
Installing the IdExMicro SCEP connector

Information about the IdExMicro is located here: SCEP Relay Service

Checklist

  • Signer certificate is installed in the computer (local machine) store: this is the PFX (private key and certificate) of the certificate that will sign, encrypt and decrypt SCEP requests.
  • Issuer certificate (IssuerCertificateSerialNumber): the PFX installed in the computer (local machine) store that is used to sign, encrypt and decrypt SCEP requests.
  • IDMS Operator certificate: the PFX that will log into the IDMS Web API.
  • The web.config allows a long URL by having, under <system.web>:
        <httpRuntime maxUrlLength="10999" maxQueryStringLength="2097151" />
    and under <system.webServer>:
        <security>
          <requestFiltering>
            <requestLimits maxUrl="10999" maxQueryString="2097151" />
          </requestFiltering>
        </security>



Certificate Setup:

IdExchangeInTune

The IssuerCertificateSerialNumber is configured to use the Issuing CA (not the root CA).

The SignerCertificateSerialNumber is configured to use an end-entity certificate that can both sign and encrypt.

The root CA of the CA that will be issuing certificates has a "Trusted Certificate" policy created. This policy is installed successfully on the mobile device.

The issuing CA (if a 2-tier CA) of the CA that will be issuing certificates has a "Trusted Certificate" policy created. This policy is installed successfully on the mobile device.

iOS SCEP Policy

If a 2-tier CA, the iOS SCEP policy is configured to use the Issuing CA (not the root CA).

If a single-tier CA, the iOS SCEP policy is configured to use the Root CA.


Microsoft IIS

Signing PFX installed in the Personal store of the computer (local machine) store on the server. This certificate will be used to sign the SCEP messages. Instructions are located here: Generating Scep Signing Certificates

Issuing certificate installed in the Trusted Root certificate store of the server. The SCEP service must return the issuing root CA certificate of the CA that will be used to issue the mobile credentials. Instructions are located here: Generating Client Certificates

IDMS operator PFX installed in the Personal store, with "credential issuer" as one of its roles in IDMS. The IdExMicro uses this certificate to connect to IDMS and transmit data.

Installation

1. Install the signing, issuing, and Web API certificates.

2. Install the IdExchange Microservice.

   Run the IdExMicroInstaller.exe.

3. Prepare IIS.

   Under the IDMS website create a new application. Name it "DeviceRegistration", then point the physical path to the installed Microservice folder.

4. Update the web.config to point to the appropriate PFX serial numbers.

   For certificate generation instructions, refer here: Generating Scep Signing Certificates

   Edit the "IssuerCertificateSerialNumber" to match the root certificate authority serial number.

   Edit the "SignerCertificateSerialNumber" to match the serial number of the user certificate that has permission to access the CA.

   Next, edit the "IdmsOperatorSerialNumber" to match the serial number of the user certificate that has permission to access the IDMS operator portal.

   Lastly, edit the "WebApiUrl" to point to the IDMS Web URL.

5. Go to IIS Manager and select Ignore certificates.

6. Test the connection by navigating to:

   http://localhost/DeviceRegistration/api/pkiclient.exe/?operation=GetCACaps

   This assumes HTTP on port 80 is used. Replace "localhost" with the server's domain name.
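The following pre-flight script checks steps 4 and 6 from the IIS server itself. It is an added example, not part of the IdExMicro installer or its documentation, and it assumes the four settings are stored as <appSettings> entries in the DeviceRegistration web.config and that the web.config path and test URL are adjusted to the server.

```powershell
# Added pre-flight check for the IdExMicro SCEP connector (example code, not the product's own).
# Assumption: the serial numbers and WebApiUrl live as <add key=... value=.../> under <appSettings>.
param(
    [string]$WebConfig = 'C:\inetpub\wwwroot\IDMS\DeviceRegistration\web.config',   # assumed path
    [string]$ScepUrl   = 'http://localhost/DeviceRegistration/api/pkiclient.exe/?operation=GetCACaps'
)

[xml]$cfg = Get-Content -Path $WebConfig -Raw

# 1. Request-size limits: both the ASP.NET and the IIS request-filtering values must be raised,
#    otherwise long SCEP GET requests are rejected before they reach the connector.
$rt = $cfg.configuration.'system.web'.httpRuntime
$rl = $cfg.configuration.'system.webServer'.security.requestFiltering.requestLimits
if ([int]$rt.maxUrlLength -lt 10999 -or [int]$rt.maxQueryStringLength -lt 2097151) {
    Write-Warning 'httpRuntime maxUrlLength/maxQueryStringLength are below the documented values'
}
if ([int]$rl.maxUrl -lt 10999 -or [int]$rl.maxQueryString -lt 2097151) {
    Write-Warning 'requestLimits maxUrl/maxQueryString are below the documented values'
}

# 2. Every certificate referenced by serial number must exist in the expected LocalMachine store.
function Find-CertBySerial([string]$Serial, [string]$Store) {
    # Normalise "ab:cd ef" style input to the uppercase hex string the store exposes.
    $clean = ($Serial -replace '[\s:]', '').ToUpperInvariant()
    Get-ChildItem -Path "Cert:\LocalMachine\$Store" | Where-Object { $_.SerialNumber -eq $clean }
}
$settings = @{}
foreach ($a in $cfg.configuration.appSettings.add) { $settings[$a.key] = $a.value }

# Signer and IDMS operator PFX files go in the Personal (My) store and need their private key.
foreach ($key in 'SignerCertificateSerialNumber', 'IdmsOperatorSerialNumber') {
    $c = Find-CertBySerial $settings[$key] 'My'
    if (-not $c)                   { Write-Warning "${key}: no certificate with serial $($settings[$key]) in LocalMachine\My" }
    elseif (-not $c.HasPrivateKey) { Write-Warning "${key}: certificate present but has no private key (PFX not imported?)" }
    else                           { "${key} OK: $($c.Subject), expires $($c.NotAfter)" }
}
# The issuer certificate is expected in the Trusted Root store; also look in the intermediate (CA) store.
$issuer = Find-CertBySerial $settings['IssuerCertificateSerialNumber'] 'Root'
if (-not $issuer) { $issuer = Find-CertBySerial $settings['IssuerCertificateSerialNumber'] 'CA' }
if (-not $issuer) { Write-Warning 'IssuerCertificateSerialNumber: certificate not found in LocalMachine\Root or \CA' }
else              { "Issuer OK: $($issuer.Subject), expires $($issuer.NotAfter)" }

# 3. Live check: GetCACaps should answer HTTP 200 with a plain-text list of SCEP capabilities.
try {
    $r = Invoke-WebRequest -Uri $ScepUrl -UseBasicParsing
    "GetCACaps HTTP $($r.StatusCode):`n$($r.Content)"
} catch {
    Write-Warning "GetCACaps request failed: $($_.Exception.Message)"
}
```

Run it from an elevated PowerShell session on the IIS server, since reading the LocalMachine stores and the site's web.config requires administrator rights.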
