Configure Okta as a CA with delegated SCEP challenge for Windows with MEM

Configuring a Certificate Authority (CA) allows you to issue client certificates to your targeted Windows devices. This topic describes how to generate a Simple Certificate Enrollment Protocol (SCEP) URL in Okta and create a SCEP profile with Microsoft Endpoint Manager (MEM).

Prerequisites

• Certificates that are deployed for digital signature, but not for other purposes (for example, encryption)

• Okta Admin Console

• Microsoft Endpoint Manager

  Microsoft Endpoint Manager is a solution platform that unifies several services. It includes Microsoft Intune for cloud-based device management, Configuration Manager for on-premises device management, Co-management, Desktop Analytics, Windows Autopilot, Azure Active Directory, and Endpoint Manager admin center. You can use this procedure if you're using any of these services. For example, you can use this procedure if you're using Microsoft Intune.

• Microsoft Azure

Start this Procedure

• Task 1: Register the AAD app credentials for Okta in Microsoft Azure

• Task 2: Configure management attestation and generate a SCEP URL in Okta

• Task 3: Download the x509 certificate from Okta

• Task 4: Create a Trusted Certificate profile in MEM

• Task 5: Create a SCEP profile in MEM

• Task 6: Verify the certificate installation on a Windows computer

Task 1: Register the AAD app credentials for Okta in Microsoft Azure

1. In Microsoft Azure, click App registrations.

2. Click + New registration.

3. On the Register an application page, enter the following:

   1. Name: Enter a meaningful name for the app.

   2. Supported account types: Select the appropriate supported account type. This procedure was tested with Accounts in this organizational directory only ([Your_Tenant_Name] only - Single tenant) selected.

   3. Redirect URI (optional): Leave blank, or select Web, and then enter a redirect URI.

   4. Click Register.

4. On the app page under Essentials, copy and make a note of the Application (client) ID.

   This value is required for the Okta Admin Console in Task 2.

   

5. Add a client secret:

   1. In the left pane, click Certificates & secrets.

   2. Under Client secrets, click + New client secret.

   3. In the Add a client secret section, enter the following:

      • Description: Optional. Enter a description for the client secret.

      • Expires: Select an expiration time period.

   4. Click Add.

      The secret appears under Client secrets.

   5. In the Client secrets section, copy and make a note of the Value.

      

6. Set the scep_challenge_provider permissions:

   1. In the left pane, click API permissions.

   2. Click + Add a permission.

   3. In the Request API permissions section, scroll down, and then click Intune.

   4. Under What type of permissions does your application require?, click Application permissions.

   5. In the Select permissions search field, enter scep, and then select the scep_challenge_provider checkbox.

      

   6. Click Add permissions.

   7. In the Configured permissions section, click PGrant admin consent for [Your_Tenant_Name].

      

   8. Click Yes in the message that appears.

7. Set the Microsoft Graph Application.Read.All permissions:

   1. Click + Add a permission.

   2. In the Request API permissions section, click Microsoft Graph.

   3. Under What type of permissions does your application require? click Application permissions.

   4. In the Select permissions search field, enter application, expand Application, and then select the Application.Read.All checkbox.

   5. Click Add permissions.

   6. In the Configured permissions section, click PGrant admin consent for [Your_Tenant_Name].

   7. Click Yes in the message that appears.

Task 2: Configure management attestation and generate a SCEP URL in Okta

1. In the Admin Console, go to SecurityDevice integrations.

2. Click the Endpoint management tab.

3. Click Add platform.

4. Select Desktop (Windows and macOS only).

5. Click Next.

6. Configure the following:

   1. Certificate authority: Select Use Okta as Certificate Authority.

   2. SCEP URL challenge type: Select Dynamic SCEP URL, and then select Microsoft Intune (delegated SCEP).

   3. Enter the values that you copied from Microsoft Azure into the following fields:

      • AAD client ID: Enter the value that you copied from Task 1.

      • AAD tenant: Enter your AAD tenant name, followed by .onMicrosoft.com.

      • AAD secret: Enter the secret value that you copied from Task 1.

   For example:

   

7. Click Generate.

8. Copy and save the Okta SCEP URL. This is pasted into the Microsoft Endpoint Manager in Task 5.

Task 3: Download the x509 certificate from Okta

1. In the Admin Console, go to SecurityDevice integrations.

2. Click the Certificate authority tab.

3. In the Actions column for Okta CA, click the Download x509 certificate icon.

4. Rename the downloaded file so that it includes a .cer extension.

   This certificate (CER) file is uploaded to Microsoft Endpoint Manager (MEM) in Task 4.

Task 4: Create a Trusted Certificate profile in MEM

1. In the Microsoft Endpoint Manager (MEM) admin center, go to Devices.

2. Click Configuration profiles.

3. Click + Create profile.

4. In Create a profile, do the following:

   1. Platform: Select Windows 10 and later.

   2. Profile type: Select Templates.

   3. In the Template name section, click Trusted certificate.

      

   4. Click Create.

5. On the Trusted certificate page Basics tab, do the following:

   1. Name: Enter a name for the certificate.

      

   2. Description: Optional. Enter a description for the certificate.

   3. Click Next.

6. On the Trusted certificate page Configuration settings tab, do the following:

   1. Certificate file: Select the x509 certificate (CER) file that you downloaded from Okta in Task 1.

   2. Destination store: Select Computer certificate store - Intermediate.

   3. Click Next.

7. On the Trusted certificate page Assignments tab, do the following:

   1. Included groups: Assign the trusted certificate profile to one or more user groups. The user groups must be the same as the groups where you assign the SCEP profile in Task 5.

      Make sure the user groups specified in both profiles are the same.

   2. Click Next.

8. On the Trusted certificate page Applicability Rules tab, do the following:

   1. Configure any required rules.

   2. Click Next.

9. On the Trusted certificate page Review + create tab, review the configuration, and then click Create.

Task 5: Create a SCEP profile in MEM

1. In the Microsoft Endpoint Manager admin center, go to Devices.

2. Click Configuration profiles.

3. Click + Create profile.

4. In Create a profile, enter the following:

   1. Platform: Select Windows 10 or later.

   2. Profile type: Select Templates.

   3. Under the Template name list, click SCEP certificate.

      

   4. Click Create.

5. On the SCEP certificate page Basics tab, do the following:

   1. Name: Enter a name for the certificate.

   2. Description: Optional. Enter a description for the certificate.

      

   3. Click Next.

6. On the SCEP certificate page Configuration settings tab, do the following:

   1. Certificate type: Select User.

   2. Subject name format: Enter a subject name. For example, CN={{UserPrincipalName}},G={{GivenName}},SN={{SurName}} ma (ma denotes management attestation).

      Okta has no specific format requirements for this field. You can use this field to indicate the certificate's purpose as a device management signal for Okta or use profile variables provided by MEM. For a list of supported variables, see Use SCEP certificate profiles with Microsoft Intune.

   3. Key storage provider (KSP): Select Enroll to Trusted Platform Module (TPM) KSP if present, otherwise Software KSP.

   4. Key usage: Select Digital signature.

   5. Key length: Select 2048.

   6. Hash algorithm: Select SHA-2.

   7. Click + Root Certificate.

   8. On the Root Certificate page, select the trusted certificate that you created in Task 4.

   9. Click OK.

   10. Under Extended key usage, set Predefined values to Client Authentication.

   11. SCEP Server URLs: Enter the SCEP URL that you generated in Task 2.

       

   12. Click Next.

7. On the SCEP certificate page Assignments tab, do the following:

   1. Assign the SCEP certificate to the same user groups to which you assigned the Trusted certificate profile in Task 4.

      Make sure the user groups specified in both profiles are the same.

   2. Click Next.

8. On the SCEP certificate page Applicability Rules tab, do the following:

   1. Configure any required rules.

   2. Click Next.

9. On the SCEP certificate page Review + create tab, review the configuration, and then click Create.

Task 6: Verify the certificate installation on a Windows computer

1. Verify the client certificate installation:

   1. On the Windows computer, click Start and type cert and then click Manage user certificates.

   2. Look in PersonalCertificates.

2. Verify the Certificate Authority:

   1. On the Windows computer, click Start and type cert and then click Manage user certificates.

   2. Look in Intermediate Certificate AuthorityCertificates.

   3. In Issued To, find and double-click Organization Intermediate Authority.

   4. Find Issuer: Organization Root Authority.

   If you don't find the certificate, check the logs as described in step 3.

3. Verify that the SCEP certificate was successfully installed:

   1. On the Windows computer, click Start, type Event, and then click Event Viewer.

   2. Look in Applications and Service LogsMicrosoftWindowsDeviceManagement-EnterpriseAdmin.

   3. In the General tab, find:

      • SCEP: Certificate installed successfully.

      • SCEP: Certificate request generated successfully

Next steps

Add an authentication policy rule for desktop