SCEPman
This page describes the controls related to the connectivity to the SCEPman PKI as a service.
SCEPman Identity & Keys

Common Name
The SCEPman CA root certificate’s subject name displayed in the UI. This is the identity that will appear in issued certificates (e.g., Trusted Root CA).
Organization
Organisation name used in the CA’s distinguished name.
Use your own Key Vault
This control allows you to bring an existing Azure Key Vault to store CA keys and secrets securely rather than letting SCEPman generate/manage them.
Tenant Connection
This controls how SCEPman connects to your Azure/Intune tenant (required when using SCEPman with Intune):
No tenant OAuth connection configured yet.

Connects SCEPman with Entra ID via a delegated admin consent.

Allows customising your own Entra ID app registration for SCEPman permissions.

Settings
These settings correspond to configurable SCEPman environment variables that determine how SCEPman behaves.

Remote Debug
Enables remote debug logging for support/troubleshooting. Learn more.
Default Extended Key Usage
EKU that certificates issued via Certificate Master should include (e.g., ServerAuthentication). This usually influences what purposes issued certs can be used for (e.g., TLS).
Validity Period Days
Default maximum lifetime of certificates issued via Certificate Master (global maximum can be configured separately). Learn more.

CRL
Enables CRL support for your SCEPman instance. Learn more.
Intune Validation
Enables Intune-specific OCSP behaviour in SCEPman (multiple related features).
Validity Period Days
This setting further reduces the global ValidityPeriodDays for the Intune endpoint.
Compliance Check
When SCEPman receives an OCSP request, SCEPman can optionally check the device compliance state. Learn more.
Compliance Grace Period Minutes
This setting defines a grace period in minutes during which the device is considered compliant, even if it is not yet. Learn more.
Device Directory
Determines where to look up devices on OCSP requests for device certificates. Learn more.

Jamf Validation
When enabled, SCEPman will expose an endpoint (/jamf) that allows Jamf Pro-managed devices to enrol certificates that support automatic revocation. Learn more.
Static Validation
Enables the /static SCEP endpoint for non-Intune/Jamf Pro MDM systems. It furthermore allows issuing certificates to systems that don’t have MDM integration by using a static challenge password. Learn more.
Default Extended Key Usage
OIDs of the extended key usages (EKUs) that are added by default to the certificate if the Jamf Pro or Static endpoint is used. Learn more.
Request Password
A challenge password that Jamf Pro or other MDM systems must include in every SCEP request to acquire a certificate. Learn more.
Client ID and Client Secret
ClientID and ClientSecret are required to establish a connection to the Jamf Pro backend via its API and are an alternative to APIUsername and APIPassword. Learn more.
Allow Renewals
This allows using the RenewalReq operation on this SCEP endpoint. Learn more.

Static-AAD Validation
If enabled, SCEPman will expose an endpoint (/static/aad) through which clients managed via MDM systems other than Intune/Jamf Pro can request certificates that are bound to an Entra ID user object, allowing for automatic revocation of such certificates based on the state/presence of the corresponding Entra ID user object. It requires your MDM to support the sync of user objects from Entra ID. Learn more.
DC Validation
When enabled, SCEPman will expose an endpoint (/dc) to issue Domain Controller certificates (e.g., Kerberos authentication certs) with a challenge password. Learn more.
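The settings above interact: the Intune Validity Period Days only ever reduces the global ValidityPeriodDays, and the /static and /jamf endpoints are guarded by the Request Password that every SCEP request must carry. The following lint is an added example (not SCEPman's code and not its real environment-variable names; the key names and thresholds are assumptions that mirror this page's UI labels) that computes the effective certificate lifetime per endpoint and flags configurations where an endpoint is exposed without a challenge password, CRL publishing is off, remote debug logging is left on, or the compliance grace period is long enough to undermine the OCSP compliance check.

```python
"""Policy lint over a SCEPman-style settings map.

Added example, not SCEPman's code. The settings map below is constructed for
this example; its key names mirror the UI labels on the settings page, not
SCEPman's actual environment-variable names.
"""
from dataclasses import dataclass
from typing import Any, Optional

# Constructed sample configuration: one global value plus per-endpoint blocks.
EXAMPLE_SETTINGS: dict = {
    "ValidityPeriodDays": 730,          # global maximum for Certificate Master
    "CRL": False,                       # CRL support switched off
    "RemoteDebug": True,                # support-only logging left enabled
    "IntuneValidation": {
        "Enabled": True,
        "ValidityPeriodDays": 365,      # further reduces the global value
        "ComplianceCheck": True,
        "ComplianceGracePeriodMinutes": 2880,
    },
    "StaticValidation": {
        "Enabled": True,
        "RequestPassword": "",          # missing: every static request must carry it
        "AllowRenewals": True,
    },
    "JamfValidation": {"Enabled": False},
}

# Example thresholds chosen for this lint; they are not SCEPman defaults.
MAX_GRACE_MINUTES = 24 * 60
MIN_PASSWORD_LEN = 16


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium", "low" or "info"
    setting: str
    message: str


def effective_validity_days(settings: dict, endpoint: Optional[str] = None) -> int:
    """Longest lifetime a certificate from `endpoint` can get.

    The endpoint's own ValidityPeriodDays can only cap the global value; a
    larger endpoint value has no effect. A disabled endpoint issues nothing.
    """
    global_days = int(settings["ValidityPeriodDays"])
    if endpoint is None:
        return global_days
    block: dict = settings.get(endpoint, {})
    if not block.get("Enabled"):
        return 0
    endpoint_days = block.get("ValidityPeriodDays")
    if endpoint_days is None:
        return global_days
    return min(global_days, int(endpoint_days))


def lint(settings: dict) -> list:
    """Return the policy findings for a settings map."""
    findings = []
    if settings.get("RemoteDebug"):
        findings.append(Finding("info", "RemoteDebug",
                                "remote debug logging is on; meant for support sessions only"))
    if not settings.get("CRL"):
        findings.append(Finding("medium", "CRL",
                                "CRL support is off; CRL-checking relying parties see no revocations"))

    intune: dict = settings.get("IntuneValidation", {})
    if intune.get("Enabled"):
        ep_days = intune.get("ValidityPeriodDays")
        if ep_days is not None and int(ep_days) > int(settings["ValidityPeriodDays"]):
            findings.append(Finding("low", "IntuneValidation.ValidityPeriodDays",
                                    "exceeds the global ValidityPeriodDays and therefore has no effect"))
        grace = int(intune.get("ComplianceGracePeriodMinutes", 0))
        if intune.get("ComplianceCheck") and grace > MAX_GRACE_MINUTES:
            findings.append(Finding("medium", "IntuneValidation.ComplianceGracePeriodMinutes",
                                    f"{grace} min treats not-yet-compliant devices as compliant "
                                    f"for longer than the example threshold of {MAX_GRACE_MINUTES} min"))

    # Both the /static and /jamf endpoints rely on the Request Password.
    for name in ("StaticValidation", "JamfValidation"):
        block: dict = settings.get(name, {})
        if not block.get("Enabled"):
            continue
        password = block.get("RequestPassword") or ""
        if not password:
            findings.append(Finding("high", f"{name}.RequestPassword",
                                    "endpoint is enabled without a challenge password"))
        elif len(password) < MIN_PASSWORD_LEN:
            findings.append(Finding("medium", f"{name}.RequestPassword",
                                    f"challenge password shorter than {MIN_PASSWORD_LEN} characters"))
    return findings


if __name__ == "__main__":
    for ep in (None, "IntuneValidation", "StaticValidation", "JamfValidation"):
        print(f"{ep or 'CertificateMaster'}: {effective_validity_days(EXAMPLE_SETTINGS, ep)} days")
    for f in lint(EXAMPLE_SETTINGS):
        print(f"[{f.severity}] {f.setting}: {f.message}")
```

Run against the constructed sample, the lint reports the empty static challenge password as the one high-severity finding, and the effective lifetime for the Intune endpoint comes out as 365 days while Certificate Master and the static endpoint keep the global 730 days.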