
SCEP & PKI Integration

Deploy passwordless, certificate-based WiFi authentication using IronWifi's HSM-protected Certificate Authority and SCEP (Simple Certificate Enrollment Protocol) for automatic certificate provisioning to managed devices.

What is SCEP?

Simple Certificate Enrollment Protocol (SCEP) allows devices to automatically request and receive certificates from a Certificate Authority. This enables:

  • Passwordless authentication - No credentials to remember
  • Strong security - Certificate-based mutual authentication
  • Device management - Certificates tied to specific devices
  • Automatic enrollment - MDM integration for deployment

Prerequisites

  • IronWifi account with PKI features
  • Mobile Device Management (MDM) solution (Intune, Jamf, etc.)
  • Devices that support EAP-TLS

IronWifi Certificate Authority

CA Hierarchy

IronWifi uses a three-tier PKI:

  1. Root CA - Offline, HSM-protected
  2. Issuing CA - Online, issues certificates
  3. User/Device Certificates - End-entity certificates

Download CA Certificate

  1. Navigate to Account > Certificates
  2. Download the CA certificate chain
  3. Deploy to clients for trust validation

Setting Up SCEP with Intune

Step 1: Configure SCEP in IronWifi

  1. Navigate to Connectors > SCEP
  2. Note the SCEP URL
  3. Configure certificate template:
    • Validity period
    • Key size
    • Usage (client authentication)

Step 2: Configure Intune SCEP Profile

  1. In Microsoft Endpoint Manager
  2. Navigate to Devices > Configuration profiles
  3. Create profile:
    • Platform: Windows 10, iOS, Android, etc.
    • Profile type: SCEP certificate

Step 3: SCEP Profile Settings

Setting                    Value
Certificate type           User
Subject name format        CN={{UserPrincipalName}}
Subject alternative name   Email={{EmailAddress}}
Certificate validity       1 year (recommended)
Key storage provider       TPM if available
Key usage                  Digital signature, Key encipherment
Key size                   2048 or higher
Hash algorithm             SHA-256
Root certificate           IronWifi CA certificate
SCEP Server URLs           From IronWifi Console
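The settings in this table end up inside the certificate request the device submits through SCEP. The script below is an added example, not Intune's or IronWifi's code: it builds a request shaped exactly like that profile with OpenSSL and then checks that every required field is present before the request would be handed to the CA. The UPN and e-mail address are constructed placeholders standing in for the {{UserPrincipalName}} and {{EmailAddress}} variables, and the working directory is a temporary one.

```shell
#!/bin/sh
# Added example (not Intune's or IronWifi's code): build the CSR that a device
# enrolling against the SCEP profile above would submit, then verify it carries
# every field the profile table requires. Values are constructed placeholders.
set -e
WORK="$(mktemp -d)"
UPN="alice@example.com"      # stands in for {{UserPrincipalName}}
EMAIL="alice@example.com"    # stands in for {{EmailAddress}}

# 2048-bit RSA key, SHA-256 signature, CN=UPN, SAN=e-mail,
# digitalSignature+keyEncipherment key usage and the clientAuth EKU.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/device.key" -out "$WORK/device.csr" \
    -subj "/CN=$UPN" \
    -addext "subjectAltName=email:$EMAIL" \
    -addext "keyUsage=digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=clientAuth" >/dev/null 2>&1
}

# Returns 0 when the CSR matches the profile table, 1 on the first mismatch
# (the unmet requirement is printed so the profile can be corrected).
csr_matches_profile() {
  txt="$(openssl req -in "$WORK/device.csr" -noout -text)"
  for want in \
    "Subject:.*CN *= *$UPN" \
    "email:$EMAIL" \
    "Public-Key: (2048 bit)" \
    "Signature Algorithm: sha256WithRSAEncryption" \
    "Digital Signature, Key Encipherment" \
    "TLS Web Client Authentication"
  do
    echo "$txt" | grep -q "$want" || { echo "CSR is missing: $want" >&2; return 1; }
  done
  return 0
}

make_csr
csr_matches_profile && echo "CSR matches the SCEP profile"
```

The check deliberately looks for the human-readable strings OpenSSL prints for each extension, so a request generated by an MDM with a mistyped key usage or a 1024-bit key is caught before the CA is involved rather than at the first 802.1X attempt.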

Step 4: Configure Trust Profile

Create a trusted certificate profile:

  1. Create new profile > Trusted certificate
  2. Upload IronWifi CA certificate
  3. Deploy to same groups as SCEP profile

Step 5: Configure WiFi Profile

Create WiFi profile for EAP-TLS:

  1. Create profile > Wi-Fi
  2. WiFi type: Enterprise
  3. EAP type: EAP-TLS
  4. Certificate: SCEP certificate
  5. Root certificate: IronWifi CA

Step 6: Deploy Profiles

  1. Assign profiles to user/device groups
  2. Monitor deployment status
  3. Verify certificate enrollment

User Auto-Creation

For SCEP to work with new users:

  1. Navigate to SCEP connector settings
  2. Enable User Auto-Creation
  3. Configure user template:
    • Username from certificate CN
    • Email from certificate SAN
    • Default group assignment
Note: Users must exist in IronWifi or auto-creation must be enabled for certificate authentication to succeed.

Setting Up SCEP with Jamf

Step 1: Configure Jamf Pro

  1. Navigate to Settings > PKI Certificates
  2. Add External CA
  3. Select SCEP
  4. Enter IronWifi SCEP URL

Step 2: Create Configuration Profile

  1. Create new Configuration Profile
  2. Add SCEP payload
  3. Configure certificate settings
  4. Add WiFi payload with EAP-TLS
  5. Deploy to devices

Manual Certificate Generation

For individual users:

  1. Navigate to Users > select user
  2. Click Add Certificate
  3. Select distribution method:
    • Download
    • Email to user
    • Email download link
  4. Set validity period
  5. Click Create

Certificate Formats

Format                  Use Case
PKCS#12 (.p12/.pfx)     Windows, Android
PEM                     macOS, Linux
mobileconfig            iOS/iPadOS

Certificate Revocation

Manual Revocation

  1. Navigate to user's profile
  2. Find the certificate
  3. Click Revoke
  4. Certificate is immediately invalidated

Automatic Revocation

Certificates can be automatically revoked when:

  • User is deleted
  • User is disabled
  • Certificate expires

RADIUS Configuration

For EAP-TLS authentication:

  1. Ensure your Network has EAP-TLS enabled
  2. Configure access points for WPA-Enterprise
  3. Clients present their certificates during 802.1X authentication
  4. RADIUS validates the certificate against the CA
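What "validates the certificate against the CA" means in practice is easiest to see on a throw-away PKI. The script below is an added example and not IronWifi's tooling: it builds a lab three-tier hierarchy (root, issuing CA, client certificate) standing in for IronWifi's HSM-protected CAs, then runs the checks an EAP-TLS RADIUS server applies to a presented certificate: the chain to the trusted root, the validity window, the client-authentication key usage, the CN and SAN used by User Auto-Creation, and finally revocation through a CRL as described under Certificate Revocation. Every name, e-mail address and lifetime is a constructed lab value, and the example assumes OpenSSL 1.1.1 or later is installed.

```shell
#!/bin/sh
# Added example, not IronWifi's tooling: a lab three-tier PKI
# (root -> issuing CA -> client) and the checks a RADIUS server performs on
# an EAP-TLS client certificate. All names and lifetimes are constructed.
set -e
LAB="$(mktemp -d)"
cd "$LAB"

# Sign a CSR with the given CA certificate/key, lifetime and extension file.
sign() { # sign <csr> <ca cert> <ca key> <days> <extfile> <out>
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -sha256 -days "$4" -extfile "$5" -out "$6" >/dev/null 2>&1
}

build_lab_pki() {
  # Root CA: self-signed, CA:TRUE, only signs certificates and CRLs.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout root.key \
    -out root.csr -subj "/CN=Lab Root CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
  openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
    -extfile root.ext -out root.crt >/dev/null 2>&1
  # Issuing CA signed by the root; pathlen:0 stops it from creating sub-CAs.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout issuing.key \
    -out issuing.csr -subj "/CN=Lab Issuing CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > issuing.ext
  sign issuing.csr root.crt root.key 1825 issuing.ext issuing.crt
  # The bundle a client receives from "Download the CA certificate chain".
  cat issuing.crt root.crt > chain.pem
  # End-entity certificate shaped like the SCEP profile: CN=UPN, SAN=e-mail,
  # digitalSignature+keyEncipherment, clientAuth, one-year validity.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout client.key \
    -out client.csr -subj "/CN=alice@example.com" >/dev/null 2>&1
  printf 'subjectAltName=email:alice@example.com\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n' > client.ext
  sign client.csr issuing.crt issuing.key 365 client.ext client.crt
}

# Step 4 of the RADIUS flow: the certificate must chain to the trusted root
# and be usable for client authentication (-purpose sslclient checks the
# key-usage and extended-key-usage bits as well as the CA flags on the chain).
verify_client_cert() {
  openssl verify -CAfile root.crt -untrusted issuing.crt -purpose sslclient \
    client.crt >/dev/null 2>&1
}

# The "Certificate Not Trusted" case: the root is known but the issuing CA
# certificate is missing, so the chain is incomplete and verification fails.
verify_without_intermediate() {
  openssl verify -CAfile root.crt client.crt >/dev/null 2>&1
}

# Validity window: succeeds only while the certificate has not expired.
cert_not_expired() {
  openssl x509 -in client.crt -noout -checkend 0 >/dev/null
}

# Identity mapping used by User Auto-Creation: username from the CN,
# e-mail from the subject alternative name.
cert_username() {
  openssl x509 -in client.crt -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//; s/^CN=//'
}
cert_email() {
  openssl x509 -in client.crt -noout -text | grep -o 'email:[^, ]*' | sed 's/^email://'
}

# Revocation: the issuing CA records the revocation and publishes a CRL.
revoke_and_publish_crl() {
  mkdir -p ca && : > ca/index.txt && echo 1000 > ca/crlnumber && echo 1000 > ca/serial
  cat > ca/issuing.cnf <<'EOF'
[ ca ]
default_ca = issuing
[ issuing ]
database = ca/index.txt
serial = ca/serial
new_certs_dir = ca
crlnumber = ca/crlnumber
certificate = issuing.crt
private_key = issuing.key
default_md = sha256
default_crl_days = 7
EOF
  openssl ca -config ca/issuing.cnf -revoke client.crt >/dev/null 2>&1
  openssl ca -config ca/issuing.cnf -gencrl -out issuing.crl >/dev/null 2>&1
}

# The same chain check with CRL checking on: a revoked certificate is rejected
# even though it is otherwise valid and unexpired.
verify_with_crl_check() {
  openssl verify -crl_check -CAfile root.crt -untrusted issuing.crt \
    -CRLfile issuing.crl client.crt >/dev/null 2>&1
}

build_lab_pki
verify_client_cert && echo "chain OK: user=$(cert_username) email=$(cert_email)"
revoke_and_publish_crl
verify_with_crl_check || echo "revoked certificate rejected"
```

Two points carry over to a real deployment: the client must be given the whole chain (the issuing CA certificate, not just the root), which is why verify_without_intermediate fails, and revocation only has an effect if the RADIUS server actually consults the CA's revocation data, which is what the -crl_check run models.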

Troubleshooting

Certificate Enrollment Failed

  • Verify SCEP URL is correct
  • Check network connectivity
  • Verify MDM profile is deployed
  • Review SCEP logs in IronWifi

Authentication Failed

  • Verify the certificate is valid (not expired or revoked)
  • Check that the CA certificate is trusted on the client
  • Confirm the user exists in IronWifi
  • Review the RADIUS logs

Certificate Not Trusted

  • Deploy the CA certificate to clients
  • Verify the trust chain is complete (issuing CA as well as root)
  • Check that the certificate has not been revoked

Best Practices

  1. Short validity periods - Easier to manage, more secure
  2. Use MDM - Automate deployment and renewal
  3. Monitor expiration - Set up alerts for expiring certificates
  4. Regular audits - Review issued certificates
  5. Revoke promptly - When users leave or devices are lost