Configure EJBCA Server

The following sections cover how to configure the EJBCA server.

Launch an EJBCA Enterprise Cloud Server from AWS

For instructions on how to deploy EJBCA Cloud from Amazon Web Services (AWS) and log in to the EJBCA Admin Web for the first time, refer to the EJBCA Cloud AWS Launch Guide.

Certificate Authority Set up

If you do not already have Certificate Authorities (CAs) configured in EJBCA, follow the EJBCA Enterprise Quick Start Guide to set up a 2 Tier CA Hierarchy.

Modify Workstation End Entity Profile

The Intune device certificates use an Organizational Unit in the Subject DN Attributes. Since this attribute was not added following the Create End Entity Profiles instructions in the EJBCA Cloud AWS Quick Start Guide, do the following to add the attribute in the Corporate Workspace End Entity Profile:

  1. Under RA Functions, select End Entity Profiles.

  2. Edit the Corporate Workspace EE Profile and under Subject DN Attributes, select the (OU) Organizational Unit field for subject DN, and click Add.

    images/download/attachments/143750705/image2019-10-1_17-45-39.png
  3. Click Save to save the Corporate Workspace End Entity Profile.

Configure SCEP

Follow the steps below to create a SCEP alias to issue certificates managed by Intune.

Create New SCEP Alias

To create a new SCEP alias:

  1. Login to EJBCA and click SCEP Configuration under System Configuration.

  2. Click Add .
    images/download/thumbnails/143750705/create_scep_1.png

  3. Specify a name for the new alias, in this example intune, and then click OK.

    images/download/attachments/143750705/create_scep_2.png


    images/s/-2y7bau/8703/189cb2l/_/images/icons/emoticons/warning.svg The alias name does not have to be intune - that name is used in this example to align with configuring EJBCA to integrate with Intune.

  4. The new SCEP alias is added to the list of aliases. Next, proceed to configure the Intune SCEP Alias.

Configure Intune SCEP Alias

To configure the newly created Intune SCEP alias:

  1. Click the intune SCEP alias.

    images/download/thumbnails/143750705/create_scep_3.png
  2. Click Switch to edit mode.

    images/download/attachments/143750705/create_scep_4.png
  3. Edit the SCEP alias settings according to the following:

    • Operational mode: Select RA.

    • Authenticate through Microsoft Intune: Select.

    • RA End Entity Profile: Select.

    • RA Certificate Profile: Select the Certificate Profile configured in the End Entity Profile.

    • RA CA Name: Select the Issuing CA configured in the End Entity Profile.

    • Application ID from Azure: Enter the ID obtained from following the procedure in Configure Intune.

    • Application API Secret from Azure: Enter the secret obtained from following the procedure in Configure Intune.

    • Intune Tenant: Specify the Intune Tenant which is the fully qualified domain name (FQDN) of the organization configured in Intune.
      images/s/-2y7bau/8703/189cb2l/_/images/icons/emoticons/warning.svg The following fields should be left blank/empty unless using EJBCA in a private Azure cloud such as the Federal gov cloud.

    • Azure Active Directory Auth URL: Azure Active Directory Authentication URL is for issuing the login token and must be specified if not using Azure public cloud for authentication, for example, https://login.microsoftonline.us/

    • Intune resource URL: Specify the token audience if not using Azure public cloud, for example, https://api.manage.microsoft.com/

    • Specific version of graph: The version of the graph URL. If left blank, the default is "v1.0". Note that the default graph API has changed to Microsoft Graph in EJBCA 7.9.

    • Graph resource URL: Auto discovery URL is only needed if not using Azure public cloud, for example, https://graph.microsoft.us
      images/download/attachments/143750705/Screen_Shot_2022-06-27_at_10.57.38.png

      The settings RA name generation scheme, RA name generation parameters, RA name generation prefix, and RA name generation postfix are left with the default values as depicted in the screenshot.

      A Proxy was not required for EJBCA to connect to Intune. If a proxy is required then specify the applicable fields.

      The Return full chain in GetCACert responses setting may need to be cleared in the alias, see SCEP RA Mode configuration values for more information.

  4. Click Save to store the Intune SCEP alias configuration.

Next Step: Configure Intune for Device Certificate Enrollment

Next, Configure Intune for Device Certificate Enrollment.