Getting started with Amazon Private Certificate Authority Connector for SCEP - Amazon Private Certificate Authority
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Getting started with Amazon Private Certificate Authority Connector for SCEP

Connector for SCEP is in preview release for Amazon Private CA and is subject to change.

With Amazon Private Certificate Authority Connector for SCEP, you can issue certificates from your private CA to SCEP-enabled devices and mobile device management (MDM) systems. When you create a connector, Amazon Private Certificate Authority creates a public SCEP URL from which you request certificates, and also provides information that you can use to integrate the connector into your MDM systems.

To issue certificates, you must create an Amazon Private Certificate Authority private CA, create a connector, and then configure your SCEP-enabled MDM systems and devices to request certificates from the connector.

Before you begin

The following tutorial guides you through the process of creating a connector for SCEP.

To follow this tutorial, you'll need a private CA and a SCEP-enabled device. You also must first fulfill the prerequisites listed in the Setting up Connector for SCEP section.

The following procedure shows you how to create a connector using the Amazon console.

Step 1: Create a connector

You'll create either a connector for general-purpose use or Connector for SCEP for Microsoft Intune. General-purpose connectors are designed for use with SCEP-enabled endpoints, and you manage the SCEP challenge passwords. Connector for SCEP for Microsoft Intune is for use with Microsoft Intune, and you manage the challenge passwords using Microsoft Intune.

General-purpose
To create a connector for general-purpose use

Sign in to your Amazon account and open the Connector for SCEP console at https://console.amazonaws.cn/pca-connector-scep/home.

  1. Choose Create connector.

  2. In the Create connector page, optionally give the connector a friendly name in the Name tag field. The name will be displayed in your list of connectors. If you wish, you can add more tags to the connector by selecting Add more tags. A tag is a label that you assign to an Amazon resource. Each tag consists of a key and an optional value. You can use tags to search and filter your resources or track your Amazon costs.

  3. Under Connector type, choose General-purpose.

  4. Under Private CA, choose the private CA to use with this connector. Or, create a new one by selecting Create private CA. Due to the inherent vulnerabilities in the SCEP protocol, we recommend using a private CA that's dedicated to this connector. If you created a new CA, when you finish creating it in Amazon Private CA, return to the Connector for SCEP console and refresh the list of private CAs. Your new private CA should be available for selection.

  5. Under Challenge password select Automatically generate challenge password. We’ll generate a static challenge password for you when we create this connector.

  6. Select Create connector.

Microsoft Intune
To create Connector for SCEP for Microsoft Intune

Sign in to your Amazon account and open the Connector for SCEP console at https://console.amazonaws.cn/pca-connector-scep/home.

  1. Choose Create connector.

  2. On the Create connector page, optionally give the connector a friendly name in the Name tag field. The name will be displayed in your list of connectors. If you wish, you can add more tags to the connector by selecting Add more tags. A tag is a label that you assign to an Amazon resource. Each tag consists of a key and an optional value. You can use tags to search and filter your resources or track your Amazon costs.

  3. Under Connector type, choose Microsoft Intune.

    1. For Application (client) ID, enter the application (client) ID from your Microsoft Entra ID app registration. For information about using Microsoft Intune with Connector for SCEP, see Using Connector for SCEP with MDM systems.

    2. For Directory (tenant) ID or primary domain, enter either the directory (tenant) ID or primary domain from your Microsoft Entra ID app registration.

  4. Under Private CA, choose the private CA to use with this connector. Or, create a new one by selecting Create private CA. Due to the inherent vulnerabilities in the SCEP protocol, we recommend using a private CA that's dedicated to this connector. If you created a new CA, when you finish creating it in Amazon Private CA, return to the Connector for SCEP console and refresh the list of private CAs. Your new private CA should be available for selection.

  5. Select Create connector.

Step 2: Copy connector details into your MDM system

After you create your connector, you'll need to copy the following details from the connector into your MDM system. To view a connector's details using the console, select the connector from the list on the Connectors for SCEP console page.

  • Public SCEP URL - This is the connector's endpoint from which your SCEP clients request certificates. Take care to provide this endpoint only to trusted entities.

  • (General-purpose) Challenge password - Under Challenge passwords, select the password that was automatically generated in the preceding procedure and then select View password to view it. To create an additional password, select Create password. Distribute passwords carefully, and only to highly trusted individuals and clients. A single challenge password can be used to issue any certificate, with any subject and SANs, and so should be handled with care.

  • (Microsoft Intune) Open ID values - If you're integrating with Microsoft Intune, you must copy the Open ID issuer, Open ID subject, and Open ID audience into your Microsoft Entra app registration's OpenID Connect (OIDC) credential. For more information, see Using Connector for SCEP with MDM systems.
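The two steps above expressed against the service API, as an added example that is not from the Amazon documentation. It assumes the boto3 `pca-connector-scep` client and the `create_connector`, `get_connector` and `create_challenge` operations with the field names shown (my understanding of the API, not confirmed by this page); the sample response is constructed. Note that through the API a general-purpose connector's challenge password is created with a separate call rather than automatically.

```python
"""Create a Connector for SCEP and extract the values an MDM needs (Step 2)."""
import time

# Constructed GetConnector response for an Intune connector (not real values).
SAMPLE_INTUNE = {
    "Type": "INTUNE", "Status": "ACTIVE",
    "Endpoint": "https://example-connector.invalid/scep",
    "OpenIdConfiguration": {"Issuer": "https://constructed-issuer.invalid",
                            "Subject": "constructed-subject",
                            "Audience": "api://constructed-audience"},
}

def mdm_settings(connector, challenge_password=None):
    """Map a 'Connector' object to the fields the page says to copy into the MDM."""
    if connector.get("Status") != "ACTIVE":  # endpoint is not usable until ACTIVE
        raise RuntimeError("connector not ready: %s %s" % (
            connector.get("Status"), connector.get("StatusReason")))
    settings = {"scep_url": connector["Endpoint"], "type": connector["Type"]}
    if connector["Type"] == "INTUNE":
        # Intune: OIDC values go into the Entra app registration, no password.
        oidc = connector["OpenIdConfiguration"]
        settings.update(issuer=oidc["Issuer"], subject=oidc["Subject"],
                        audience=oidc["Audience"])
    elif connector["Type"] == "GENERAL_PURPOSE":
        # General-purpose: the challenge password authorises any issuance.
        if not challenge_password:
            raise ValueError("general-purpose connectors need a challenge password")
        settings["challenge_password"] = challenge_password
    else:
        raise ValueError("unknown connector type %r" % connector["Type"])
    return settings

def create_and_collect(ca_arn, intune=None, region=None, timeout=600):
    """Create a connector, wait for ACTIVE, and return its MDM settings."""
    import boto3  # imported here so mdm_settings() stays usable offline
    client = boto3.client("pca-connector-scep", region_name=region)
    kwargs = {"CertificateAuthorityArn": ca_arn}
    if intune:  # (application_id, tenant_id_or_primary_domain) from Entra ID
        kwargs["MobileDeviceManagement"] = {
            "Intune": {"AzureApplicationId": intune[0], "Domain": intune[1]}}
    arn = client.create_connector(**kwargs)["ConnectorArn"]
    deadline = time.time() + timeout
    while True:
        connector = client.get_connector(ConnectorArn=arn)["Connector"]
        if connector["Status"] in ("ACTIVE", "FAILED") or time.time() > deadline:
            break
        time.sleep(10)
    password = None
    if connector["Type"] == "GENERAL_PURPOSE":
        password = client.create_challenge(ConnectorArn=arn)["Challenge"]["Password"]
    return mdm_settings(connector, password)
```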