SCEP Payload
Description
This payload enrolls a certificate using the Simple Certificate Enrollment Protocol (SCEP).
To use it, you need a SCEP server that can issue certificates to the devices the payload is deployed to.

Configuration
| MANDATORY | CONFIGURATION | DESCRIPTION | EXAMPLE |
|---|---|---|---|
| Yes | Server URL | The base URL of the SCEP server. SCEP runs over plain HTTP: the enrollment messages themselves are signed and encrypted (PKCS#7), but the CA certificate the device downloads first is not authenticated by the transport, which is what the Fingerprint field below is for. | http://scep.example.com:1640/pkiclient.exe |
| No | Name | The CA identifier (CA-IDENT): any string the SCEP server understands, for example a domain name such as example.org. If the certificate authority has more than one CA certificate, this field selects which one is used. | My Certificate |
| Yes | Subject | An X.500 name, sent to the server as an array of OID/value pairs. For example, /C=US/O=Apple Inc./CN=foo/1.2.5.3=bar translates to [ [ ["C", "US"] ], [ ["O", "Apple Inc."] ], …, [ ["1.2.5.3", "bar"] ] ]. OIDs can be written as dotted numbers or with the shortcuts C (country), L (locality), ST (state), O (organization), OU (organizational unit) and CN (common name). | O=CapaSystems A/S, OU=Test |
| No | Challenge | The pre-shared secret used for automatic enrollment. It is embedded in the profile delivered to the device, so prefer a one-time or per-device challenge issued by the CA over a static password shared by every device. | |
| Yes | Key Size | The RSA key size in bits, either 1024 or 2048. Use 2048; 1024-bit RSA is deprecated and should only be chosen when a legacy CA cannot issue anything larger. | 2048 |
| Yes | Key Type | Currently always "RSA". | RSA |
| No | Use for digital signature and key encipherment | A bitmask describing the key usage: 1 is signing, 4 is encryption, 5 is both. Some certificate authorities, such as Windows CA, support only encryption or only signing in one certificate, not both. | |
| No | Subject Alternate Name Type | An optional SubjectAltName dictionary carrying the values the CA requires to issue the certificate. Each key may hold a single string or an array of strings. Which keys are needed depends on the CA, but they typically include DNS name, URL or email values. | |
| No | Fingerprint | The fingerprint of the CA certificate as a HEX string. It is the out-of-band check SCEP relies on: when set, the CA certificate retrieved from the server is verified against it before enrollment proceeds, so set it whenever the CA certificate is known in advance. | |
| | ONLY FOR IOS 12 OR NEWER | | |
| No | The number of times the device should retry | How many times enrollment is retried (for example while the server answers PENDING because the request awaits approval). Defaults to 3. | |
| No | The number of seconds to wait between subsequent retries | The delay between retries. The first retry is attempted without this delay. Defaults to 10. | |
| No | If set, all apps have access to the private key | Grants every app on the device access to the private key. The default is not set; leave it unset unless an app outside the managed set genuinely needs the key. | |
| No | If not set, the private key cannot be exported from the keychain | Controls whether the private key can be exported from the keychain. The default is set (exportable); clear it when the key should stay bound to the device. | |
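As an added example (this is not code from the page or from CapaSystems), the script below turns the settings in the table into an Apple SCEP payload: it parses the Subject string into the nested array form the table describes, validates the key size, key usage bitmask and fingerprint, and serialises the result as a configuration profile with plistlib. The profile key names (URL, Name, Subject, Challenge, Keysize, Key Type, Key Usage, SubjectAltName, CAFingerprint, Retries, RetryDelay, AllowAllAppsAccess, KeyIsExtractable, and the payload type com.apple.security.scep) come from Apple's Configuration Profile Reference rather than from this page; the server URL, subject, challenge and fingerprint used at the bottom are constructed sample input. Rejecting 1024-bit keys is a policy choice of this example, not a requirement of the payload.

```python
import plistlib
import re
import uuid

# Attribute shortcuts accepted in the Subject array; anything else must be a
# dotted-number OID such as 1.2.5.3.
SHORTCUTS = {"C", "L", "ST", "O", "OU", "CN"}
KEY_USAGE = {1: "signing", 4: "encryption", 5: "signing+encryption"}

# Split only at a '/' or ',' that is immediately followed by 'attr=' so that a
# value containing a slash (e.g. "CapaSystems A/S") is not cut in half.
_RDN_SPLIT = re.compile(r"\s*[/,]\s*(?=(?:[A-Za-z]+|\d+(?:\.\d+)+)=)")
_OID = re.compile(r"^\d+(?:\.\d+)+$")


def parse_subject(subject: str) -> list:
    """'/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar' or 'O=CapaSystems A/S, OU=Test'
    -> [[['C', 'US']], [['O', 'Apple Inc.']], ..., [['1.2.5.3', 'bar']]]"""
    rdns = []
    for part in _RDN_SPLIT.split(subject.strip()):
        if not part:
            continue  # a leading '/' produces an empty first element
        attr, sep, value = part.partition("=")
        attr, value = attr.strip(), value.strip()
        if not sep or not value:
            raise ValueError(f"malformed RDN: {part!r}")
        if attr.upper() in SHORTCUTS:
            attr = attr.upper()
        elif not _OID.match(attr):
            raise ValueError(f"unknown attribute type: {attr!r}")
        rdns.append([[attr, value]])
    if not rdns:
        raise ValueError("empty subject")
    return rdns


def build_scep_payload(url, subject, *, name=None, challenge=None,
                       key_size=2048, key_usage=5, subject_alt_name=None,
                       ca_fingerprint_hex=None, retries=3, retry_delay=10,
                       allow_all_apps_access=False, key_is_extractable=True):
    """Return the PayloadContent dictionary of one SCEP payload."""
    if key_size not in (1024, 2048):
        raise ValueError("Key Size must be 1024 or 2048")
    if key_size == 1024:
        # Policy choice of this example: 1024-bit RSA is deprecated.
        raise ValueError("1024-bit RSA keys are deprecated; use 2048")
    if key_usage not in KEY_USAGE:
        raise ValueError("Key Usage must be 1 (sign), 4 (encrypt) or 5 (both)")
    content = {
        "URL": url,
        "Subject": parse_subject(subject),
        "Keysize": key_size,
        "Key Type": "RSA",
        "Key Usage": key_usage,
        "Retries": retries,
        "RetryDelay": retry_delay,
        "AllowAllAppsAccess": allow_all_apps_access,
        "KeyIsExtractable": key_is_extractable,
    }
    if name:
        content["Name"] = name
    if challenge:
        content["Challenge"] = challenge
    if subject_alt_name:
        content["SubjectAltName"] = dict(subject_alt_name)
    if ca_fingerprint_hex:
        # Accept "ab:cd:..." or "abcd..."; plistlib writes bytes as <data>.
        fingerprint = bytes.fromhex(ca_fingerprint_hex.replace(":", "").replace(" ", ""))
        if not fingerprint:
            raise ValueError("empty CA fingerprint")
        content["CAFingerprint"] = fingerprint
    return content


def build_profile(payload_content, identifier="com.example.scep") -> bytes:
    """Wrap one SCEP payload in a minimal configuration profile (XML plist)."""
    scep_payload = {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".scep",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "SCEP",
        "PayloadContent": payload_content,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "SCEP enrollment",
        "PayloadContent": [scep_payload],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    # Constructed sample values; the challenge and fingerprint are placeholders.
    content = build_scep_payload(
        "http://scep.example.com:1640/pkiclient.exe",
        "O=CapaSystems A/S, OU=Test",
        name="My Certificate",
        challenge="one-time-challenge-issued-by-the-ca",
        ca_fingerprint_hex="0123456789abcdef0123456789abcdef01234567",
    )
    print(build_profile(content).decode())
```

Running the script prints the profile XML; the Challenge appears in it in clear text, which is the reason the table recommends a one-time challenge, and the CAFingerprint is emitted as a base64 `<data>` element rather than as the hex string typed into the UI.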
Read More