SCEP Payload

Description

This payload can be used to enroll a certificate using the Simple Certificate Enrollment Protocol (SCEP).

In order to use this, it is assumed that you have a SCEP server that can distribute a certificate for the devices which this payload is deployed to.

Configuration

Each setting is listed with whether it is mandatory, its description and an example value.

Server URL
Mandatory: Yes
Description: The base URL for the SCEP server.
Example: http://scep.example.com:1640/pkiclient.exe

Name
Mandatory: No
Description: The name of the instance (CA-IDENT). Optional. Any string that is understood by the SCEP server; for example, it could be a domain name like example.org. If a certificate authority has multiple CA certificates, this field can be used to distinguish which one is required.
Example: My Certificate

Subject
Mandatory: Yes
Description: Representation of an X.500 name. Optional. The X.500 name is represented as an array of OID and value pairs. For example, /C=US/O=Apple Inc./CN=foo/1.2.5.3=bar translates to: [ [ ["C", "US"] ], [ ["O", "Apple Inc."] ], ..., [ ["1.2.5.3", "bar"] ] ]. OIDs can be represented as dotted numbers, with shortcuts for the country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN).
Example: O=CapaSystems A/S, OU=Test

Challenge
Mandatory: No
Description: Used as the pre-shared secret for automatic enrollment. Optional.
Example: (none given)

Key Size
Mandatory: Yes
Description: Key size in bits. Optional. Either 1024 or 2048.
Example: 2048

Key Type
Mandatory: Yes
Description: Optional. Currently always "RSA".
Example: RSA

Key Usage
Mandatory: No
Description: Use for digital signature and key encipherment. Optional. A bitmask indicating the use of the key: 1 is signing, 4 is encryption, 5 is both signing and encryption. Some certificate authorities, such as Windows CA, support only encryption or signing, but not both at the same time.
Example: (none given)

Subject Alternate Name Type
Mandatory: No
Description: The type of a subject alternate name. The SCEP payload can specify an optional SubjectAltName dictionary that provides values required by the CA for issuing a certificate. You can specify a single string or an array of strings for each key. The values you specify depend on the CA you're using, but might include DNS name, URL, or email values.
Example: (none given)

Fingerprint
Mandatory: No
Description: HEX string to be used as a fingerprint.
Example: (none given)

The following settings apply only to iOS 12 or newer.

Retries
Mandatory: No
Description: The number of times the device should retry. Defaults to 3.

Retry Delay
Mandatory: No
Description: The number of seconds to wait between subsequent retries. The first retry is attempted without this delay. Defaults to 10.

Allow All Apps Access
Mandatory: No
Description: If set, all apps have access to the private key. The default is not set.

Key Is Extractable
Mandatory: No
Description: If not set, the private key cannot be exported from the keychain. Default is set.
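As an added example (not code from CapaSystems or from this page), the following Python converts the slash-separated X.500 subject string described under Subject into the nested OID/value array form, and checks a Key Size and Key Usage bitmask against the values the table allows. The escaping of a slash inside a value (as in "CapaSystems A/S") is an assumption of this example, not a rule stated on the page.

```python
import re

# Attribute-type shortcuts the page lists; anything else must be a dotted OID.
SHORTCUTS = {"C", "L", "ST", "O", "OU", "CN"}
DOTTED_OID = re.compile(r"^\d+(?:\.\d+)+$")

# Key Usage bitmask values and key sizes from the table above.
KEY_USAGE_SIGNING = 1
KEY_USAGE_ENCRYPTION = 4
VALID_KEY_USAGE = {1, 4, 5}  # signing, encryption, both
VALID_KEY_SIZES = {1024, 2048}


def parse_subject(subject: str) -> list:
    """'/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar' -> [[['C', 'US']], ...].
    Assumption (not from the page): a '/' inside a value, as in the
    example 'CapaSystems A/S', is escaped as '\\/'."""
    rdns = []
    for component in re.split(r"(?<!\\)/", subject):  # split on unescaped '/'
        if not component:
            continue  # leading slash or empty segment
        if "=" not in component:
            raise ValueError(f"component without '=': {component!r}")
        attr_type, value = component.split("=", 1)
        attr_type = attr_type.strip()
        if attr_type not in SHORTCUTS and not DOTTED_OID.match(attr_type):
            raise ValueError(f"unknown attribute type: {attr_type!r}")
        rdns.append([[attr_type, value.replace("\\/", "/")]])
    if not rdns:
        raise ValueError("subject contains no attributes")
    return rdns


def key_usage_names(bitmask: int) -> list:
    """Expand a Key Usage bitmask into the usages it enables."""
    names = []
    if bitmask & KEY_USAGE_SIGNING:
        names.append("signing")
    if bitmask & KEY_USAGE_ENCRYPTION:
        names.append("encryption")
    return names


def validate_key_settings(key_size: int, key_usage: int) -> list:
    """Return the problems with the key settings; an empty list means valid."""
    problems = []
    if key_size not in VALID_KEY_SIZES:
        problems.append(f"key size must be 1024 or 2048, got {key_size}")
    if key_usage not in VALID_KEY_USAGE:
        problems.append(f"key usage must be 1, 4 or 5, got {key_usage}")
    return problems
```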


