PKI in the cloud with SCEPman Part 2
Hello everyone, this is another interesting post about a PKI environment in the cloud. This solution from Glueckkanja-gab runs completely in Azure and is great for moving to the cloud. PKI environments can require a lot of management, and setting up NDES is time consuming. This solution will save you a lot of time. This is part two of the series. If you missed the first part, please click on this link.
Configure Health Check settings
- We also need to create a Health Check so that we can configure alerts when the service is no longer responding. First you need to go to the App Service and scroll down to Health Check in the Monitoring section. When you click on Health Check it will first ask you to enable it. Click on Enable to activate the Health Check. Then we need to configure some settings. First fill in the path with the text /probe. Then click on Save; the App Service will need to restart.

- The Health Check is in place, so now we can configure the Alerts. First you need to go to the App Service and scroll down to Alerts in the Monitoring section. Here you can open the Alerts pane to configure the Alerts. Click on Create and then Alert rule. Now you can click on Add condition. Now an extra screen appears with Signal names. Here you can search for Health check status. Click on Health check status.

- Now we can configure the alert settings. First we need to switch the Threshold from Static to Dynamic. Change the Threshold Sensitivity to High. Select 15 minutes on the field of Look at data from the last. Now you can click on Next: Actions.

- The next part is the creation of the action group. There should be a button with Create action group. The right subscription and resource group are already selected. The region can be different for your environment. I will choose Global. You can then fill the two empty fields for Action group name and Display name. Then you can click on Next: Notifications.

- Change the Notification type to Email/SMS message/Push/Voice. Then a side window will come up. Here you can check Email and fill in your email address. Click on OK and then give the Notification Type a Name. After entering the name you click on Review + create and then on Create.

- There is a Details tab once you have created the action group. If you somehow closed the deployment, restart from steps 19 to 21 and select the existing Action group. Now click on the button Next: Details to fill in the last part of the alert configuration. Here you must choose the Severity 0 – Critical and give the Alert rule a name. Then click on Review + create and on Create to finish the deployment of the alert rule.

Configure Autoscaling (optional)
- This step is optional, but if you have a large environment it is recommended to configure Autoscaling so the SCEPman appliance scales automatically when needed. To configure Autoscaling you need to go to the App Service and click on Scale out (App Service plan) in the Settings section. First click on Custom autoscale. Then change the Autoscale setting name field. Change the scale mode and the Instance limits as in the following screenshot. After these changes you can click on Add a rule.

The following settings are recommended but your environment may need different settings. Always check your workload and adjust the settings when needed.
- When creating the Scale rule you only have to change the red marked part of the following image. We are now creating the Increase Instance Count Rule. After the changes have been made, you can click on Add.

- Now we are going to add an extra rule for decreasing the instance count. So you can click again on Add a rule. Then configure only the red marked part of the following image. When you are done you can click on Add. Then you can Save the configuration and Autoscaling is configured.

Configure Certificate profiles in Intune
- In this step we are going to configure certificate profiles for Windows 10 and later in Microsoft Intune. First we start with the Root certificate. You can download the Root certificate from the base URL of the App Service, as described in the topic Create Root certificate. Go to the Microsoft Intune portal and create a Configuration Profile for Windows 10 and later, choose Templates, click on Trusted certificate and click on Create. Now you can upload your .CER file and assign this profile to the same group as the SCEP certificate profile.
Assigning to the same group as the SCEP Certificate profile is important, or else the deployment of the SCEP Certificate will fail.

- Now we are going to configure the Device Certificates for SCEPman in Windows 10 or later. First you need to create a Configuration profile. Click on Windows 10 or later, then on Templates and search for SCEP. Now you will find SCEP certificate. Configure this profile as in the following picture. The last part of the SCEP Server URL should look something like this: https://scepman.contoso.com/certsrv/mscep/mscep.dll

- We also want to set up User Certificates with SCEPman in Windows 10 or later. You need to create a new Configuration profile as in the last step, but now we choose User as the Certificate type. Configure the profile as in the following picture. The last part of the SCEP Server URL should look something like this: https://scepman.contoso.com/certsrv/mscep/mscep.dll

- You can now test the enrollment of certificates on your device. Make sure the device is enrolled in Intune and you can reach the URL of SCEPman. These profiles can also be tested on enrolled VMs.
Checking on certificates in Windows
- Now we are going to check whether the certificates are pushed to the devices. First, we need to check that the profiles have been pushed. Then you can start certmgr.msc for the user certificates and certlm.msc for the local computer certificates. Just type the commands in the Windows search bar. Here you see the certificates in Windows, so you know that the deployment has worked.
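Instead of opening the two MMC consoles by hand, the same check can be scripted. The following PowerShell is an added example and not part of the original post or of SCEPman; the base URL and the issuer name it matches on are placeholders you must adjust, and the user store is read for the signed-in user while the machine store needs the script to run elevated to see every property.

```powershell
# Added example (not from the original post): verify SCEPman enrollment on a Windows device.
# Assumptions: base URL and issuer substring are placeholders; adjust them for your tenant.
$ScepmanBaseUrl = 'https://scepman.contoso.com'   # example URL from the post
$IssuerMatch    = 'SCEPman'                        # substring expected in the issuer DN (assumption)

# 1. Is the service reachable? The App Service health check uses /probe, so reuse it here.
try {
    $probe = Invoke-WebRequest -Uri "$ScepmanBaseUrl/probe" -UseBasicParsing -TimeoutSec 15
    Write-Host "SCEPman /probe returned HTTP $($probe.StatusCode)"
} catch {
    Write-Warning "SCEPman /probe not reachable: $($_.Exception.Message)"
}

# 2. The trusted-root profile must have landed first, otherwise the SCEP profile cannot succeed.
$roots = @(Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
           Where-Object { $_.Subject -match $IssuerMatch })
if ($roots.Count -eq 0) {
    Write-Warning "No trusted root matching '$IssuerMatch'; check the Trusted certificate profile assignment."
} else {
    $roots | ForEach-Object { Write-Host "Trusted root present: $($_.Subject) ($($_.Thumbprint))" }
}

# 3. Issued certificates: the user profile lands in CurrentUser\My, the device profile in LocalMachine\My.
foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    $certs = @(Get-ChildItem $store | Where-Object { $_.Issuer -match $IssuerMatch })
    if ($certs.Count -eq 0) { Write-Warning "No certificate issued by '$IssuerMatch' in $store"; continue }
    foreach ($cert in $certs) {
        # Build the chain against the local stores; a failure here usually means the root is missing.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chainOk  = $chain.Build($cert)
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        [pscustomobject]@{
            Store      = $store
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            HasKey     = $cert.HasPrivateKey   # must be true, or TLS/EAP auth with this cert fails
            DaysLeft   = $daysLeft             # negative means expired; Intune should renew before that
            ChainOk    = $chainOk
            ChainError = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        } | Format-List
    }
}
```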
More information
For more information about SCEPman and the pricing you can visit:
- The SCEPman website
- The Documentation of SCEPman
Final thoughts
This post was created to show that you can remove your on-prem PKI environment and use services in Azure with SCEPman. This setup could be handy for your Wi-Fi profiles and VPN connectivity. Having an on-prem PKI environment can mean a lot of management for your IT team, especially when you also need NDES. Setting up NDES in your PKI environment takes some time, and making the PKI environment redundant is also a time-consuming task. So, using services in Azure could save a lot of management time. I hope you enjoyed this post and feel free to ask questions in the comments.