
SCEP certificate configuration

The goal of this procedure is to configure a DigiCert® Trust Lifecycle Manager certificate profile that will work in conjunction with an Intune device configuration profile.

DigiCert certificate profiles

Use the following base templates to create certificate profiles in Trust Lifecycle Manager for issuing Intune authentication certificates via SCEP.

| Base template | Seat type |
| --- | --- |
| Device Authentication for Microsoft Intune (SCEP) | Device |
| User Client Authentication for Microsoft Intune (SCEP) | User |

  • For these base templates, the profile creation wizard defaults to the SCEP enrollment method and Azure Auth authentication method.

  • In the Authentication method section, select the Microsoft Intune connector for the Intune tenant that will request certificates from Trust Lifecycle Manager via its SCEP service.

  • Once the certificate profile is created in Trust Lifecycle Manager, you will receive a corresponding SCEP Server URL that can be used to issue certificates from that profile via SCEP. You will need this to configure the corresponding device configuration profiles in Intune to get certificates from this DigiCert certificate profile.

SCEP URL formats

The following table describes the format of the SCEP URL to be used by Intune-supported device platforms.

| Device platform | DigiCert SCEP Server URL format | Example |
| --- | --- | --- |
| iOS/iPadOS, Android, macOS | Use the default SCEP service endpoint as displayed in the DigiCert Certificate Profile: https://<HOST>/mpki/api/v1/scep/<UUID>/cgi-bin/pkiclient.exe | https://one.digicert.com/mpki/api/v1/scep/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/cgi-bin/pkiclient.exe |
| Windows (User Store) | HTTPS required. Do not include "/pkiclient.exe" in URL: https://<HOST>/mpki/api/v1/scep/<UUID>/cgi-bin | https://one.digicert.com/mpki/api/v1/scep/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/cgi-bin |
| Windows (Computer Store) | HTTPS supported but not required. Do not include "/pkiclient.exe" in URL: https://<HOST>/mpki/api/v1/scep/<UUID>/cgi-bin | http://one.digicert.com/mpki/api/v1/scep/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/cgi-bin or https://one.digicert.com/mpki/api/v1/scep/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/cgi-bin |
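As an added example (not DigiCert or Microsoft code), the following Python check applies the per-platform rules from the table above to a SCEP Server URL before it is entered in an Intune profile. The platform keys, the function name and the assumption that `<UUID>` is a standard 8-4-4-4-12 hexadecimal UUID are illustrative; requiring `https` for iOS/iPadOS, Android and macOS follows the format column.

```python
import re
from urllib.parse import urlsplit

# Assumption: <UUID> is a standard 8-4-4-4-12 hexadecimal UUID.
UUID_RE = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
# Path layout from the table; the /pkiclient.exe suffix is captured separately.
PATH_RE = re.compile(rf"/mpki/api/v1/scep/{UUID_RE}/cgi-bin(?P<client>/pkiclient\.exe)?")

# Hypothetical platform key -> (allowed schemes, path must end in /pkiclient.exe)
RULES = {
    "ios": ({"https"}, True),
    "android": ({"https"}, True),
    "macos": ({"https"}, True),
    "windows-user": ({"https"}, False),              # HTTPS required
    "windows-computer": ({"http", "https"}, False),  # HTTPS supported, not required
}

def check_scep_url(platform, url):
    """Return a list of problems; an empty list means the URL fits the platform's row."""
    schemes, needs_client = RULES[platform]
    parts = urlsplit(url.strip())
    problems = []
    if parts.scheme.lower() not in schemes:
        problems.append(f"scheme must be one of {sorted(schemes)}")
    if not parts.hostname:
        problems.append("missing host")
    if parts.query or parts.fragment:
        problems.append("unexpected query string or fragment")
    match = PATH_RE.fullmatch(parts.path)
    if not match:
        problems.append("path is not /mpki/api/v1/scep/<UUID>/cgi-bin[/pkiclient.exe]")
    elif needs_client and not match.group("client"):
        problems.append("path must end in /cgi-bin/pkiclient.exe")
    elif not needs_client and match.group("client"):
        problems.append('remove "/pkiclient.exe" from the URL')
    return problems

if __name__ == "__main__":
    # Constructed sample: host from the table's example, UUID made up for illustration.
    sample = "http://one.digicert.com/mpki/api/v1/scep/0f8fad5b-d9cb-469f-a165-70867728950e/cgi-bin"
    for platform in RULES:
        print(platform, check_scep_url(platform, sample) or "OK")
```
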

Microsoft Intune device configuration profiles

More information specific to the DigiCert® Trust Lifecycle Manager use case can be found in the following sections and should be used in conjunction with the Microsoft documentation: Use SCEP certificate profiles with Microsoft Intune | Microsoft Docs.

The general workflow for creating an Intune device configuration profile consists of the following sections:

  1. Basics

  2. Configuration settings

  3. Assignments

  4. Applicability Rules (Applies to Windows 10/11 only)

The following sections in this guide focus on the Configuration settings, which determine the certificate details in conjunction with the corresponding certificate profile. For other aspects not related to certificates, refer to the Microsoft documentation.