Product Documentation

To create an iOS SCEP profile

Mar 06, 2014
  1. In the Device Manager web console, on the Policies tab under iOS, click Configurations.
  2. In the New Configuration menu, click Profiles and Settings > SCEP.
  3. In the SCEP Configuration Creation dialog box, enter the policy identifier (name), display name, company name, and an optional comment.
  4. Next, select the SCEP tab and then enter the following information:
    1. URL Base. Enter the address of the SCEP server, over HTTP or HTTPS, to define where SCEP requests are sent. Because the private key isn’t sent with the CSR, it may be safe to send the request unencrypted. However, if the one-time password is allowed to be reused, you should use HTTPS to protect the password.
    2. Instance Name. Any string that is understood by the SCEP server. For example, it could be a domain name like example.org. If a certificate authority has multiple CA certificates, this field can be used to distinguish which is required.
    3. Subject X.500 Name. An X.500 name, represented as an array of OID and value pairs. For example, /C=US/O=Apple Inc./CN=foo/1.2.5.3=bar would translate to: [ [ ["C", "US"] ], [ ["O", "Apple Inc."] ], ..., [ ["1.2.5.3", "bar" ] ] ]. OIDs can be represented as dotted numbers, with shortcuts for country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN).
    4. Subject Alternative Name Type. Select an alternative name type.
    5. Subject Alternative Name Value. The SCEP policy can specify an optional alternative name type that provides values required by the CA for issuing a certificate. You can specify a single string or an array of strings for each key. The values you specify depend on the CA you're using, but might include DNS name, URL, or email values.
    6. NT Principal Name. Used if the device is connecting to an NT network.
    7. Retries. Number of retries allowed if the user enters an incorrect password.
    8. Retry Delay. Duration of the lockout that applies after the maximum number of retries is exceeded.
    9. Challenge. A pre-shared secret.
    10. Key Size. The key size in bits, either 1024 or 2048.
    11. Use as digital signature. Specifies whether the certificate can be used for digital signatures. If someone uses the certificate to verify a digital signature, such as verifying whether a certificate was issued by a certificate authority, the SCEP server first verifies that the certificate can be used in this manner before using the public key to decrypt the hash.
    12. Use for key encipherment. Specifies whether the certificate can be used for key encipherment. If a server uses the public key in a certificate provided by a client to verify that a piece of data was encrypted using the private key, the server first checks whether the certificate can be used for key encipherment. If not, it fails the operation.
    13. SHA1/MD5 Fingerprint (hexadecimal string). If your CA uses HTTP, use this field to provide the fingerprint of the CA certificate, which the device uses to confirm authenticity of the CA response during enrollment. You can enter a SHA1 or MD5 fingerprint, or select a certificate to import its signature.
  5. Click Create.
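The following script is an added example, not part of this documentation or of Device Manager. It takes the values entered in the SCEP tab above (URL base, instance name, subject X.500 name, alternative names, challenge, key size, the two key-usage options, retries, retry delay and CA fingerprint), converts the slash-delimited subject into the nested array form shown in step 3, and assembles them into an Apple SCEP payload dictionary using Apple's documented payload keys (URL, Name, Subject, SubjectAltName, Challenge, Keysize, KeyType, KeyUsage, Retries, RetryDelay, CAFingerprint). How Device Manager stores these settings internally is not described on this page and is not assumed here; the hostnames and secrets in the sample are constructed placeholders. The `lint` function turns the caveats in the procedure (plain HTTP with a reusable password, HTTP without a CA fingerprint) into checks you can run before clicking Create.

```python
"""Assemble and sanity-check an iOS SCEP payload from the console's SCEP tab values.

Added example, not Device Manager code. Payload keys are Apple's SCEP payload keys;
sample hosts and secrets are constructed placeholders.
"""
import binascii
import plistlib
import re
from urllib.parse import urlparse

# Shortcut attribute types listed in the Subject X.500 Name field description.
SHORTCUTS = {"C", "L", "ST", "O", "OU", "CN"}


def parse_subject(subject: str) -> list:
    """Convert '/C=US/O=Apple Inc./CN=foo/1.2.5.3=bar' into [[["C","US"]], ...].

    Each slash-delimited component becomes one RDN holding a single
    [type, value] pair; the type is a shortcut or a dotted-number OID.
    """
    if not subject.startswith("/"):
        raise ValueError("subject must start with '/'")
    rdns = []
    for part in subject[1:].split("/"):
        attr_type, sep, value = part.partition("=")
        if not sep or not attr_type or not value:
            raise ValueError(f"malformed RDN component: {part!r}")
        if attr_type not in SHORTCUTS and not re.fullmatch(r"\d+(\.\d+)+", attr_type):
            raise ValueError(f"unknown attribute type: {attr_type!r}")
        rdns.append([[attr_type, value]])
    return rdns


def key_usage(signature: bool, encipherment: bool) -> int:
    """Apple's KeyUsage bitmask: 1 = digital signature, 4 = key encipherment."""
    return (1 if signature else 0) | (4 if encipherment else 0)


def normalize_fingerprint(fingerprint: str) -> bytes:
    """Accept 'AB:CD:..' or 'abcd..' hex and return the raw MD5 (16) or SHA1 (20) digest bytes."""
    raw = binascii.unhexlify(re.sub(r"[\s:]", "", fingerprint))
    if len(raw) not in (16, 20):
        raise ValueError("fingerprint must be an MD5 (128-bit) or SHA1 (160-bit) digest")
    return raw


def build_scep_payload(url, name, subject, san, challenge, key_size,
                       signature, encipherment, retries, retry_delay,
                       ca_fingerprint=None) -> dict:
    """Map the SCEP tab fields onto an Apple SCEP payload content dictionary."""
    if urlparse(url).scheme.lower() not in ("http", "https"):
        raise ValueError("URL base must be http or https")
    if key_size not in (1024, 2048):
        raise ValueError("key size must be 1024 or 2048")
    content = {
        "URL": url,
        "Name": name,
        "Subject": parse_subject(subject),
        "SubjectAltName": san,          # e.g. {"dNSName": ..., "ntPrincipalName": ...}
        "Challenge": challenge,
        "Keysize": key_size,
        "KeyType": "RSA",
        "KeyUsage": key_usage(signature, encipherment),
        "Retries": retries,
        "RetryDelay": retry_delay,
    }
    if ca_fingerprint:
        content["CAFingerprint"] = normalize_fingerprint(ca_fingerprint)
    return content


def lint(content: dict) -> list:
    """Checks derived from the caveats in the procedure; returns a list of warnings."""
    warnings = []
    scheme = urlparse(content["URL"]).scheme.lower()
    if scheme == "http" and "CAFingerprint" not in content:
        warnings.append("plain HTTP without a CA fingerprint: device cannot verify the CA response")
    if scheme == "http" and content.get("Challenge"):
        warnings.append("challenge sent over plain HTTP: use HTTPS if the one-time password can be reused")
    if content["Keysize"] < 2048:
        warnings.append("1024-bit RSA key: prefer 2048")
    if content["KeyUsage"] == 0:
        warnings.append("no key usage selected: certificate is usable for neither signing nor encipherment")
    return warnings


def example_payload() -> dict:
    """Constructed sample values standing in for what an admin types into the SCEP tab."""
    return build_scep_payload(
        url="https://scep.example.org/cgi-bin/pkiclient.exe",  # placeholder host
        name="example.org",
        subject="/C=US/O=Example Corp/CN=ios-device",
        san={"dNSName": "ios-device.example.org", "ntPrincipalName": "user@example.org"},
        challenge="one-time-password-placeholder",
        key_size=2048, signature=True, encipherment=True,
        retries=3, retry_delay=10,
        ca_fingerprint="AB:" * 19 + "AB",  # constructed 20-byte (SHA1-length) value
    )


if __name__ == "__main__":
    payload = example_payload()
    for warning in lint(payload):
        print("WARNING:", warning)
    print(plistlib.dumps(payload).decode())
```

Running the script prints the payload as a plist fragment, with the fingerprint emitted as a `<data>` element, and lists any warnings first; the sample configuration above produces none, whereas the same values over `http://` with the fingerprint omitted would trigger both HTTP-related warnings.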