To create an iOS SCEP profile
- In the Device Manager web console, on the
Policies tab under
- In the
New Configuration menu, click
- In the SCEP Configuration Creation dialog
box, enter the policy identifier (name), display name, company name, and an
- Next, select the
SCEP tab and then enter the following information:
- URL Base. Enter the address of the SCEP
server to define where SCEP requests will be sent, over HTTP or HTTPS. Because
the private key isn’t sent with the CSR, it may be safe to send the request
unencrypted. However, if the one-time password is allowed to be reused, you
should use HTTPS to protect the password.
- Instance Name. Any string that is
understood by the SCEP server. For example, it could be a domain name like
example.org. If a certificate authority has multiple CA certificates, this field
can be used to distinguish which is required.
- Subject X.500 Name. The representation
of a X.500 name represented as an array of OID and value. For example,
/C=US/O=Apple Inc./CN=foo/184.108.40.206=bar, which would translate to:
[ [ ["C", "US"] ], [ ["O", "Apple Inc."] ], ..., [
["220.127.116.11", "bar" ] ] ]
OIDs can be represented as dotted numbers, with
shortcuts for country (C), locality (L), state (ST), organization (O),
organizational unit (OU), and common name (CN).
- Subject Alternative Name Type. Select an
alternative name type.
- Subject Alternative Name Value. The SCEP
policy can specify an optional alternative name type that provides values
required by the CA for issuing a certificate. You can specify a single string
or an array of strings for each key. The values you specify depend on the CA
you're using, but might include DNS name, URL, or email values.
- NT Principal Name. Used if the device
is connecting to an NT network.
- Retries. Number of retries if user
enters an incorrect password.
- Retry Delay. Time interval after which
the lockout after maximum number of retries is exceeded.
- Challenge. A pre-shared secret.
- Key Size. The key size in bits, either
1024 or 2048.
- Use as digital signature. This allows
you to specify if you want the certificate to be used as a digital signature.
If someone is using the certificate to verify a digital signature, such as
verifying whether a certificate was issued by a certificate authority, the SCEP
server would verify that the certificate can be used in this manner prior to
using the public key to decrypt the hash.
- Use for key encipherment. This allows
you to specify if you want to certificate to be used for key encipherment. If a
server is using the public key in a certificate provided by a client to verify
that a piece of data was encrypted using the private key, the server would
first check to see if the certificate can be used for key encipherment. If not,
it would fail the operation.
- SHA1/MD5 Fingerprint (hexadecimal
string). If your CA uses HTTP, use this field to provide the
fingerprint of the CA certificate, which the device uses to confirm
authenticity of the CA response during enrollment. You can enter a SHA1 or
MD5 fingerprint, or select a certificate to import its signature.