
Windows SCEP Certificate Policy

Updated yesterday

The Windows SCEP Certificate Policy allows administrators to automatically deploy and manage SCEP (Simple Certificate Enrollment Protocol) certificates on Windows devices enrolled in Swif.ai. This policy is commonly used to distribute client certificates for Wi-Fi, VPN, Zero Trust authentication, and certificate-based device identity.

This policy supports both company-owned and BYOD Windows devices.


When to Use This Policy

Use this policy when you need your Windows devices to automatically request, install, and update certificates from a SCEP server such as:

  • Okta Device Identity SCEP

  • Microsoft NDES / Intune SCEP

  • Cisco Identity Services Engine (ISE)

  • EJBCA, JAMF, or custom PKI environments

  • Any RFC-compliant SCEP server

If your organization follows the Swif.ai guide for installing an Okta SCEP profile on Windows devices, this is the policy you will configure.

This policy ensures that the Windows device securely obtains a certificate from the SCEP server and stores it in the Windows certificate store.


Requirements

  • Windows 10 or later

  • A functioning SCEP server

  • SCEP server details (URL, challenge code, key usage settings, etc.)


Overview of Settings

Below are the configuration settings available in the Windows SCEP Certificate Policy.


SCEP Name

A friendly name for the certificate profile.
Example:

Okta SCEP

Retry Count

Number of retry attempts if enrollment is pending or fails.
Default: 3


Retry Delay

Delay in minutes between retry attempts.
Default: 5


Key Usage

Defines the certificate key usage bits.

Example values:

  • 128 → Digital Signature

  • 160 → Digital Signature + Key Encipherment

Your SCEP server documentation will specify what is required.


Key Length

Private key length used in certificate creation.

Supported:

  • RSA 2048

  • RSA 4096


Hash Algorithm

Hashing algorithm used in certificate signing.

Supported:

  • SHA-1

  • SHA-2 family (SHA-256, SHA-384, SHA-512)

Multiple algorithms may be comma-separated.


Subject Name

The certificate subject (DN).

Example:

CN={deviceSerialNumber}, O=ExampleCorp, C=US

Subject Alternative Name (SAN)

Additional identifiers to include in the certificate.

Supports:

  • DNS:{hostname}

  • UPN:{email}

  • EMAIL:{email}

  • IP:{deviceIP}

Example:

DNS:{deviceHostname};UPN:{userPrincipalName}

Multiple entries must be separated by semicolons.


Valid Period

Specifies the certificate validity period unit:

  • Days

  • Months

  • Years

Valid Period Units

Numeric value corresponding to the selected period.

Example:

  • Valid Period = Years

  • Valid Period Units = 1
    → Certificate is valid for 1 year.


EKU Mapping

Extended Key Usage items.

Example:

1.3.6.1.5.5.7.3.2

(Used for client authentication)

Multiple EKUs are comma-separated.


Key Protection

Where to store and protect the private key.

Options:

  • Private key saved in software KSP

  • Private key saved in TPM KSP (if supported)


Server URL

One or more SCEP enrollment server URLs.
Separate multiple URLs with a semicolon.

Example:

https://scep.example.com/scep;https://backup-scep.example.com/scep

Challenge

The SCEP enrollment challenge (password/token).
Provided by your SCEP provider (Okta, NDES, etc.).

Example:

myScepSharedSecret123

CA Thumbprint

Used to validate the CA certificate during enrollment.
This must be the SHA-1 thumbprint in hex format.

Example:

e3a1f3b2c4d597ab88e27d2f5549eaab234fe312

If the device cannot match this thumbprint to the CA certificate returned by the server, enrollment will fail.
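The field rules above (Key Usage bit values, comma-separated hash algorithms, semicolon-separated SAN entries and server URLs, a 40-character SHA-1 thumbprint) are easy to get subtly wrong in a form, and a bad value only shows up later as a failed enrollment. The following PowerShell function is an added pre-flight check written for this article; it is not Swif.ai code and does not talk to Swif.ai or to any SCEP server. It takes the values you intend to enter, decodes the Key Usage integer into the usages it actually enables, and reports formatting problems. The parameter names mirror the policy fields; the sample values at the bottom are constructed and match the examples in this article.

```powershell
# Added example (not Swif.ai code): sanity-check Windows SCEP Certificate Policy
# values before saving the policy. Nothing here contacts a server.
function Test-ScepPolicyValues {
    [CmdletBinding()]
    param(
        [int]    $KeyUsage,
        [int]    $KeyLength,
        [string] $HashAlgorithm,
        [string] $SubjectName,
        [string] $SubjectAltName,
        [string] $ServerUrl,
        [string] $CAThumbprint
    )

    $problems = New-Object System.Collections.Generic.List[string]

    # Key Usage is a bit field: 128 = Digital Signature, 32 = Key Encipherment,
    # so 160 enables both. Report which bits the integer turns on.
    $usageNames = @{ 128 = 'Digital Signature'; 64 = 'Non-Repudiation';
                     32  = 'Key Encipherment';  16 = 'Data Encipherment' }
    $enabled = @($usageNames.Keys | Where-Object { ($KeyUsage -band $_) -ne 0 } |
                 ForEach-Object { $usageNames[$_] })
    if ($enabled.Count -eq 0) { $problems.Add("KeyUsage $KeyUsage enables no recognised usage bit") }

    # Only RSA 2048 and RSA 4096 are listed as supported key lengths.
    if ($KeyLength -notin 2048, 4096) { $problems.Add("KeyLength $KeyLength is not RSA 2048 or 4096") }

    # Hash algorithms are comma-separated; SHA-1 is accepted but worth flagging.
    $allowedHashes = 'SHA-1', 'SHA-256', 'SHA-384', 'SHA-512'
    foreach ($h in ($HashAlgorithm -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        if ($h -notin $allowedHashes) { $problems.Add("Unsupported hash algorithm '$h'") }
        elseif ($h -eq 'SHA-1')       { $problems.Add("SHA-1 requested; prefer a SHA-2 family algorithm") }
    }

    # The subject is a DN; the article's example leads with CN=.
    if ($SubjectName -notmatch '^\s*CN=') { $problems.Add("SubjectName should begin with CN=") }

    # SAN entries are semicolon-separated and each needs one of the supported prefixes.
    $sanPrefixes = 'DNS', 'UPN', 'EMAIL', 'IP'
    foreach ($san in ($SubjectAltName -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        $prefix = ($san -split ':', 2)[0].ToUpper()
        if ($prefix -notin $sanPrefixes) { $problems.Add("SAN entry '$san' has unsupported type '$prefix'") }
    }

    # Server URLs are semicolon-separated; enrollment traffic should travel over HTTPS.
    foreach ($u in ($ServerUrl -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        $uri = $null
        if (-not [Uri]::TryCreate($u, [UriKind]::Absolute, [ref]$uri)) { $problems.Add("'$u' is not an absolute URL") }
        elseif ($uri.Scheme -ne 'https') { $problems.Add("'$u' does not use https") }
    }

    # The CA thumbprint is the SHA-1 fingerprint: exactly 40 hex digits, no spaces or colons.
    if ($CAThumbprint -notmatch '^[0-9A-Fa-f]{40}$') { $problems.Add("CAThumbprint must be 40 hex characters (SHA-1)") }

    [pscustomobject]@{
        EnabledKeyUsages = $enabled
        Problems         = $problems.ToArray()
        IsValid          = ($problems.Count -eq 0)
    }
}

# Constructed sample values taken from the examples in this article (not real infrastructure).
Test-ScepPolicyValues -KeyUsage 160 -KeyLength 2048 -HashAlgorithm 'SHA-256' `
    -SubjectName 'CN={deviceSerialNumber}, O=ExampleCorp, C=US' `
    -SubjectAltName 'DNS:{deviceHostname};UPN:{userPrincipalName}' `
    -ServerUrl 'https://scep.example.com/scep;https://backup-scep.example.com/scep' `
    -CAThumbprint 'e3a1f3b2c4d597ab88e27d2f5549eaab234fe312'
```

With the sample values the function reports `EnabledKeyUsages` of Digital Signature and Key Encipherment and no problems. A thumbprint pasted with colons, a SAN entry such as `URI:` that the policy does not list, or a plain `http://` server URL each produce an entry in `Problems` so the mistake is caught before the policy is assigned to devices.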


How to Use This Policy (Example: Okta SCEP)

When integrating with Okta Identity Engine for device certificates:

  1. Configure Okta’s SCEP application.

  2. Obtain:

    • SCEP URL

    • CA Thumbprint

    • SCEP Shared Secret (Challenge)

  3. Create a new Windows SCEP Certificate Policy in Swif.ai.

  4. Enter the above values in the policy fields.

  5. Assign the policy to your Windows device group.

  6. Devices will automatically enroll and install the certificate.


Troubleshooting

Certificate isn’t installing

  • Verify the SCEP URL is reachable from the device.

  • Ensure the CA thumbprint matches exactly.

  • Confirm the challenge value is valid.

  • Check Windows Event Viewer → Applications and Services Logs / Microsoft / Windows / CertificateServices-Client-CertEnroll.

Device repeatedly retries enrollment

  • Increase retry delay.

  • Ensure the SCEP server is not returning “pending” status for too long.

Certificate shows wrong subject or SAN

  • Review the subject and SAN formatting.

  • Confirm placeholders like {deviceHostname} are supported.
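The three troubleshooting checks above (server reachability and CA thumbprint, the CertEnroll event log, and the subject/SAN of the installed certificate) can be run from an elevated PowerShell session on the affected device. The script below is an added example written for this article, not Swif.ai or Okta code. It assumes the policy values are the placeholders at the bottom (`https://scep.example.com/scep`, the sample thumbprint, and an `O=ExampleCorp` subject filter), that the Event Viewer folder named above corresponds to the `Microsoft-Windows-CertificateServices-Client-CertEnroll/Operational` channel, and that a TPM-backed key shows the provider name `Microsoft Platform Crypto Provider`; adjust the store path to `Cert:\CurrentUser\My` if your policy installs user certificates.

```powershell
# Added example (not Swif.ai code): device-side diagnostics for a SCEP enrollment.

# 1. Is the SCEP URL reachable, and does the CA it returns match the policy's thumbprint?
function Test-ScepCaThumbprint {
    param([string] $ServerUrl, [string] $ExpectedThumbprint)

    # GetCACert is the standard SCEP query. The server answers with a single DER
    # certificate or a PKCS#7 bundle; X509Certificate2Collection.Import reads both.
    $tmp = Join-Path $env:TEMP 'scep-getcacert.bin'
    Invoke-WebRequest -Uri "${ServerUrl}?operation=GetCACert" -OutFile $tmp -UseBasicParsing
    $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $certs.Import([IO.File]::ReadAllBytes($tmp))
    Remove-Item $tmp -ErrorAction SilentlyContinue

    $expected = $ExpectedThumbprint.ToUpper()
    foreach ($c in $certs) {
        [pscustomobject]@{
            Subject       = $c.Subject
            Thumbprint    = $c.Thumbprint            # SHA-1 hex, uppercase
            MatchesPolicy = ($c.Thumbprint -eq $expected)
        }
    }
}

# 2. Recent events from the CertificateServices-Client-CertEnroll log the article points at.
function Get-ScepEnrollEvents {
    param([int] $MaxEvents = 20)
    Get-WinEvent -LogName 'Microsoft-Windows-CertificateServices-Client-CertEnroll/Operational' `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# 3. Inspect the installed certificate: subject, SAN text, expiry and whether the key is TPM-backed.
function Get-ScepInstalledCert {
    param([string] $SubjectFilter, [string] $StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem $StorePath | Where-Object { $_.Subject -like $SubjectFilter } | ForEach-Object {
        $sanExt = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
        $rsa    = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($_)
        # CNG keys expose their KSP name; "Microsoft Platform Crypto Provider" is the TPM KSP.
        $provider = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.Provider.Provider } else { 'n/a' }
        [pscustomobject]@{
            Subject   = $_.Subject
            NotAfter  = $_.NotAfter
            SAN       = if ($sanExt) { $sanExt.Format($false) } else { '<none>' }
            Provider  = $provider
            TpmBacked = ($provider -eq 'Microsoft Platform Crypto Provider')
        }
    }
}

# Placeholder values: replace with the URL, thumbprint and subject from your policy.
Test-ScepCaThumbprint -ServerUrl 'https://scep.example.com/scep' `
                      -ExpectedThumbprint 'e3a1f3b2c4d597ab88e27d2f5549eaab234fe312' | Format-Table
Get-ScepEnrollEvents -MaxEvents 20 | Format-Table -Wrap
Get-ScepInstalledCert -SubjectFilter '*O=ExampleCorp*' | Format-List
```

If `Test-ScepCaThumbprint` throws, the device cannot reach the SCEP URL at all (proxy, firewall or DNS); if it returns a certificate whose `MatchesPolicy` is false, the thumbprint in the policy is wrong or the server's CA was rotated. Warning or error events in the CertEnroll log give the server's response (including a "pending" status that keeps the device retrying), and the `SAN` and `Subject` fields of the installed certificate show what the placeholders actually expanded to.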


Best Practices

  • Use TPM-backed key protection for higher security when available.

  • Limit certificate validity to 1 year or less following modern security recommendations.

  • Use multiple SCEP URLs for redundancy.

  • Use this policy with:

    • Wi-Fi EAP-TLS

    • VPN certificate authentication

    • Zero-trust device verification
