SCEP Payload

Description

This payload can be used to enroll a certificate using the Simple Certificate Enrollment Protocol (SCEP).

In order to use this, it is assumed that you have a SCEP server that can issue a certificate to the devices to which this payload is deployed.

Configuration

Each setting of the original table is listed below with the same columns: whether it is mandatory, the configuration name, its description and an example value.

Server URL
Mandatory: Yes
Description: The base URL for the SCEP server.
Example: http://scep.example.com:1640/pkiclient.exe

Name
Mandatory: No
Description: The name of the instance (CA-IDENT). Optional. Any string that is understood by the SCEP server; for example, it could be a domain name like example.org. If a certificate authority has multiple CA certificates, this field can be used to distinguish which one is required.
Example: My Certificate

Subject
Mandatory: Yes
Description: Representation of an X.500 name. Optional. The X.500 name is represented as an array of OID and value pairs. For example, /C=US/O=Apple Inc./CN=foo/1.2.5.3=bar would translate to: [ [ ["C", "US"] ], [ ["O", "Apple Inc."] ], ..., [ ["1.2.5.3", "bar"] ] ]. OIDs can be represented as dotted numbers, with shortcuts for the country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN).
Example: O=CapaSystems A/S, OU=Test

Challenge
Mandatory: No
Description: Used as the pre-shared secret for automatic enrollment. Optional.

Key Size
Mandatory: Yes
Description: Key size in bits. Optional. The key size in bits, either 1024 or 2048.
Example: 2048

Key Type
Mandatory: Yes
Description: Optional. Currently always "RSA".
Example: RSA

Use for digital signature and key encipherment
Mandatory: No
Description: Optional. A bitmask indicating the use of the key: 1 is signing, 4 is encryption, 5 is both signing and encryption. Some certificate authorities, such as Windows CA, support only encryption or signing, but not both at the same time.

Subject Alternate Name Type
Mandatory: No
Description: The type of a subject alternate name. The SCEP payload can specify an optional SubjectAltName dictionary that provides values required by the CA for issuing a certificate. You can specify a single string or an array of strings for each key. The values you specify depend on the CA you're using, but might include DNS name, URL, or email values.

Fingerprint
Mandatory: No
Description: HEX string to be used as a fingerprint.

ONLY FOR IOS 12 OR NEWER

The following settings have no display name on this page; the names given are the corresponding Apple SCEP payload keys.

Retries
Mandatory: No
Description: The number of times the device should retry. Defaults to 3.

RetryDelay
Mandatory: No
Description: The number of seconds to wait between subsequent retries. The first retry is attempted without this delay. Defaults to 10.

AllowAllAppsAccess
Mandatory: No
Description: If set, all apps have access to the private key. The default is not set.

KeyIsExtractable
Mandatory: No
Description: If not set, the private key cannot be exported from the keychain. The default is set.
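As an added example (not code from this page or from the vendor), the following Python script shows how the Subject string described above is turned into the array-of-[OID, value] form, and how the other table values are validated before being written into a SCEP payload dictionary. The parser handles both the slash form (/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar) and the comma form used in the table's own example, and it keeps a "/" inside a value (the "A/S" in "O=CapaSystems A/S") as part of the value. The dictionary key names (URL, Subject, Keysize, Key Type, Key Usage, Retries, RetryDelay, AllowAllAppsAccess, KeyIsExtractable, CAFingerprint, SubjectAltName, PayloadType com.apple.security.scep) are assumed to follow Apple's documented SCEP payload keys; the SubjectAltName key dNSName, the PayloadIdentifier and the fingerprint bytes in the usage block are constructed sample values.

```python
import plistlib
import re
import uuid

# Attribute-type shortcuts the table lists; anything else must be a dotted-number OID.
SUBJECT_SHORTCUTS = ("C", "L", "ST", "O", "OU", "CN")
ATTR_PATTERN = r"(?:" + "|".join(SUBJECT_SHORTCUTS) + r"|\d+(?:\.\d+)+)"
# Split only at a '/' or ',' that is immediately followed by 'ATTR=', so a '/' inside
# a value (for example the 'A/S' in 'O=CapaSystems A/S') stays part of the value.
RDN_SEPARATOR = re.compile(r"(?:/|,\s*)(?=" + ATTR_PATTERN + r"=)")
ATTR_RE = re.compile(r"^" + ATTR_PATTERN + r"$")

# Key usage bitmask values from the table: 1 signing, 4 encryption, 5 both.
KEY_USAGE_SIGNING = 1
KEY_USAGE_ENCRYPTION = 4
ALLOWED_KEY_USAGE = {KEY_USAGE_SIGNING, KEY_USAGE_ENCRYPTION,
                     KEY_USAGE_SIGNING | KEY_USAGE_ENCRYPTION}
ALLOWED_KEY_SIZES = {1024, 2048}


def parse_subject(subject):
    """Convert '/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar' (or the comma form
    'O=CapaSystems A/S, OU=Test') into the array of [OID, value] pairs the payload expects."""
    rdns = [part.strip() for part in RDN_SEPARATOR.split(subject) if part.strip()]
    if not rdns:
        raise ValueError("subject contains no relative distinguished names")
    parsed = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        attr, value = attr.strip(), value.strip()
        if not sep or not value:
            raise ValueError(f"malformed RDN: {rdn!r}")
        if not ATTR_RE.match(attr):
            raise ValueError(f"unsupported attribute type: {attr!r}")
        parsed.append([[attr, value]])
    return parsed


def build_scep_payload(url, subject, key_size=2048,
                       key_usage=KEY_USAGE_SIGNING | KEY_USAGE_ENCRYPTION,
                       name=None, challenge=None, subject_alt_name=None,
                       ca_fingerprint_hex=None, retries=3, retry_delay=10,
                       allow_all_apps_access=False, key_is_extractable=True):
    """Validate the values the table constrains and return the payload dictionary.
    Key names are assumed to match Apple's documented SCEP payload keys."""
    if key_size not in ALLOWED_KEY_SIZES:
        raise ValueError(f"key size must be one of {sorted(ALLOWED_KEY_SIZES)}, got {key_size}")
    if key_usage not in ALLOWED_KEY_USAGE:
        raise ValueError("key usage must be 1 (signing), 4 (encryption) or 5 (both)")
    content = {
        "URL": url,
        "Subject": parse_subject(subject),
        "Keysize": key_size,
        "Key Type": "RSA",  # the table states this is currently always RSA
        "Key Usage": key_usage,
        "Retries": retries,
        "RetryDelay": retry_delay,
        "AllowAllAppsAccess": allow_all_apps_access,
        "KeyIsExtractable": key_is_extractable,
    }
    if name:
        content["Name"] = name
    if challenge:
        content["Challenge"] = challenge
    if subject_alt_name:
        content["SubjectAltName"] = subject_alt_name
    if ca_fingerprint_hex:
        # The profile carries the fingerprint as raw bytes; a non-hex string raises here
        # instead of producing a fingerprint the device could never match.
        content["CAFingerprint"] = bytes.fromhex(ca_fingerprint_hex.replace(":", ""))
    return {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.scep",  # constructed sample identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name or "SCEP",
        "PayloadContent": content,
    }


def to_plist(payload):
    """Serialise the payload dictionary to the XML plist used by configuration profiles."""
    return plistlib.dumps(payload)


if __name__ == "__main__":
    payload = build_scep_payload(
        "http://scep.example.com:1640/pkiclient.exe",
        "O=CapaSystems A/S, OU=Test",
        name="My Certificate",
        subject_alt_name={"dNSName": "device.example.org"},  # constructed sample value
        ca_fingerprint_hex="ab:cd:ef",  # constructed sample value, not a real CA fingerprint
    )
    print(to_plist(payload).decode())
```

The validation mirrors the table's constraints rather than the CA's: a CA that supports only signing or only encryption (as the table notes for Windows CA) still needs key_usage set to 1 or 4 explicitly, since the function defaults to 5.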
