Intune SCEP with Joy – Learn how to use unique certificate templates to deploy different SCEP certificates within the same environment…

0
Unique SCEP cert deployement using unique templates - Intune PKI Made Easy With Joy

There may be a scenario where you require to use different templates to deploy different SCEP certificates to your Intune managed endpoints. For example, you may have a requirement where

  • SCEP certificate deployed to group A to use template A and that for group B to use template B.
  • Unique SCEP certificate to be deployed for the different profiles – Email, VPN, and Wi-Fi.

The above has been always a supported scenario and is in use in many enterprise environments.

Understanding the Logic

The primary use case of a SCEP certificate is to serve client authentication, determined by the Extended Key Usage (EKU) parameter.

That is why the SCEP certificate template configured in CA must have Client Auth added to its EKU.

The primary use-case for a SCEP certificate is to aid cert based authentication which is determined by the Extended Key Usage (EKU) of the certificate. Requires to have Client Authentication EKU.
The primary use-case for a SCEP certificate is to aid cert based authentication which is determined by the Extended Key Usage (EKU) of the certificate. Requires to have Client Auth EKU.

You define the same while configuring the SCEP certificate profile from Intune.

Extended Key Usage value needs to be specified while configuring SCEP profile in Intune
Extended Key Usage value needs to be specified while configuring SCEP profile in Intune

Note: Selecting EKU as Any Purpose suffices for the obtained certificate to be used for auth purpose, as long as the certificate template used for creating the certificate has Client Authentication selected in its EKU.

However, the template that NDES (SCEP service) will use to make the on-behalf certificate request to the CA is determined based on the value of the Key Usage parameter of the Certificate Signing Request (CSR) that the device sends to the SCEP service, upon receiving the instructions from Intune as part of the SCEP payload.

Value of the Key Usage parameter helps SCEP service to determine the template to use to make the on-behalf cert request to CA
Value of the Key Usage parameter helps SCEP service to determine the template to use to make the on-behalf cert request to CA

When SCEP service receives the certificate request from a device, it inspects the CSR to get the value for Key Usage parameter and based on it determines the template to be used for making the certificate request to CA on-behalf, as defined in the reg_keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP.

SCEP service retrieves the Key Usage value from the CSR and uses it to determine the template to use as defined in the MSCEP registry.
SCEP service retrieves the Key Usage value from the CSR and uses it to determine the template to use as defined in the MSCEP registry.

While configuring the SCEP certificate profile in Intune, based on the selection of Key Usage

  • Digital signature (=SignatureTemplate in MSCEP reg)
  • Key encipherment (=EncryptionTemplate in MSCEP reg)
  • Digital signature and Key encipherment (=GeneralPurposeTemplate in MSCEP reg)

you can choose to configure SCEP certificate deployment for specific purposes using up to 3 unique certificate templates configured in your CA. 

Proof Of Concept

I have configured 3 unique SCEP profiles in my test tenant and have made 3 unique assignment as can be seen from the snaps below.

  • Intune SCEP with Joy - Learn how to use unique certificate templates to deploy different SCEP certificates within the same environment... 1
  • Intune SCEP with Joy - Learn how to use unique certificate templates to deploy different SCEP certificates within the same environment... 2
  • Intune SCEP with Joy - Learn how to use unique certificate templates to deploy different SCEP certificates within the same environment... 3

NOTE: There is an important validation step of Effective Group Association calculation carried out in the backend (Azure AD functionality) when you make active assignment of a SCEP profile from Intune. This checks and determines the association of the SCEP profile with the Trusted Certificate profile (for Root CA cert or Issuing CA cert based on your PKI infrastructure) defined within the profile. If this check fails to determine the association, the deployment fails at the initial stages and since this step is performed in the backend, you also do not get any logs for the same.

It is for this reason that Microsoft recommends deploying the Trusted Certificate profile which is linked with the SCEP profile and the SCEP Certificate profile to the same group. Ref Microsoft article here.

SCEP cert profile deployment should match the associated Trusted Cert profile deployment, else might fail.
MS recommends SCEP cert profile deployment should match the associated Trusted Cert profile deployment, else might fail.

However, in our case, this would defy the purpose if we have to deploy to the same group.

Our aim is to deliver unique SCEP certificates to unique deployment groups using unique templates from the CA.

My SCEP lab is based on multi-tier PKI infrastructure where I have a Root CA and a Sub CA and the Sub CA is the Issuing CA for my NDES box.

What I did ?

I deployed the Trusted Cert profile for the Issuing CA (which is essentially defined as the Root Certificate within all my SCEP profiles) to All Devices (since my deployment is based on device groups) and then made a unique assignment for each of the 3 SCEP profiles.

Intune SCEP Certificate Workflow Analysis – Check this post if you have not read my previous article on SCEP which explains the above.

This satisfies the Effective Group Association calculation and as you can see, all the 3 profiles have the success status as shown below.

Checking the Issued Certificates on the CA, you will see that the 3 certs as issued are generated using the unique templates as intended.

SCEP service made the certificate requests to the CA using the unique templates as intended, defined by the Key Usage parameter of the CSR.
SCEP service made the certificate requests to the CA using the unique templates as intended, defined by the Key Usage parameter of the CSR.

Above, I showed how you can have 3 unique templates configured in CA to serve for specific use-cases scenarios.

Similarly, you can also use a single template in CA to serve both Device-based and User-based SCEP certificates to the endpoints – essentially because we configure the template to provide details (CN and SAN) on request.

Well, that was all for today. Hope this would help you in planning SCEP certificate deployments in your environment if you ever face a similar requirement.

Stay safe!

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.