Configure your MDM system for Connector for SCEP
Simple Certificate Enrollment Protocol (SCEP) is a standard protocol used for certificate enrollment and renewal. Connector for SCEP is an RFC 8894
Connector for SCEP offers two types of connectors—general-purpose and Connector for SCEP for Microsoft Intune. The following sections describe how they work, and how to configure your MDM system to use them.
General-purpose connector
A general-purpose connector is designed to work with mobile device endpoints that support SCEP, except for Microsoft Intune, which has a dedicated connector. With general-purpose connectors, you manage the SCEP challenge passwords. The following diagram uses a mobile device management (MDM) system as an example, but the same functionality applies to analogous SCEP-enabled systems or devices.
1. The MDM system (or analogous device or system) sends a SCEP profile to the mobile client. A SCEP profile contains configuration parameters that define the certificate profile, such as certificate validity period, challenge password, and other information relevant to the issuance of certificates.
2. The mobile client requests a certificate and also sends a certificate signing request (CSR) that includes a challenge password.
3. Connector for SCEP validates the challenge password. If it's valid, then the service requests a certificate from AWS Private CA on behalf of the mobile client.
4. AWS Private CA issues the certificate and sends it to Connector for SCEP.
5. Connector for SCEP sends the issued certificate to the mobile client.
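Because the general-purpose connector leaves challenge-password management to you, the following added example (not AWS or Connector for SCEP code) shows one way the MDM side can issue per-device, single-use, time-limited challenge passwords and how the check in step 3 can be performed against them. The CSR is modelled as a plain dict keyed by the PKCS#9 challengePassword OID rather than a real PKCS#10 structure, and the clock is injectable so the expiry behaviour can be exercised deterministically; names such as `ChallengePasswordStore` and `handle_scep_request` are assumptions for this example.

```python
import hashlib
import hmac
import secrets
import time

# PKCS#9 challengePassword attribute OID that a real SCEP CSR carries; here the
# CSR is a plain dict using this OID as a key (simplification for the example).
CHALLENGE_PASSWORD_OID = "1.2.840.113549.1.9.7"


class ChallengePasswordStore:
    """MDM-side store of per-device, single-use, expiring SCEP challenge passwords."""

    def __init__(self, ttl_seconds=600, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock      # injectable for deterministic tests
        self._records = {}       # device_id -> [sha256 digest, expiry, used]

    def issue(self, device_id):
        """Generate a fresh random challenge for one device; goes into its SCEP profile."""
        password = secrets.token_urlsafe(32)
        digest = hashlib.sha256(password.encode()).digest()
        # Only the digest is stored, so a leaked store does not yield usable challenges.
        self._records[device_id] = [digest, self._clock() + self._ttl, False]
        return password

    def validate(self, device_id, presented):
        """Step-3 check: bound to the device, constant-time, single-use, time-limited."""
        rec = self._records.get(device_id)
        if rec is None:
            return False
        digest, expires_at, used = rec
        if used or self._clock() > expires_at:
            return False
        if not hmac.compare_digest(digest, hashlib.sha256(presented.encode()).digest()):
            return False
        rec[2] = True            # burn the challenge so a replayed CSR is rejected
        return True


def handle_scep_request(store, csr):
    """Decide whether the connector should forward this CSR to the CA or reject it."""
    device_id = csr.get("subject_cn", "")
    presented = csr.get(CHALLENGE_PASSWORD_OID, "")
    if store.validate(device_id, presented):
        return "forward-to-ca"
    return "reject"
```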
AWS Private CA Connector for SCEP for Microsoft Intune
AWS Private CA Connector for SCEP for Microsoft Intune is designed for use with Microsoft Intune. With the Connector for SCEP for Microsoft Intune connector type, you'll use Microsoft Intune to manage your SCEP challenge passwords. For more information about using Connector for SCEP with Microsoft Intune, see Configure Microsoft Intune for Connector for SCEP.
To use Connector for SCEP with Microsoft Intune, you must enable specific functionalities using the Microsoft Intune API, and possess a valid Microsoft Intune license. You should also review the Microsoft Intune® App Protection Policies
1. Microsoft Intune sends a SCEP profile to the mobile client. The profile contains an encrypted challenge password that the mobile client places into the CSR.
2. The mobile client requests a certificate and sends the CSR to Connector for SCEP.
3. Connector for SCEP sends the CSR to Microsoft Intune for authorization.
4. Microsoft Intune decrypts the challenge password in the CSR. If it's valid, Microsoft Intune sends approval to Connector for SCEP to issue the certificate to the mobile client.
5. Connector for SCEP requests a certificate from AWS Private CA on behalf of the mobile client.
6. AWS Private CA issues the certificate and sends it to Connector for SCEP.
7. Connector for SCEP sends the issued certificate to the mobile client.