Skip to main content
This Library Item is available for Apple and Windows devices
The Simple Certificate Enrollment Protocol (SCEP) profile lets you securely issue certificates to your devices from a SCEP server and Certificate Authority (CA). You can use these certificates for services like 802.1x, VPN, and authentication. Iru’s SCEP Profile feature automatically distributes and re-distributes certificates to Apple and Windows devices. Certificates are delivered at the machine level, not per user.
You can only use static challenges with the SCEP Library Item.

Create a SCEP Profile Library Item

Log in to your Iru tenant before you start. To add this Library Item to your Iru Endpoint Library, follow the steps in the Library Overview article.
1

Navigate to Library

Navigate to the Library and select Add Library Item.
2

Select SCEP

Search for and select SCEP.
3

Name the Library Item

Give your SCEP Library Item a descriptive name.
4

Select Platforms

Choose which platforms should get the profile under Install on.
5

Select Blueprints

Pick the Blueprints you want to use.
6

Input SCEP Server URL

Enter the base URL for your SCEP server.
7

Configure Display Settings

Optionally, add a display Name, Challenge, and Fingerprint.
8

Configure Subject Settings

Set the Subject (optional) and Subject Alternative Name Type.
9

Configure Key Settings

Set your Key Size and Key Usage.
10

Configure Additional Settings

Optionally, add retry, access, export, expiration, and redistribution settings.

General Settings

  • URL The base URL for your SCEP server (like scep.example.org).
  • Name (optional) A label to distinguish this CA when you use multiple certificates.
  • Challenge A pre-shared secret string for automatic enrollment.
  • Fingerprint The certificate authority fingerprint as a hex string.

Subject Configuration

  • Subject Distinguished name in X.500 format. You can use global variables like:
    • CN=$SERIAL_NUMBER
  • Subject Alternative Names (SAN) Add alternative identifiers, including global variables, like:
    • RFC 822 Name = $DEVICE_NAME

Key Settings

  • Key size Pick your key size (1024, 2048, or 4096 bits).
  • Key usage Options:
    • Signing
    • Encryption
    • Both signing and encryption

Additional Options

  • Retries How many times to retry if the server sends a PENDING response.
  • Automatic profile redistribution When enabled, Iru checks certificate expiration dates and automatically re-issues new certificates when they’re about to expire.
Renewal only starts when the certificate is within the redistribution window, which must be at least 5 days before expiration. This prevents certificates from being renewed too early, like right after they’re issued.
  • When renewing, Iru appends the $PROFILE_UUID variable to the Subject.

Platform-Specific Options

Apple-Specific Options

  • Retry delay How long to wait (in seconds) between retries.
  • Allow all apps to access the private key Gives all apps access to the private key in the keychain.
  • Prevent private key extraction Prevents exporting the private key from the keychain (macOS 10.15+). You should enable this for better security.
  • Certificate expiration notification Sends notifications when certificates are about to expire on macOS.
When Automatic profile redistribution is enabled for Apple devices, specify a user global variable in the Subject Alternative Names (SAN) if user information is required in the certificate. This is necessary because the Wi-Fi Library Item ID is added to the Common Name in the certificate’s subject to track certificate renewal.

Important Considerations

Profile Redistribution

Automatic profile redistribution renews certificates before they expire, so you avoid downtime and keep authentication working smoothly.

Preventing Key Extraction

Enabling Prevent the private key data from being extracted prevents end users from exporting the private key. You should enable this for better security.

Best Practices

1

Plan certificate lifecycle

Set certificate validity periods and renewal windows to keep services running without interruption.
2

Secure challenge secrets

Use strong, unique challenge secrets for each SCEP configuration to prevent unauthorized enrollment.
3

Monitor certificate status

Check certificate enrollment and renewal status regularly so you can catch and fix issues quickly.
4

Test configurations

Test SCEP configurations on a few devices first - this helps you catch issues before they affect your whole fleet.

Troubleshooting

Possible causes:
  • Incorrect SCEP server URL
  • Invalid challenge secret
  • Network connectivity issues
  • Certificate authority fingerprint mismatch Solutions:
  • Verify SCEP server URL and accessibility
  • Confirm challenge secret matches server configuration
  • Check network connectivity and firewall rules
  • Validate certificate authority fingerprint
Possible causes:
  • Renewal window too short
  • SCEP server not responding
  • Certificate validity period conflicts Solutions:
  • Ensure renewal window is at least 5 days before expiration
  • Check SCEP server availability and logs
  • Verify certificate validity period configuration
Possible causes:
  • Key protection settings too restrictive
  • Keychain access permissions
  • Application-specific key access requirements Solutions:
  • Review key protection and access settings
  • Check keychain permissions for applications
  • Configure appropriate key access for required applications

Security Considerations

Challenge Security

You should use strong, unique challenge secrets and rotate them regularly to prevent unauthorized enrollment.

Key Protection

Enable private key extraction prevention to keep your certificates secure.

Certificate Monitoring

Monitor certificate enrollment and renewal activities to spot security issues.

Access Control

Set key access permissions based on what your applications need.