Essai Gratuit
Contact

Knowledge Base

Base de connaissancesSectigo Certificate Manager (SCM)

Configuring Intune and Azure with Sectigo Certificate Manager (SCM)

Mis à jour le 10 février 2025

1. Prerequisites

  • Active Sectigo Certificate Manager (SCM) account
  • Microsoft Azure subscription
  • Microsoft Intune subscription
  • Administrative access to Azure, Intune, and SCM

 
2. Register Application in Azure
2.1 Create Azure Application

  1. Sign in to the Azure portal (https://portal.azure.com)
  2. Navigate to Azure Active Directory > App registrations
  3. Click "New registration"
  4. Enter a name (e.g., "Sectigo Certificate Manager")
  5. Select "Accounts in this organizational directory only" under Supported account types
  6. Click "Register"

 
2.2 Configure API Permissions

      Intune

  1. In the newly created app, go to "API permissions"
  2. Click "Add a permission"
  3. Select "Microsoft Intune API"
  4. Choose "Application permissions"
  5. Select "SCEP challenge validation"
  6. Click "Add permissions"
  7. Click "Grant admin consent for [Your Organization]"
Microsoft Graph
  1. In the newly created app, go to "API permissions"
  2. Click "Add a permission"
  3. Select "Microsoft Graph API"
  4. Choose "Application permissions"
  5. Select "Application.Read.All"
  6. Click "Add permissions"
  7. Click "Grant admin consent for [Your Organization]"

      
2.3 Generate Client Secret

  1. Go to "Certificates & secrets"
  2. Click "New client secret"
  3. Enter a description and select an expiration period
  4. Click "Add"
  5. Copy and securely store the generated secret value

 
2.4 Note Important Information
Record the following information:

  • Application (client) ID
  • Directory (tenant) ID
  • Client Secret

 
3. Configure Sectigo Certificate Manager (SCM)
3.1 Add Azure Account in SCM

  1. Log in to SCM admin console
  2. Navigate to Integrations > Azure Accounts
  3. Click "Add"
  4. Enter a name for the account
  5. Input the Application ID, Directory ID, and Client Secret from Azure
  6. Click "Test Connection" to verify
  7. Click "Save"

 
3.2 Request RA Certificate

  1. Create SCEP RA Certificate Profile.
  2. Support will provide you with a CSR to request an SCEP RA Certificate  ( Client or Device)
  3. Using the CSR In SCM request SCEP RA Certificates using the profile that was created
  4. Please ensure certificate profile is delegated correctly
  5. Choose the certificate profile
  6. Enter a common name for the RA certificate, if necessary
  7. Click "Submit"
  8. Provide the certificate to Sectigo Support to be added at the back to encrypt SCEP protocol between SCM and Intune

 
3.3 Configure SCEP Endpoint

  1. Navigate to Enrollment > SCEP
  2. Click "Add"
  3. Select "Intune SCEP" as the endpoint type
  4. Enter a name for the endpoint
  5. Select the organization and department
  6. Choose the certificate profile and term
  7. Select the RA Certificate created earlier
  8. Choose the Azure Account created in step 3.1
  9. Enter a unique URI Extension
  10. Click "Save"

 
4. Configure Microsoft Intune
4.1 Create Trusted Certificate Profile

  1. Sign in to Microsoft Endpoint Manager (https://endpoint.microsoft.com)
  2. Go to Devices > Configuration profiles
  3. Click "Create profile"
  4. Select platform (e.g., Windows 10 and later)
  5. Choose "Templates" > "Trusted certificate"
  6. Click "Create"
  7. Enter a name and description
  8. Upload the root CA certificate provided by Sectigo
  9. Click "Next" and assign to appropriate groups
  10. Review and create the profile

 
4.2 Create SCEP Certificate Profile

  1. In Endpoint Manager, go to Devices > Configuration profiles
  2. Click "Create profile"
  3. Select platform (e.g., Windows 10 and later)
  4. Choose "Templates" > "SCEP certificate"
  5. Click "Create"
  6. Enter a name and description
Configure the SCEP settings:
  1. Certificate type: User or Device
  2. Subject name format: CN={{UserName}} or CN={{DeviceName}}
  3. Subject alternative name: User principal name (UPN)
  4. Certificate validity period: As per your policy
  5. Key usage: Digital signature and Key encipherment
  6. Key size: 2048
  7. Hash algorithm: SHA-2
  8. Root Certificate: Select the trusted certificate profile created earlier
  9. For SCEP Server URLs, enter the URL from SCM SCEP endpoint
  10. Format: http://[SCM_IP]/customer/[customer_id]/iscep/default/[org_code]/smime/pkiclient.exe
  11. Click "Next" and assign to appropriate groups
  12. Review and create the profile

 
5. Verify Configuration

  1. Enroll a test device in Intune
  2. Monitor the device in Intune for successful certificate deployment
  3. Check SCM for successful certificate issuance

 
Troubleshooting
       If certificate enrollment fails, check the following:

  • Azure application permissions are correctly set
  • SCM Azure Account connection is successful
  • SCEP endpoint URL is correctly entered in Intune
  • RA Certificate in SCM is valid and not expired
  • Review Intune device logs for specific error messages
  • Consult Sectigo support if issues persist

 
Additional Resources

Besoin d'aide ?

Besoin d'aide pour effectuer un achat ? Contactez-nous dès aujourd'hui pour que votre certificat soit délivré immédiatement.

Chat en direct

Cliquez sur le bouton ci-dessous ou cliquez sur « Chat avec un expert » pour commencer à chatter avec nous dès maintenant !

Commencer le chat

Appelez-nous aujourd'hui

États-Unis
+1 888 266 6361
France
+33 3 66 72 95 95
Italie
+39 02 4792 1708
Espagne
+34 900 838 451
Allemagne
+49 800 1002328
International
+1 914 732 844

Ressources