Windows Device SCEP Policy (CSP-based)

Updated yesterday

The Windows Device SCEP Policy (CSP-based) uses a Windows configuration service provider (CSP) to enroll and install the SCEP certificate in the device (machine) certificate store, so the certificate applies to the machine regardless of which user is logged in. It allows administrators to automatically deploy and manage SCEP (Simple Certificate Enrollment Protocol) certificates on Windows devices enrolled in Swif.ai. This policy is commonly used to distribute client certificates for Wi-Fi, VPN, Zero Trust authentication, and certificate-based device identity.

This policy supports both company-owned and BYOD Windows devices.


When to Use This Policy

Use this policy when you need your Windows devices to automatically request, install, and update certificates from a SCEP server such as:

  • Okta Device Identity SCEP

  • Microsoft NDES / Intune SCEP

  • Cisco Identity Services Engine (ISE)

  • EJBCA, JAMF, or custom PKI environments

  • Any RFC-compliant SCEP server

If your organization follows the Swif.ai guide for installing an Okta SCEP profile on Windows devices, this is the policy you will configure.

This policy ensures that the Windows device securely obtains a certificate from the SCEP server and stores it in the Windows certificate store.


Requirements

  • Windows 10 or later

  • A functioning SCEP server

  • SCEP server details (URL, challenge code, key usage settings, etc.)


Overview of Settings

Below are the configuration settings available in the Windows Device SCEP Policy (CSP-based).


SCEP Name

A friendly name for the certificate profile.
Example:

Okta SCEP

Retry Count

Number of retry attempts if enrollment is pending or fails.
Default: 3


Retry Delay

Delay in minutes between retry attempts.
Default: 5


Key Usage

Defines the certificate key usage bits, entered as a single decimal value (the sum of the required bits).

Example values:

  • 128 → Digital Signature

  • 160 → Digital Signature + Key Encipherment

Your SCEP server documentation will specify what is required.


Key Length

Private key length used in certificate creation.

Supported:

  • RSA 2048

  • RSA 4096


Hash Algorithm

Hashing algorithm used in certificate signing.

Supported:

  • SHA-1

  • SHA-2 family (SHA-256, SHA-384, SHA-512)

Multiple algorithms may be comma-separated.


Subject Name

The certificate subject (DN).

Example:

CN={deviceSerialNumber}, O=ExampleCorp, C=US

Subject Alternative Name (SAN)

Additional identifiers to include in the certificate.

Supports:

  • DNS:{hostname}

  • UPN:{email}

  • EMAIL:{email}

  • IP:{deviceIP}

Example:

DNS:{deviceHostname};UPN:{userPrincipalName}

Multiple entries must be separated by semicolons.


Valid Period

Specifies the certificate validity period unit:

  • Days

  • Months

  • Years

Valid Period Units

Numeric value corresponding to the selected period.

Example:

  • Valid Period = Years

  • Valid Period Units = 1
    → Certificate is valid for 1 year.


EKU Mapping

Extended Key Usage items.

Example:

1.3.6.1.5.5.7.3.2

(Used for client authentication)

Multiple EKUs are comma-separated.


Key Protection

Where to store and protect the private key.

Options:

  • Private key saved in software KSP

  • Private key saved in TPM KSP (if supported)


Server URL

One or more SCEP enrollment server URLs.
Separate multiple URLs with a semicolon.

Example:

https://scep.example.com/scep;https://backup-scep.example.com/scep

Challenge

The SCEP enrollment challenge (password/token).
Provided by your SCEP provider (Okta, NDES, etc.).

Example:

myScepSharedSecret123

CA Thumbprint

Used to validate the CA certificate during enrollment.
This must be the SHA-1 thumbprint in hex format.

Example:

e3a1f3b2c4d597ab88e27d2f5549eaab234fe312

If the device cannot match this thumbprint to the CA certificate returned by the server, enrollment fails.
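The field formats above (Key Usage bits, SAN entries, the hex CA thumbprint) and the Best Practices below can be checked offline before values are typed into the policy. The following validator is an added example written for this article, not Swif.ai or Windows code; the key-usage bit names beyond the two the page lists follow the standard X.509 KeyUsage encoding, and the policy dictionary keys are the example's own.

```python
import re

# X.509 KeyUsage bits in the decimal encoding this policy uses (128 = Digital Signature,
# 32 = Key Encipherment, so 160 = both), matching the page's example values.
KEY_USAGE_BITS = {128: "digitalSignature", 64: "nonRepudiation", 32: "keyEncipherment",
                  16: "dataEncipherment", 8: "keyAgreement", 4: "keyCertSign", 2: "cRLSign"}
SAN_TYPES = {"DNS", "UPN", "EMAIL", "IP"}          # prefixes the SAN field accepts


def decode_key_usage(value: int) -> list[str]:
    """Expand the decimal Key Usage field into named bits; unknown bits are rejected."""
    if value <= 0 or value & ~sum(KEY_USAGE_BITS):
        raise ValueError(f"unsupported key usage value {value}")
    return [name for bit, name in KEY_USAGE_BITS.items() if value & bit]


def normalize_thumbprint(raw: str) -> str:
    """Reduce a pasted CA thumbprint to 40 lowercase hex digits (SHA-1).
    Values copied from web consoles often carry spaces, colons or invisible marks
    such as U+200E, none of which can match a hex thumbprint on the device."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 40:
        raise ValueError(f"expected 40 hex digits (SHA-1), got {len(hexdigits)}")
    return hexdigits


def parse_san(raw: str) -> list[tuple[str, str]]:
    """Split the semicolon-separated SAN field into (type, value) pairs."""
    entries = []
    for item in (part.strip() for part in raw.split(";") if part.strip()):
        san_type, sep, value = item.partition(":")
        if not sep or san_type.upper() not in SAN_TYPES or not value:
            raise ValueError(f"malformed SAN entry: {item!r}")
        entries.append((san_type.upper(), value))
    return entries


def policy_warnings(policy: dict) -> list[str]:
    """Flag settings the policy accepts but the page's Best Practices advise against.
    The dictionary keys (hash_algorithm, key_protection, ...) are this example's own."""
    warnings = []
    if "SHA-1" in {h.strip().upper() for h in policy["hash_algorithm"].split(",")}:
        warnings.append("SHA-1 signing hash is obsolete; use SHA-256 or stronger")
    if "TPM" not in policy["key_protection"].upper():
        warnings.append("private key in software KSP; prefer TPM KSP where available")
    if policy["valid_period"] == "Years" and policy["valid_period_units"] > 1:
        warnings.append("validity exceeds 1 year")
    return warnings
```

Running `normalize_thumbprint` on a thumbprint copied from a browser is the quickest way to rule out the invisible-character cause of a "cannot match thumbprint" failure.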


How to Use This Policy (Example: Okta SCEP)

When integrating with Okta Identity Engine for device certificates:

  1. Configure Okta’s SCEP application.

  2. Obtain:

    • SCEP URL

    • CA Thumbprint

    • SCEP Shared Secret (Challenge)

  3. Create a new Windows Device SCEP Policy (CSP-based) in Swif.ai.

  4. Enter the above values in the policy fields.

  5. Assign the policy to your Windows device group.

  6. Devices will automatically enroll and install the certificate.


Troubleshooting

Certificate isn’t installing

  • Verify the SCEP URL is reachable from the device.

  • Ensure the CA thumbprint matches exactly.

  • Confirm the challenge value is valid.

  • Check Windows Event Viewer → Applications and Services Logs / Microsoft / Windows / CertificateServices-Client-CertEnroll.

Device repeatedly retries enrollment

  • Increase retry delay.

  • Ensure the SCEP server is not returning “pending” status for too long.

Certificate shows wrong subject or SAN

  • Review the subject and SAN formatting.

  • Confirm placeholders like {deviceHostname} are supported.


Best Practices

  • Use TPM-backed key protection for higher security when available.

  • Limit certificate validity to 1 year or less, following modern security recommendations.

  • Use multiple SCEP URLs for redundancy.

  • Use this policy with:

    • Wi-Fi EAP-TLS

    • VPN certificate authentication

    • Zero-trust device verification
