For SCEP and Intune-SCEP enrollment, you must add the following certificate types to the Security Manager CA: signing, encryption, dual usage (signing and encryption), non-repudiation.

To add SCEP certificate types to Security Manager

  1. Log in to Security Manager Administration.
  2. Export the certificate specifications to a file by selecting File > Certificate Specifications > Export.
  3. Open the certificate specifications file in a text editor.

  4. Add the following lines to the [Certificate Types] section.

    ; ----------------------------------------------------------------------
    ; Certificate types to be used with SCEP
    ; ----------------------------------------------------------------------
    ent_scep_sig=enterprise,SCEP Signing,SCEP Signing Certificate
    ent_scep_enc=enterprise,SCEP Encryption,SCEP Encryption Certificate
    ent_scep_sig_enc=enterprise,SCEP Signing and Encryption,SCEP Signing and Encryption Certificate
    ent_scep_sig_nonrep=enterprise,SCEP Signing and Nonrepudiation,SCEP Signing and Nonrepudiation Certificate
    ; ----------------------------------------------------------------------

  5. Add the following lines to the [Extension Definitions] section.

    ; ----------------------------------------------------------------------
    ; Certificate definitions to be used with SCEP
    ; ----------------------------------------------------------------------
    [ent_scep_sig Certificate Definitions]
    1=Verification_p10
     
    [ent_scep_sig Verification_p10 Extensions]
    keyusage=2.5.29.15,n,m,BitString,1
     
    [ent_scep_sig Advanced]
    noUserInDirectory=1
     
    [ent_scep_enc Certificate Definitions]
    1=Encryption_p10
     
    [ent_scep_enc Encryption_p10 Extensions]
    keyusage=2.5.29.15,n,m,BitString,001
     
    [ent_scep_enc Advanced]
    noUserInDirectory=1
     
    [ent_scep_sig_enc Certificate Definitions]
    1=Dual Usage
     
    [ent_scep_sig_enc Dual Usage Extensions]
    keyusage=2.5.29.15,n,m,BitString,101
     
    [ent_scep_sig_enc Advanced]
    noUserInDirectory=1
     
    [ent_scep_sig_nonrep Certificate Definitions]
    1=Nonrepudiation
     
    [ent_scep_sig_nonrep Nonrepudiation Extensions]
    keyusage=2.5.29.15,n,m,BitString,11
     
    [ent_scep_sig_nonrep Advanced]
    noUserInDirectory=1
    ; ----------------------------------------------------------------------
  6. Save and close the file.
  7. Import the certificate specifications back into Security Manager. In Security Manager Administration, select File > Certificate Specifications > Import.