encipherment
  • intune-non-repudiation
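The procedure above and the URL field descriptions below it together define a handful of values that must agree with each other: the trailing slash and scheme of the SCEP Server URL, the profile ID it embeds, the key usage that the CA Gateway profile will actually enforce, and the Windows Hello for Business settings. The following script is an added example (not Entrust or Microsoft code) that builds a CEG Intune-SCEP URL and checks an Intune SCEP profile, modelled as a plain Python dataclass, against those rules before you assign it. The mapping from each Entrust PKI as a Service profile ID to the key-usage bits it issues is an assumption inferred from the profile names; the Client Authentication EKU OID (1.3.6.1.5.5.7.3.2) is the standard id-kp-clientAuth value and the Smart Card Logon OID is the one given in the procedure. The host, tenant, CA and profile names in the sample profile are constructed.

```python
"""Offline consistency checks for an Intune SCEP certificate profile that points
at the Certificate Enrollment Gateway (CEG) Intune-SCEP Enrollment Service.
Added example; not Entrust or Microsoft code."""
import re
from dataclasses import dataclass

CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"          # id-kp-clientAuth (standard OID)
SMART_CARD_LOGON_OID = "1.3.6.1.4.1.311.20.2.2"  # Smart Card Logon, from the procedure
WHFB_KSP = "Enroll to Windows Hello for Business, otherwise fail"
WHFB_SUBJECT = "CN={{UserPrincipalName}}"
PKIAAS_MAX_VALIDITY_YEARS = 3

# Assumption: key-usage bits implied by each PKI as a Service profile ID name.
# The IDs are from the page; the bit mapping is inferred from the names only.
PKIAAS_PROFILE_KEY_USAGE = {
    "intune-digital-signature-key-encipherment": {"digitalSignature", "keyEncipherment"},
    "intune-digital-signature": {"digitalSignature"},
    "intune-key-encipherment": {"keyEncipherment"},
    "intune-non-repudiation": {"nonRepudiation"},
}

# <scheme>://<CEG-server>/scep/<tenant-ID>/<CA-ID>/<profile-ID>/intune/
_URL_RE = re.compile(
    r"^(?P<scheme>https?)://(?P<server>[^/]+)/scep/"
    r"(?P<tenant>[^/]+)/(?P<ca>[^/]+)/(?P<profile>[^/]+)/intune(?P<slash>/?)$"
)


def build_scep_url(ceg_server, tenant_id, ca_id, profile_id, for_macos=False):
    """Build the CEG Intune-SCEP URL; macOS devices need the http form."""
    scheme = "http" if for_macos else "https"
    return f"{scheme}://{ceg_server}/scep/{tenant_id}/{ca_id}/{profile_id}/intune/"


def parse_scep_url(url):
    """Split a CEG Intune-SCEP URL into its fields (tenant ID is case-sensitive,
    so it is returned exactly as written)."""
    m = _URL_RE.match(url)
    if not m:
        raise ValueError(f"not a CEG Intune-SCEP URL: {url}")
    return m.groupdict()


@dataclass
class ScepProfile:
    """The Intune SCEP profile settings the checks below look at."""
    platform: str
    subject_name_format: str
    validity_years: int
    key_storage_provider: str
    key_usage: set
    key_size: int
    hash_algorithm: str
    extended_key_usages: set   # EKU OIDs
    scep_server_urls: list
    windows_hello: bool = False
    supports_macos: bool = False
    pkiaas: bool = True        # issuing CA is Entrust PKI as a Service


def check_profile(p):
    """Return a list of findings; an empty list means the profile is consistent."""
    findings = []
    if p.pkiaas and p.validity_years > PKIAAS_MAX_VALIDITY_YEARS:
        findings.append(f"validity {p.validity_years}y exceeds the PKIaaS maximum of "
                        f"{PKIAAS_MAX_VALIDITY_YEARS}y")
    if p.hash_algorithm != "SHA-2":
        findings.append("hash algorithm must be SHA-2; CEG supports only SHA-2")
    if CLIENT_AUTH_OID not in p.extended_key_usages:
        findings.append("EKU lacks Client Authentication; most deployments need it")
    if p.windows_hello:
        if p.platform != "Windows 10 and later":
            findings.append("Windows Hello for Business needs platform 'Windows 10 and later'")
        if p.subject_name_format != WHFB_SUBJECT:
            findings.append(f"Windows Hello for Business needs subject {WHFB_SUBJECT}")
        if p.key_storage_provider != WHFB_KSP:
            findings.append(f"Windows Hello for Business needs KSP '{WHFB_KSP}'")
        if SMART_CARD_LOGON_OID not in p.extended_key_usages:
            findings.append(f"Windows Hello for Business needs EKU Smart Card Logon "
                            f"({SMART_CARD_LOGON_OID})")
    if not p.scep_server_urls:
        findings.append("no SCEP Server URL configured")
    for url in p.scep_server_urls:
        try:
            parts = parse_scep_url(url)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if parts["slash"] != "/":
            findings.append(f"URL must end with a trailing slash: {url}")
        if p.supports_macos and parts["scheme"] != "http":
            findings.append(f"macOS devices require the http:// form of the URL: {url}")
        if not p.supports_macos and parts["scheme"] != "https":
            findings.append(f"use the https:// form unless macOS support is required: {url}")
        if p.pkiaas:
            allowed = PKIAAS_PROFILE_KEY_USAGE.get(parts["profile"])
            if allowed is None:
                findings.append(f"unknown PKIaaS profile ID {parts['profile']!r} in {url}")
            elif not p.key_usage <= allowed:
                # CEG ignores the Intune key usage; the CA Gateway profile decides,
                # so a mismatch means the issued certificate will not match the profile.
                findings.append(f"Intune key usage {sorted(p.key_usage)} is not compatible "
                                f"with CA Gateway profile {parts['profile']!r}")
    return findings


def example_whfb_profile():
    """Constructed sample: a Windows Hello for Business profile that should pass."""
    return ScepProfile(
        platform="Windows 10 and later",
        subject_name_format=WHFB_SUBJECT,
        validity_years=1,
        key_storage_provider=WHFB_KSP,
        key_usage={"digitalSignature"},
        key_size=2048,
        hash_algorithm="SHA-2",
        extended_key_usages={CLIENT_AUTH_OID, SMART_CARD_LOGON_OID},
        scep_server_urls=[build_scep_url("cegserver.example.com", "tenant1",
                                         "example-ca1", "intune-digital-signature")],
        windows_hello=True,
    )


if __name__ == "__main__":
    for finding in check_profile(example_whfb_profile()) or ["profile is consistent"]:
        print(finding)
```

Run it against the profile you are about to create: every finding corresponds to one of the rules in the procedure (trailing slash, http for macOS, SHA-2, the three Windows Hello for Business values, and the CA Gateway profile ID that actually decides the key usage), so an empty result means the portal values and the URL agree before any device enrolls.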