10 Comments

  1. Jon / September 17, 2023

    What is the reason one would choose SCEP over PKCS today?

    • SCEP is required if you are deploying devices in kiosk mode where there are no primary or assigned users. Other than that, PKCS works in pretty much every other scenario to my knowledge.

      • Grimster / February 2, 2024

        This has traditionally been the response regarding user-less devices, more recently Microsoft documentation is starting to indicate otherwise: https://learn.microsoft.com/en-us/mem/intune/protect/certificates-pfx-configure

        Select a type:
        User certificates can contain both user and device attributes in the subject and subject alternative name (SAN) of the certificate.
        Device certificates can only contain device attributes in the subject and SAN of the certificate. Use Device for scenarios such as user-less devices, like kiosks or other shared devices.

        This selection affects the Subject name format.

      • Good to know. Thanks!

  2. Phil L / November 3, 2023

    This is a great article! PKCS worked like a champ as usual. Interesting scenario that I’m seeing. On some systems, multiple users are logging in and the first user is successful in receiving the certificate, the second user is showing an error and the user is then unable to login to wi-fi. Anything I should be looking for? I actually see the certificate issued on the server.

    • Thanks! I have no idea why a second user would have issues receiving a certificate. That’s odd, for sure. If you are seeing the certificate issued on the CA, then I suspect it’s an Intune issue. What, specifically, that would be I don’t know. Do the event logs on the endpoint indicate anything?

  3. Seb / January 31, 2025

    Very nice article! One question concerning AOVPN and certificates with TPM – this is only possible with SCEP and not with PKCS, I suppose? We are evaluating Entra ID-only joined devices with our on-prem AO-VPN solution, and for security reasons we have to deploy certificates with TPM – or is there similar security with PKCS?

    • No, you can restrict certificate enrollment to TPM using PKCS as well. The only difference between PKCS and SCEP is that the private key is created on the connector server and imported on the endpoint with PKCS, whereas the private key is created on the endpoint in TPM with SCEP.

      • Seb / January 31, 2025

        That sounds very interesting and promising, thanks a lot! So I suppose the key size should be 2048 (and not 4096)? And if the key size is 2048, it will automatically be used with TPM, I suppose?

      • Correct. 2048 bit is commonly recommended for end-entity certificates anyway.
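The TPM question in the thread above can be verified directly on an enrolled endpoint rather than taken on faith from the profile settings. The script below is an added example, not code from the article or from the commenters: it walks the machine certificate store and, for every certificate with an RSA private key, reports the key length and the key storage provider, flagging keys held by the Microsoft Platform Crypto Provider (the TPM key storage provider). It assumes the certificate was deployed to the machine store (Cert:\LocalMachine\My); for a user certificate, change the path to Cert:\CurrentUser\My. Run it in an elevated PowerShell session on the endpoint.

```powershell
# Added example (not from the original article). Reports, for each certificate
# with an RSA private key in the chosen store, whether the key is TPM-backed
# and what its length is. Assumes the machine store; pass -StorePath to change.
function Get-TpmKeyReport {
    param(
        [string] $StorePath = 'Cert:\LocalMachine\My'   # assumed default location
    )

    $certs = Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey }

    foreach ($cert in $certs) {
        # GetRSAPrivateKey returns $null for non-RSA keys (e.g. ECC); skip those.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($null -eq $rsa) { continue }

        $provider = $null
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG key: CngKey.Provider is a CngProvider whose .Provider is the KSP name.
            $provider = $rsa.Key.Provider.Provider
        }
        elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CSP key: never TPM-backed, but report the provider for completeness.
            $provider = $rsa.CspKeyContainerInfo.ProviderName
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            KeySize    = $rsa.KeySize
            Provider   = $provider
            TpmBacked  = ($provider -eq 'Microsoft Platform Crypto Provider')
        }
    }
}

# Show the result as a table; TpmBacked = True means the private key lives in the TPM.
Get-TpmKeyReport | Format-Table Subject, KeySize, Provider, TpmBacked -AutoSize
```

A certificate whose key was generated, or imported, under the TPM shows Provider = Microsoft Platform Crypto Provider and TpmBacked = True; one under Microsoft Software Key Storage Provider is software-protected only, whatever the Intune profile intended, which is the case to look for when troubleshooting a PKCS deployment that was expected to land in the TPM. If you prefer the built-in tool, certutil -store -v My prints the same provider name beneath each certificate's key container details.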
