Certificate Enrollment Gateway authenticates to Microsoft Intune using a client secret (also called an application key). Client secrets are created in Intune, and will expire after a configurable amount of time, such as two years. If the client secret used by Certificate Enrollment Gateway expires, Certificate Enrollment Gateway cannot authenticate to Intune, and therefore can no longer issue certificates to SCEP clients.

Intune allows you to create multiple client secrets. Before a client secret used by Certificate Enrollment Gateway expires, you should create a new client secret in Intune, and then change the application key in Certificate Enrollment Gateway. Certificate Enrollment Gateway can then use the updated application key to authenticate to Intune.

To generate a new client secret

  1. Log in to the Microsoft Azure portal.
  2. Under Azure services, click Azure Active Directory.
  3. Click App Registrations.
  4. Select the application you created earlier for the CEG Service.
  5. Click Certificates & secrets.
  6. Click New client secret. The Add a client secret page appears.
  7. For Description, enter a description of the client secret.
  8. For Expires, select a lifetime for the client secret.
  9. Click Add. The client secret is displayed under the Client secrets pane.
  10. Record the client secret. For example:

    abcdefghijklmnopqrstuvwxyz123456

    The client secret is also known as the Application Key. You need this value to update the application key used by Certificate Enrollment Gateway to connect to Microsoft Intune.

To update Certificate Enrollment Gateway to use the new application key

  1. Log in to the Management Console as explained in Logging into the Management Console.
  2. In the Certificate Enrollment Gateway pane, click Manage Solution.
    A Certificate Enrollment Gateway page appears.
  3. In the left navigation bar, click Configuration.
    A Product Configuration pane appears.
  4. Turn on Enable Advanced Configuration.
  5. Click Next.
  6. For the Intune settings (see Intune), update each Registered Azure Application Key (Client Secret) setting to use the new application key (client secret) value.
  7. After configuring the settings, click Validate to validate the settings.
    If any configuration errors are detected, correct the errors then click Validate again.
  8. After validating the configuration settings, click Next.
    Entrust PKI Hub uploads the configuration and any attached files, such as P12 credentials.
  9. In the Product Deployment Status pane, re-deploy Certificate Enrollment Gateway with the updated configuration file by clicking Deploy.
    A dialog box appears, prompting you to confirm the operation. Click Yes to confirm the operation and deploy the Certificate Enrollment Gateway solution.
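Because an expired client secret stops SCEP issuance outright, it is worth checking the CEG app registration's secrets before they lapse rather than discovering the expiry from failed enrollments. The following is an added example, not Entrust or Microsoft code: it assumes the Microsoft Graph passwordCredentials field names (keyId, hint, endDateTime) and runs against a constructed sample instead of a live Graph call; the three-character hint lets you tell which secret CEG is configured with without handling the secret itself.

```python
import json
from datetime import datetime

# Constructed sample in the shape Microsoft Graph returns for an app registration
# (GET /applications/{id}). The secret value itself is never returned after
# creation; only the three-character "hint" identifies each secret.
SAMPLE_APP_JSON = """
{
  "displayName": "CEG Service (constructed sample)",
  "passwordCredentials": [
    {"keyId": "11111111-1111-1111-1111-111111111111", "displayName": "CEG secret 2022",
     "hint": "abc", "startDateTime": "2022-06-01T00:00:00Z", "endDateTime": "2024-06-01T00:00:00Z"},
    {"keyId": "22222222-2222-2222-2222-222222222222", "displayName": "CEG secret 2024",
     "hint": "xyz", "startDateTime": "2024-05-15T00:00:00Z", "endDateTime": "2026-05-15T00:00:00Z"}
  ]
}
"""

def parse_graph_time(value):
    # Graph timestamps are ISO 8601 with a trailing "Z"; older Pythons need "+00:00".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def classify_secrets(app_json, now_iso, warn_days=30):
    """One record per client secret with the days left and a status of
    'expired', 'expiring' (within warn_days) or 'ok'."""
    now = parse_graph_time(now_iso)
    results = []
    for cred in json.loads(app_json).get("passwordCredentials", []):
        days_left = (parse_graph_time(cred["endDateTime"]) - now).days
        if days_left < 0:
            status = "expired"
        elif days_left <= warn_days:
            status = "expiring"
        else:
            status = "ok"
        results.append({"keyId": cred["keyId"], "hint": cred.get("hint", ""),
                        "displayName": cred.get("displayName", ""),
                        "days_left": days_left, "status": status})
    return results

def needs_new_secret(app_json, now_iso, warn_days=30):
    """True when no secret on the registration still has more than warn_days left,
    i.e. it is time to create a new client secret in Intune and update CEG."""
    return all(r["status"] != "ok" for r in classify_secrets(app_json, now_iso, warn_days))
```

Run `classify_secrets` against the JSON of the registration selected in step 4 of the first procedure; a result of `needs_new_secret(...) == True` means the two procedures above should be carried out before the remaining secret expires.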