SCEP configuration (Windows Mobile policy)

With the SCEP configuration you enable devices to request certificates from a Certificate Authority using the Simple Certificate Enrollment Protocol (SCEP).

Setting/Field

Description

Description

A description for the configuration.

URL

The web address of the Certificate Authority server.

Use the variable %_SCEPPROXYURL_% to refer to the server URL that is configured on the SCEP tab of the System setup page.

Subject

The name of the entity (for example person or device) that will receive the certificate.

You can use placeholders for user data or device properties.

The value that you enter (with placeholders replaced by the actual data) must be a valid X.500 name.

For example:

  • Enter CN=%_USERNAME_% to specify a user.
  • Enter CN=%_DEVPROP(serial_number)_% to specify a device.

For information on available placeholders, see Placeholders in profiles and policies.

Subject Alternative Name

Optionally, configure one or more Subject Alternative Name (SAN) values.

Click Add and then enter a SAN type and a SAN value.

Challenge

The web address to obtain a challenge password from the SCEP server.

Use the variable %_CACHALLENGE_% to refer to the challenge URL that is configured on the SCEP tab of the System setup page.

Root certificate

The CA certificate.

Select the certificate from the list. The list contains all certificates that you have uploaded in Root certificate configurations of the current profile.

Retries

The number of retries if the server sends a response of type pending.

Retry delay

The number of seconds between retries.

Key size

The size of the public key in the issued certificate.

Make sure that the value matches the size configured on the SCEP server.

Use as digital signature

If you select this check box, the public key can be used for digital signatures.

Use for encryption

If you select this check box, the public key can be used for data encryption.

Hash algorithm

Select one or more hash algorithms that are supported by the SCEP server.

Warning: We recommend that you don't use the SHA-1 algorithm because it is considered unsafe.
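The Subject setting above requires a valid X.500 name after placeholders are replaced, and user or device data containing characters such as "," or "+" can break that. The following is an added example, not code from the product: it renders a Subject template and checks that the result parses as a name. The function names, the sample data, and the assumption that substituted values are inserted verbatim unless escaped are all hypothetical; the page does not say how the product handles escaping.

```python
import re

# Placeholder syntax as it appears on this page: %_NAME_% or %_DEVPROP(key)_%
PLACEHOLDER = re.compile(r"%_([A-Z]+)(?:\(([^)]*)\))?_%")
# One "type=value" attribute; the value may hold backslash-escaped characters
ATTR = re.compile(r'\s*([A-Za-z][A-Za-z0-9-]*)=((?:\\.|[^\\,+"<>;])+)')

def escape_value(value):
    """Escape RFC 4514 special characters so the value stays one attribute."""
    out = re.sub(r'([\\,+"<>;])', r"\\\1", value)
    if out.endswith(" "):          # a trailing space must be escaped
        out = out[:-1] + "\\ "
    if out.startswith(("#", " ")):  # so must a leading "#" or space
        out = "\\" + out
    return out

def render_subject(template, user, device, escape=True):
    """Replace placeholders with user data or device properties."""
    def substitute(match):
        name, key = match.groups()
        value = device[key] if name == "DEVPROP" else user[name]
        return escape_value(value) if escape else value
    return PLACEHOLDER.sub(substitute, template)

def parse_dn(dn):
    """Return [(type, value), ...] or raise ValueError if dn is malformed.
    Simplified check: hex-pair escapes and quoted values are not handled."""
    pairs, pos = [], 0
    while True:
        match = ATTR.match(dn, pos)
        if not match:
            raise ValueError(f"invalid name at offset {pos}: {dn[pos:]!r}")
        value = re.sub(r"\\(.)", r"\1", match.group(2))  # undo escaping
        pairs.append((match.group(1).upper(), value))
        pos = match.end()
        if pos == len(dn):
            return pairs
        if dn[pos] not in ",+":
            raise ValueError(f"unexpected {dn[pos]!r} at offset {pos}")
        pos += 1

# Constructed sample data, not taken from a real directory or device
USER = {"USERNAME": "Doe, John"}
DEVICE = {"serial_number": "R58M+1234"}

def check(template, escape=True):
    """Render the subject, then parse it; returns the parsed attributes."""
    return parse_dn(render_subject(template, USER, DEVICE, escape))
```

With the constructed data, `check("CN=%_USERNAME_%")` returns a single CN attribute, while `check("CN=%_USERNAME_%", escape=False)` raises `ValueError` because the unescaped comma splits the name.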