I notice there is no password or other authorization information other than the SCEP URL being unique and difficult to guess. If someone has your SCEP URL could they enroll into your service without having any passphrase and obtain a certificate for your infrastructure? If the SCEP URL is the only thing authorizing enrollment creation, then it might be good to note that in the UI (please keep this URL private). I also assume that that URL is not embedded into the certs issued?

@keytos

8 ай бұрын

Hi thanks for your comment - while the experience seems simple, what happens in the backend is more complex; we talk about it at 4:30, but the gist is that each request has an encrypted password that is set by the MDM and EZCA (Intune sets their own, some MDM solutions only support a static password that is encrypted with the CA public key meaning that the CA is the only one that can access it, and some support dynamic challenge requests meaning that each specific request has it's own password set by the CA (this one is also encrypted), if you are interested, we have a full deep dive on how SCEP works in this video kzread.info/dash/bejne/lpVqrtSKesa5l9Y.html please let us know if you have other questions