
SCEP certificate configuration

The goal of this procedure is to configure a DigiCert® Trust Lifecycle Manager certificate profile that will work in conjunction with an Intune device configuration profile.

Table 1. Available certificate templates

  Trust Lifecycle Manager base template                    Seat type
  -------------------------------------------------------  ---------
  Device Authentication for Microsoft Intune (SCEP)        Device
  User Client Authentication for Microsoft Intune (SCEP)   User


In both cases, the DigiCert ONE certificate profile creation wizard defaults to the SCEP enrollment method and the Azure Auth authentication method. For the Azure Auth settings, enter the values obtained from the Azure Active Directory app registration:

  • Application ID

  • Application Key

  • Tenant Name

Once the certificate profile is created, you will configure a corresponding Intune Device configuration profile with the required values, settings, and the DigiCert SCEP URL for the specific certificate profile.

Note

The format of the SCEP URL that is consumed by the targeted device platforms varies.

The following table describes the form of the SCEP URL to be used by Intune supported device platforms:

Table 2. SCEP URL format

Device platform: iOS/iPadOS, Android, macOS
  Rules:    Use the default SCEP service endpoint exactly as displayed in the DigiCert certificate profile
            (including the trailing "/pkiclient.exe").
  Format:   https://<HOST>/mpki/api/v1/scep/<UUID>/cgi-bin/pkiclient.exe
  Example:  https://one.digicert.com/mpki/api/v1/scep/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/cgi-bin/pkiclient.exe

Device platform: Windows (User Store)
  Rules:    HTTPS required.
            Do not include "/pkiclient.exe" in the URL.
  Format:   https://<HOST>/mpki/api/v1/scep/<UUID>/cgi-bin
  Example:  https://one.digicert.com/mpki/api/v1/scep/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/cgi-bin

Device platform: Windows (Computer Store)
  Rules:    HTTPS supported but not required (prefer HTTPS wherever the device can reach the endpoint over it).
            Do not include "/pkiclient.exe" in the URL.
  Format:   https://<HOST>/mpki/api/v1/scep/<UUID>/cgi-bin
  Examples: http://one.digicert.com/mpki/api/v1/scep/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/cgi-bin
            or
            https://one.digicert.com/mpki/api/v1/scep/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/cgi-bin
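The platform rules in Table 2 are easy to get wrong when the same DigiCert profile is reused across several Intune profiles (a stray "/pkiclient.exe" on a Windows profile, or an http:// URL on a User Store profile, only shows up as an enrollment failure on the device). The following Python is an added example, not DigiCert's or Microsoft's code: it derives the URL to paste into each Intune profile from the endpoint displayed in the DigiCert certificate profile and checks a pasted URL against the rules for its platform. The platform keys, function names and the sample endpoint with its placeholder UUID are assumptions made for this example.

```python
"""Derive and check the Intune-side SCEP URL for each platform in Table 2.

Added example (not DigiCert's or Microsoft's code). It only rewrites the
trailing "/pkiclient.exe" and never silently changes the scheme, so an
http:// endpoint used where HTTPS is required is reported, not fixed.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# Path of the DigiCert SCEP service endpoint as shown in the certificate profile:
#   /mpki/api/v1/scep/<UUID>/cgi-bin[/pkiclient.exe]
_SCEP_PATH = re.compile(
    r"^/mpki/api/v1/scep/"
    r"(?P<uuid>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"
    r"/cgi-bin(?P<exe>/pkiclient\.exe)?$",
    re.IGNORECASE,
)

# platform key (assumed naming) -> (HTTPS required, keep "/pkiclient.exe"); rules from Table 2.
PLATFORM_RULES = {
    "ios": (True, True),                 # iOS/iPadOS: endpoint as displayed (https, with pkiclient.exe)
    "android": (True, True),
    "macos": (True, True),
    "windows_user": (True, False),       # User Store: HTTPS required, no pkiclient.exe
    "windows_computer": (False, False),  # Computer Store: HTTP or HTTPS, no pkiclient.exe
}


def check_scep_url(url: str, platform: str) -> list[str]:
    """Return the problems with `url` for `platform`; an empty list means it is acceptable."""
    if platform not in PLATFORM_RULES:
        raise ValueError(f"unknown platform {platform!r}")
    https_required, keep_exe = PLATFORM_RULES[platform]
    parts = urlsplit(url)
    problems = []
    if parts.scheme not in ("http", "https"):
        problems.append(f"scheme must be http or https, got {parts.scheme!r}")
    elif https_required and parts.scheme != "https":
        problems.append("HTTPS is required for this platform")
    if not parts.netloc:
        problems.append("missing host")
    if parts.query or parts.fragment:
        problems.append("URL must not carry a query string or fragment")
    m = _SCEP_PATH.match(parts.path)
    if not m:
        problems.append("path is not of the form /mpki/api/v1/scep/<UUID>/cgi-bin[/pkiclient.exe]")
    elif keep_exe and not m.group("exe"):
        problems.append('"/pkiclient.exe" must be present for this platform')
    elif not keep_exe and m.group("exe"):
        problems.append('"/pkiclient.exe" must not be included for this platform')
    return problems


def intune_scep_url(profile_endpoint: str, platform: str) -> str:
    """Rewrite the endpoint displayed in the DigiCert profile into the form Intune expects.

    Raises ValueError when the path is not a DigiCert SCEP endpoint or when the
    scheme is not allowed for the platform (e.g. http:// for the Windows User Store).
    """
    if platform not in PLATFORM_RULES:
        raise ValueError(f"unknown platform {platform!r}")
    https_required, keep_exe = PLATFORM_RULES[platform]
    parts = urlsplit(profile_endpoint)
    m = _SCEP_PATH.match(parts.path)
    if m is None:
        raise ValueError(f"not a DigiCert SCEP endpoint path: {parts.path!r}")
    if https_required and parts.scheme != "https":
        raise ValueError(f"{platform}: HTTPS required, got scheme {parts.scheme!r}")
    path = f"/mpki/api/v1/scep/{m.group('uuid')}/cgi-bin" + ("/pkiclient.exe" if keep_exe else "")
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def urls_for_all_platforms(profile_endpoint: str) -> dict[str, str]:
    """One Intune-ready URL per platform, derived from the same DigiCert profile endpoint."""
    return {platform: intune_scep_url(profile_endpoint, platform) for platform in PLATFORM_RULES}


# Constructed sample: placeholder UUID, not a real DigiCert profile.
SAMPLE_ENDPOINT = (
    "https://one.digicert.com/mpki/api/v1/scep/0f1e2d3c-4b5a-4697-8807-1a2b3c4d5e6f/cgi-bin/pkiclient.exe"
)

if __name__ == "__main__":
    for platform, url in urls_for_all_platforms(SAMPLE_ENDPOINT).items():
        print(f"{platform:17s} {url}")
    # A URL pasted into a Windows User Store profile without stripping the suffix:
    print(check_scep_url(SAMPLE_ENDPOINT, "windows_user"))
```

Run it once per DigiCert profile and paste the per-platform URLs it prints into the matching Intune SCEP profiles; run check_scep_url over URLs already configured in Intune when an enrollment fails with a URL-related error before looking elsewhere.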


More information specific to the DigiCert® Trust Lifecycle Manager use case can be found in the following sections and should be used in conjunction with the Microsoft documentation: Use SCEP certificate profiles with Microsoft Intune | Microsoft Docs.

The general workflow for creating an Intune Device configuration profile consists of the following sections:

  1. Basics

  2. Configuration settings

  3. Assignments

  4. Applicability Rules (Applies to Windows 10/11 only)

The following sections in this guide focus on the Configuration settings, which determine the certificate details and must match the corresponding DigiCert certificate profile.

For the other, non-certificate-related aspects (Basics, Assignments, Applicability Rules), refer to the Microsoft documentation.