Configuring the certificate template on the SCEP server

Configure a certificate template on the SCEP server for use with IBM® MaaS360®.

Before you begin

If you already have a working template, use the instructions in this procedure to confirm that your template is configured correctly.

Procedure

  1. Log on to the Microsoft SCEP server with the SCEP Admin credentials.
  2. Open the Server Manager and select Tools > Certificate Authority. Select your Certificate Authority, right-click on Certificate Templates, and then click Manage.
  3. Right-click Computer > Duplicate Template.
    Note:
    • Do not duplicate a user template. Microsoft SCEP does not work with user templates.
    • If your template is based on a user template, create a new template based on the computer template.
    • Devices do not differentiate between a certificate from a user template and a device template. All certificates are treated as user certificates on the iOS device.
  4. From the Compatibility tab, select Windows Server 2016 as the minimum supported CA version. (Windows Server 2012 and 2012 R2 are reaching the end of Microsoft support. For more information, see https://learn.microsoft.com/en-us/lifecycle/announcements/windows-server-2012-r2-end-of-support.)
    The New Template Properties window is displayed.
  5. From the General tab, complete the following steps.
    1. Enter a template display name.
    2. Copy the template name (without spaces) to use later.
    3. Optional: Select Publish certificate in Active Directory.
  6. From the Request Handling tab, select the following options.
    • Select the Include symmetric algorithms allowed by the subject checkbox.
    • Allow private key to be exported.
  7. From the Subject Name tab, select Supply in the request.
    The Cloud Extender® template supplies the subject.
  8. From the Security tab, make sure that the following accounts exist and have the correct permissions (add the accounts if needed).
    Account                                                                      Permission
    Authenticated users                                                          Read
    SCEP Service Account (from Installing Microsoft NDES on a Windows server)    Read, Enroll
    Domain Administrators                                                        Read, Write, Enroll
    Enterprise Administrators                                                    Read, Write, Enroll
    Device Administrator (from Installing Microsoft NDES on a Windows server)    Read, Enroll
  9. From the Extensions tab, complete the following steps.
    1. Add Client Authentication and Server Authentication.
    2. Optional: Add Encrypting File System and MaaS360 Email.
    3. Confirm Subject Type = Computer for Certificate Template Information.
  10. Click Apply to close the template.
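
To confirm an existing or newly created template against the settings in this procedure, the following added example (not part of the IBM documentation) reads the template's attributes from Active Directory with PowerShell and reports each setting from steps 6 to 9. It assumes the ActiveDirectory (RSAT) module and read access to the configuration partition; the template name is a placeholder for the name copied in step 5.

```powershell
# Added example: compare a certificate template in AD with the settings in this procedure.
# Assumes the ActiveDirectory (RSAT) module; the template name is a placeholder.
Import-Module ActiveDirectory
$TemplateName = 'MaaS360Scep'   # placeholder: the name (without spaces) copied in step 5

$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$props    = 'flags', 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag',
            'msPKI-Private-Key-Flag', 'pKIExtendedKeyUsage', 'nTSecurityDescriptor'
$t = Get-ADObject -SearchBase $base -Properties $props `
        -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$TemplateName))"
if (-not $t) { throw "Template '$TemplateName' not found under $base" }

# Flag bits as documented in MS-CRTD; EKU OIDs are the standard PKIX values.
$checks = [ordered]@{
    'Step 6: include symmetric algorithms' = [bool]($t.'msPKI-Enrollment-Flag' -band 0x1)
    'Step 6: private key exportable'       = [bool]($t.'msPKI-Private-Key-Flag' -band 0x10)
    'Step 7: subject supplied in request'  = [bool]($t.'msPKI-Certificate-Name-Flag' -band 0x1)
    'Step 9: Client Authentication EKU'    = $t.pKIExtendedKeyUsage -contains '1.3.6.1.5.5.7.3.2'
    'Step 9: Server Authentication EKU'    = $t.pKIExtendedKeyUsage -contains '1.3.6.1.5.5.7.3.1'
    'Step 9: Subject Type = Computer'      = [bool]($t.flags -band 0x40)
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-40} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'CHECK' })
}

# Step 8: list every principal allowed to enroll, to compare with the permissions table.
# Matches the Certificate-Enrollment extended right, or an ACE covering all extended rights.
$enroll   = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$t.nTSecurityDescriptor.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $extRight) -and
        ($_.ObjectType -eq $enroll -or $_.ObjectType -eq [guid]::Empty)
    } |
    ForEach-Object { 'Enroll: {0}' -f $_.IdentityReference }
```

Authenticated users should not appear in the Enroll output. Because the template accepts a requester-supplied subject and carries Client Authentication, Enroll should stay limited to the accounts listed in step 8.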

What to do next

Enabling a new certificate template on the CA