Traditional SCEP enrollment uses a static password for authentication. This static password is vulnerable to brute force attacks. Entrust worked with Microsoft Intune to co-develop a secure authentication mechanism for SCEP enrollment.
Certificate Enrollment Gateway can receive SCEP requests with a CSR (certificate signing request) from Windows clients, and send the CSR to Intune for validation.
Certificate Enrollment Gateway works with Intune as follows:
- Microsoft Intune pushes a certificate profile and SCEP challenge to a Windows client.
- The Windows client sends a SCEP request with a CSR from the Intune system to the Certificate Enrollment Gateway.
- During the validation process of the SCEP request, Certificate Enrollment Gateway sends the CSR to the Intune service to validate the CSR.
- If the CSR is valid:
  - Certificate Enrollment Gateway sends the CSR to Entrust CA Gateway, which forwards the CSR to the Managed CA for processing. A CA Gateway can issue digital certificates for one or more Certification Authorities (CAs); each of these CAs is called a Managed CA.
  - The Managed CA processes the request and issues a certificate for the device.
  - The Managed CA sends the certificate back to CA Gateway, which forwards the certificate back to Certificate Enrollment Gateway.
  - Certificate Enrollment Gateway returns the certificate to the Windows client, which imports the certificate into its certificate store.
- Upon success or failure, Certificate Enrollment Gateway calls the Intune system to relay the status information.
- With the certificate, the Windows client can access protected resources.
For more information about how non-Microsoft CAs work with Microsoft Intune, see the Microsoft documentation.