How To Create Intune SCEP CA


  1. Registering the application in your tenant
  2. Create EZCA Resource In Azure
  3. Register Intune Application in Azure Tenant


The first step to get a certificate authority (CA) for Intune is to create your CA in EZCA. The following page will guide you on how to do this.

How to Azure CA for Intune

  1. navigate to the EZCA portal (If you have your private instance go to that specific portal)
  2. Login with an account that is registered as a PKI Admin in EZCA.
  3. Navigate to Certificate Authorities. CA Menu
  4. Click on the “Create CA” Create CA
  5. Select Root CA. Select CA Type
  6. Click Next

Entering CA Information

  1. Enter Common Name: This is the name of the CA how it will appear in the certificate.
  2. (Optional) Enter CA Friendly Name This is the name that will appear in the EZCA portal, by default we will use the Common Name
  3. (Optional) Enter the Organization The Organization field is an optional certificate field that usually has the company name.
  4. (Optional) Enter the Organization Unit The Organization Unit field is an optional certificate field that usually contains the unit that runs this CA (For example: IT or HR).
  5. (Optional) Enter the Country Code The Country Code field is an optional certificate field that identifies the country where this CA is located.
  6. Click Next. CA Details

Cryptographic Requirements

  1. Unless you have specific compliance or security requirements, leave the default cryptographic values for best security and compatibility.

    Intune SCEP only supports RSA keys for the issuing certificate authority.

    Crypto Details

CA Certificate Validity Period

  1. Select your Validity Period Learn more about Validity Period best practices
  2. Enter a Notification Email this email address (as well as the PKI Administrators) will get all the notifications for the lifecycle of the CA.
  3. Select the lifecycle action you want EZCA to take when expiry of the CA is approaching

    For Root CAs we recommend to have a manual Lifecycle since the new Root will have to be added to the trusted root stores of your clients which requires manual steps from the IT team.

  4. Select the percentage of lifetime of the certificate when you want EZCA to start taking Lifecycle actions. Lifecycle Details
  5. Click Next.

Issuance Policy

  1. Change the Issuing Certificate Type to “SCEP Template”
  2. Set the certificate lifetime for the certificate that will be issued.

    This value will override any value that you set in Intune.

    Select Intune SCEP Certificate Template

Select Location

  1. Select the location where you want your CA to be created.
  2. Click Create Create Intune CA

Download Certificate

  1. Once the CA is created download the CAcertificate. Download CA Cert
  2. Now you are ready to Create your Intune SCEP profiles