Keyfactor SCEP Installation and Configuration Guide
The Keyfactor implementation of the Simple Certificate Enrollment Protocol (SCEP) can be used wherever a SCEP server would be used (see https://datatracker.ietf.org/doc/id/draft-nourse-scep-23.txt for more information). Keyfactor’s SCEP server implementation can function in an Intune-gated mode, where the SCEP server validates every incoming enrollment against the customer’s Intune instance, using a Microsoft-proprietary API and protocol. Microsoft Intune is a cloud-based service that supports policies to control applications and help keep employees productive and secure in either a corporate or bring-your-own-device (BYOD) scenario. Keyfactor customers routinely choose to use the Keyfactor SCEP server with Microsoft Intune for mobile device management (MDM).
More information about Intune, including a brief overview in Microsoft’s architectural document, is available on the Microsoft documentation site at:
SCEP allows devices to enroll for a certificate by using a URL and a shared secret to communicate with a PKI. The Keyfactor SCEP role runs under Microsoft IIS and requires at least one Microsoft CA on the back end. Although the Keyfactor SCEP implementation and the Microsoft implementation of SCEP (NDES) can be collocated on the same server, there is no need to install NDES to support the Keyfactor SCEP installation. The Keyfactor SCEP server does not depend on Microsoft's NDES.