Having a Third-party certification authority setup with Intune we want to have a means to smoke-test the whole setup end-to-end every few minutes, to make sure it's available when needed.
Specifically:
- Is the partner certification authority's SCEP server still compatible with the latest Intune API?
- Is the connection between the 3P SCEP server and Intune still intact?
- Can the 3P SCEP server authorize itself in an Intune App to perform CSR validation?
- Can it also work with a newly created Intune App (in case something changes in Intune)?
The obvious way would be to have a real device which onboards itself to Intune, so the whole flow is executed. However, such a setup isn't easy to achieve, to have a real device/VM reliably running all the time and somehow forced to re-onboard itself to Intune every few minutes, in sync with some other tool looking into what's going on on the CA. And then keeping it updated and all that.
(I wonder how this repository has been tested with the real Intune. Maybe there's some software emulator which can communicate with Intune and pretend to be a real device? It'd be a great addition to this repository then.)
Another idea which we have tried: capture one real CSR from a real device and try to replay it.
Observations:
- Relatively easy to set up: just send a SCEP message to the 3P SCEP server and check the response.
- This CSR is valid for something like an hour, before the ChallengePassword expires.
- After that, ChallengeExpired is returned by Intune, which is probably fine. We can still see that the SCEP server can connect to Intune, successfully call its API and receive a valid, expected response.
- In a few months the error code changes to SigningCertThumbprintMismatch with errorDescription: Signing certificate thumbprint does not match the one in the token. Intune Signing cert thumbprint(s): xxx do not match the signing cert thumbrpint in the CSR: yyy
- It isn't clear how viable this approach is or how it can break going forward.
The last point isn't very clear as the error code doesn't seem to be documented. But it probably means that the ChallengePassword is signed by a signing certificate which is periodically rotated, and when it happens all previously generated ChallengePasswords stop being accepted. There's nothing in the public documentation about it, and there's no way to predict when such a rotation is going to take place next time.
Ask: a software solution which could be used to meaningfully test a 3P CA and Intune integration.
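One way to turn the replay approach above into a periodic monitor, as an added example that is not part of the issue or of this repository's code. It combines the standard SCEP GetCACaps check with a replay of a captured PKIOperation message and classifies the answer by the Intune error codes named in the issue, so that ChallengeExpired on a CSR older than about an hour counts as "link healthy, challenge stale" while SigningCertThumbprintMismatch is flagged as "re-capture a fresh CSR". Assumptions not taken from the issue: the SCEP server accepts GetCACaps via GET and PKIOperation via POST with Content-Type application/x-pki-message, the Intune error code appears as text in whatever the monitor reads back (response body or a log line), the required capability set, and all sample responses and the captured blob are constructed placeholders.

```python
"""Periodic smoke test for a third-party SCEP server that validates Intune challenges.

Added example for this issue; not code from the repository or the issue author.
Assumptions (not from the post): GetCACaps over HTTP GET, PKIOperation over POST,
and the Intune error code visible as text in the answer the monitor reads back.
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Optional, Tuple

# Lifetime of a captured ChallengePassword as observed in the issue (~1 hour).
REPLAY_VALIDITY = timedelta(hours=1)
# Capabilities the server is assumed to advertise (assumption; tune per deployment).
REQUIRED_CAPS = {"POSTPKIOperation", "SHA-256"}


class Health(Enum):
    OK = "ok"                                    # certificate issued: full path works
    LINK_OK_STALE_CHALLENGE = "stale-challenge"  # Intune answered; replayed challenge too old
    RECAPTURE_NEEDED = "recapture-needed"        # signing cert rotated; this CSR can never pass again
    UNEXPECTED_ERROR = "unexpected-error"        # server answered with an error the monitor does not know
    SCEP_DOWN = "scep-down"                      # no HTTP answer at all


# Intune error codes reported in the issue, mapped to what they prove about the link.
KNOWN_CODES = {
    "ChallengeExpired": Health.LINK_OK_STALE_CHALLENGE,
    "SigningCertThumbprintMismatch": Health.RECAPTURE_NEEDED,
}

# (operation, payload) -> (HTTP status, or None on transport failure; body text)
Transport = Callable[[str, Optional[bytes]], Tuple[Optional[int], str]]


def parse_cacaps(body: str) -> set:
    """GetCACaps returns one capability keyword per line (RFC 8894, section 3.5.2)."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def classify_replay(status: Optional[int], body: str) -> Health:
    """Turn the answer to a replayed PKIOperation into a health verdict."""
    if status is None:
        return Health.SCEP_DOWN
    for code, verdict in KNOWN_CODES.items():
        if re.search(r"\b" + re.escape(code) + r"\b", body):
            return verdict
    return Health.OK if status == 200 else Health.UNEXPECTED_ERROR


@dataclass
class Report:
    caps: set = field(default_factory=set)
    missing_caps: set = field(default_factory=set)
    replay: Health = Health.SCEP_DOWN
    replay_age: timedelta = timedelta(0)
    # True once the captured CSR is older than the observed challenge lifetime,
    # so a ChallengeExpired answer is the expected healthy outcome rather than a fault.
    challenge_stale_expected: bool = False


def run_smoke_test(transport: Transport, captured_csr: bytes,
                   captured_at: datetime, now: Optional[datetime] = None) -> Report:
    now = now or datetime.now(timezone.utc)
    report = Report()
    status, body = transport("GetCACaps", None)
    if status == 200:
        report.caps = parse_cacaps(body)
        report.missing_caps = REQUIRED_CAPS - report.caps
    status, body = transport("PKIOperation", captured_csr)
    report.replay = classify_replay(status, body)
    report.replay_age = now - captured_at
    report.challenge_stale_expected = report.replay_age > REPLAY_VALIDITY
    return report


def http_transport(base_url: str) -> Transport:
    """Real transport: GET for GetCACaps, POST for PKIOperation (assumed server conventions)."""
    def send(operation: str, payload: Optional[bytes]) -> Tuple[Optional[int], str]:
        req = urllib.request.Request(f"{base_url}?operation={operation}", data=payload,
                                     method="POST" if payload else "GET")
        if payload:
            req.add_header("Content-Type", "application/x-pki-message")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read().decode("latin-1")
        except urllib.error.HTTPError as e:
            return e.code, e.read().decode("latin-1")
        except (urllib.error.URLError, OSError):
            return None, ""
    return send


def fake_transport(operation: str, payload: Optional[bytes]) -> Tuple[Optional[int], str]:
    """Constructed stand-in for the SCEP server so the example runs offline."""
    if operation == "GetCACaps":
        return 200, "POSTPKIOperation\nSHA-256\nAES\nRenewal\n"
    # Constructed text echoing the code the issue reports once the challenge is over ~1h old.
    return 400, "Intune validation failed: errorCode=ChallengeExpired"


def demo_report() -> Report:
    """Replay a three-hour-old (constructed) capture against the fake server."""
    captured = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)
    return run_smoke_test(fake_transport, b"<captured PKCS#7 blob placeholder>", captured,
                          now=captured + timedelta(hours=3))


if __name__ == "__main__":
    r = demo_report()
    print(r.replay.value, sorted(r.caps), "stale expected:", r.challenge_stale_expected)
```

Against a live server, swap `fake_transport` for `http_transport("https://scep.example.invalid/cgi-bin/pkiclient.exe")` (placeholder URL) and the bytes of a CSR captured from a real enrollment; a monitor would alert on SCEP_DOWN or UNEXPECTED_ERROR, treat LINK_OK_STALE_CHALLENGE as healthy only while `challenge_stale_expected` is true, and treat RECAPTURE_NEEDED as the signal that the signing certificate rotated and a fresh capture is due.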