Introduction
The Keyfactor implementation of the Simple Certificate Enrollment Protocol (SCEP) can be used wherever a SCEP server is required. It follows the SCEP protocol as defined in draft-nourse-scep-23 (see https://tools.ietf.org/id/draft-nourse-scep-23.txt), with an additional Intune-gated mode.
In Intune-gated mode, the Keyfactor SCEP server validates each enrollment request against the customer’s Microsoft Intune instance using Microsoft APIs. Intune is a cloud-based service for managing applications, enforcing policies, and securing devices in both corporate and bring-your-own-device (BYOD) scenarios. Keyfactor SCEP is commonly integrated with Intune for mobile device management (MDM).
For more information, see the Microsoft documentation:
The SCEP protocol allows devices to enroll for certificates using a URL and shared secret to communicate with a PKI. The Keyfactor SCEP role runs under Microsoft IIS and requires at least one Microsoft CA as a back-end certificate authority. Although it can be installed alongside Microsoft NDES, NDES is not required. The Keyfactor SCEP server has no dependency on NDES.
Supported Operations
The Keyfactor SCEP implementation supports a subset of SCEP message types:
- PKCSReq (initial enrollment only)
- GetCACert
- GetCACaps
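As an added illustration (not Keyfactor code), the following Python classifies SCEP request URLs, for example from web server logs, against the list above. It assumes the draft's `operation=` query parameter with exact-case matching, and the host and `/scep` path in the sample URLs are constructed placeholders.

```python
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# HTTP-level operation names from draft-nourse-scep-23. PKCSReq is a
# messageType carried inside the PKCS#7 body of a PKIOperation request,
# so it never appears in the URL; only the operation name is visible here.
SUPPORTED_OPERATIONS = {"GetCACert", "GetCACaps", "PKIOperation"}
# Defined by the draft but not in the supported list on this page.
OTHER_DRAFT_OPERATIONS = {"GetNextCACert"}

def classify_scep_request(url):
    """Return (verdict, operation) for one request URL."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    ops = query.get("operation", [])
    if len(ops) != 1:
        # Missing or repeated operation parameter: not a well-formed request.
        return ("malformed", None)
    op = ops[0]
    if op in SUPPORTED_OPERATIONS:
        return ("supported", op)
    if op in OTHER_DRAFT_OPERATIONS:
        return ("unsupported", op)
    return ("unknown", op)

def summarize(urls):
    """Count verdicts across a batch of request URLs."""
    return dict(Counter(classify_scep_request(u)[0] for u in urls))

# Constructed sample input; host, path and message values are placeholders.
SAMPLE_URLS = [
    "https://scep.example.test/scep?operation=GetCACert&message=ca",
    "https://scep.example.test/scep?operation=GetCACaps&message=ca",
    "https://scep.example.test/scep?operation=PKIOperation&message=PLACEHOLDER",
    "https://scep.example.test/scep?operation=GetNextCACert&message=ca",
    "https://scep.example.test/scep?operation=DumpConfig",
    "https://scep.example.test/scep?message=ca",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(classify_scep_request(url), url)
    print(summarize(SAMPLE_URLS))
```

Telling PKCSReq apart from other PKIOperation message types requires decoding the PKCS#7 payload, which this URL-level check does not do.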