In this post, we shall get an overview of certificate deployment via Intune and discuss the similarities and differences between SCEP ans PKCS
My name Saurabh Sarkar and I am an Intune engineer in Microsoft. I have a YouTube channel ‘EverythingAboutIntune’ and you can subscribe to the same to learn more about Microsoft Intune.
The concept of using certificates:
For any user to access any application, he has to go through 2 phase-
Authentication phase and Authorization phase.
#Authentication phase- User’s authenticity is checked (if the user is, who he claims to be)
#Authorization Phase- User is subjected to some conditions, and depending on the output we determine whether the user should be given access or not.
Conventionally authentication may that be to an App,Wifi,Vpn etc is done by username/password.
However to make this more seamless we introduced the concept of using a certificate for facilitating the authentication.
Advantages of using a certificate for authentication:
- Seamless authentication
- Remove the overhead for the user to enter the username , password.
- More secured
Of course the cert which the user is going to use to prove his authenticity has to come from a trusted location. (A trusted 3rd party CA or on-prem CA).
Certificate deployment via Intune
Via Intune we can push 2 kinds of certificate to devices.
- PKCS and SCEP
- Both have its own advantages and disadvantages but are more or less used to achieve the same usecase- i.e. seamless authentication
In both the cases, the end goal is-
Delivering a certificate from an on-premise CA in the intranet to a device present anywhere in the world over the internet. The device can then leverage this cert for any purpose.
- Simple Certificate Enrollment Protocol.
- Protocol used for issuance of a cert,originally developed by CISCO
- Based on Request/Response model based on http like Get and Post
- The cert has the private key but the private key is not marked as exportable.
- Which means that the private key never leaves the device which makes SCEP more secured than PKCS
- A SCEP cert can be issued to a user/device or an userless device.
- Public Key Cryptography Standard
- PKCS 12<=> PFX.
- Initially developed by MS, now an open standard.
- The private key is exportable
I have written a Microsoft blog which explains why a PKCS certificate cannot be issued to a userless device. (like a DEP device without user affinity) You may refer to it below-
Lets do a comparison between both:
COMPARISON BETWEEN PKCS AND SCEP:-
|Can be deployed via Intune
|Can be deployed via Intune
|Used for seamless auth to VPN, Wifi
|Used for seamless auth VPN, Wifi
|Can be issued to a user (who enrolled the device) or any device attribute
|A SCEP cert can be issued to a user (who enrolled the device) or any device attribute
|Less secured as Private key is marked as exportable
|More secured- private key never leaves the device
|Cannot be issued to a userless device.
|Can issue certificate to userless devices as well- DEP without useraffinity
|Less overhead as only the Intune Connector needs to be installed
|More overhead as we need a new server (NDES), IIS, App proxy and Intune connector
|Less complex to setup due to smaller footprint
|More complex to setup due to larger footprint
|Device talks only to the Intune service which acts as a mediator
|Device talks to the NDES via App Proxy
|Can be loadbalanced but its not very seamless
|Can be loadbalanced more seamlessly
Which one to use.!?
This would be the most FAQ that I get as far as setting up the cert deployment via Intune is concerned.
As seen above in the comparison, both has its advantages and disadvantages.
- On one hand PKCS is easier to deploy and has less components involved. However SCEP is more secured but has an added overhead of more components as illustrated above.
- Both the certs can be used to achieve seamless auth to Wifi and VPN (except PKCS can be used in case of an userless device).
My personal recommendation would be- To use SCEP if we can afford the added infra overhead given it is more secured and can be deployed to userless devices unlike PKCS
- If not, then PKCS would suffice in most of the use cases.
- However its always a safe bet to discuss this with the networking folks and the CA admin to see what kind of certificate they are looking for, which the RADIUS server would authenticate.
- We have to remember that Intune is a delivery mechanism responsible for (in this case) delivering a certificate. Once the cert is down to the device, its pretty much upto the device to present it in order to prove its authenticity.
For more details on SCEP setup/troubleshooting/flow/demo kindly refer to my below demonstration on the same in my Youtube channel
For more details on PKCS setup/troubleshooting/flow/demo, kindly refer to my below demonstration of the same in my Youtube channel