SCEP (certificates)
Simple Certificate Enrollment Protocol (SCEP) and Public Key Infrastructure (PKI) related operations.
Simple Certificate Enrollment Protocol (SCEP) allows your devices to easily enroll for a certificate using our SCEP endpoint and perform other Public Key Infrastructure (PKI) related operations. We currently issue certificates with a validity period of 5 years so that you don't have to worry about renewing your certificate every year.
Device enrollment / Client certificate generation
- Make sure you have our Advanced RADIUS add-on enabled for your account. Put the RADIUS server certificate on the device you want to enroll (as a trusted certificate in the root folder) so that it can talk to our RADIUS servers. This generally gets pushed by your SCEP enrollment / MDM tool, such as Apple Configurator, Intune, JAMF, etc.
- Download the CA certificate from the SCEP page and use it in your SCEP enrollment / MDM tool to generate your CSR requests. Also put this CA certificate on the device you want to enroll (as a trusted certificate in the root folder). This also generally gets pushed by your MDM tool.
- In your SCEP enrollment / MDM tool, you will need a SCEP URL and a Challenge password. Go to the Foxpass Console's SCEP page to copy the unique SCEP endpoint and Challenge password for your account, and use this information in your SCEP enrollment / MDM tool to generate the client CSR requests. Any CSR request without a valid Challenge password will be rejected. For every successful request, a new client certificate is generated, pushed to your device, and also made available in the Foxpass Console's SCEP page for record purposes.
Certificate listing and revocation
The Foxpass Console's SCEP page lists all your issued certificates along with their serial, information, status, issue date, and expiry date. You can revoke a certificate by selecting a valid reason. Make sure you send 'TLS-Client-Cert-Serial' in all your RADIUS requests so that any revoked certificate with the accompanying serial is invalidated.
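A local check that ties the enrollment and revocation steps together: confirm that a device certificate chains to the CA certificate downloaded from the SCEP page, read its serial for comparison with the console's certificate list, and flag revoked or soon-to-expire certificates. This is an added example, not Foxpass tooling; the file names, the sample CA and device certificate it generates, the serial `1A2B3C` and the `revoked.txt` list are constructed for illustration, and it assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example, not Foxpass tooling. File names, subjects, the serial
# 1A2B3C and revoked.txt are constructed samples; requires the openssl CLI.

# Print the certificate's serial number as hex, the way openssl shows it.
cert_serial() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }

# Succeed only if the certificate ($2) chains to the CA certificate ($1).
cert_chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Succeed if the certificate ($1) is still valid $2 days from now.
valid_in_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Succeed if serial $1 appears in the one-serial-per-line list $2.
is_revoked() { grep -qixF -- "$1" "$2"; }

# Audit one certificate: $1 = CA cert, $2 = device cert, $3 = revoked list.
# Prints a verdict; returns 0 ok, 2 wrong issuer, 3 revoked, 4 expiring.
audit_cert() {
  serial=$(cert_serial "$2")
  if ! cert_chains_to "$1" "$2"; then echo "$serial: not issued by this CA"; return 2; fi
  if is_revoked "$serial" "$3"; then echo "$serial: revoked"; return 3; fi
  if ! valid_in_days "$2" 30; then echo "$serial: expires within 30 days"; return 4; fi
  echo "$serial: ok"
}

# Build a constructed CA, a 5-year device certificate and an unrelated CA
# in directory $1, standing in for the files an MDM deployment would have.
make_sample() {
  ( cd "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
      -subj "/CN=Sample SCEP CA" -days 3650 &&
    openssl req -newkey rsa:2048 -nodes -keyout dev.key -out dev.csr \
      -subj "/CN=sample-device" &&
    openssl x509 -req -in dev.csr -CA ca.pem -CAkey ca.key \
      -set_serial 0x1A2B3C -days 1825 -out dev.pem &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key \
      -out other.pem -subj "/CN=Unrelated CA" -days 30
  ) >/dev/null 2>&1
}

work=$(mktemp -d) && make_sample "$work"
echo 0A0B0C > "$work/revoked.txt"          # constructed revoked-serial list
audit_cert "$work/ca.pem" "$work/dev.pem" "$work/revoked.txt"
```

When comparing against the console, make sure both sides use the same serial notation; the hex form here is simply what `openssl` prints.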
Apple devices
See: Apple Configurator
and
Windows devices / Intune settings
Foxpass supports integrating with Intune.
See Intune