This payload can be used to enroll a certificate using the Simple Certificate Enrollment Protocol (SCEP).
To use it, you need a SCEP server that can issue a certificate to the devices this payload is deployed to.
|Yes||Server URL||The base URL for the SCEP server.||http://scep.example.com:1640/pkiclient.exe|
The name of the instance: CA-IDENT
Optional. Any string that is understood by the SCEP server. For example, it could be a domain name like example.org. If a certificate authority has multiple CA certificates, this field can be used to distinguish which one is required.
Representation of an X.500 name
Optional. An X.500 name represented as an array of OID and value.
|O=CapaSystems A/S, OU=Test|
Used as the pre-shared secret for automatic enrollment.
Optional. A pre-shared secret.
Key size in bits.
Optional. Currently always "RSA".
|Use for digital signature and key encipherment||Optional. A bitmask indicating the use of the key. 1 is signing, 4 is encryption, 5 is both signing and encryption. Some certificate authorities, such as Windows CA, support only encryption or signing, but not both at the same time.|
|Subject Alternate Name Type|
The type of a subject alternate name
The SCEP payload can specify an optional SubjectAltName dictionary that provides values required by the CA for issuing a certificate. You can specify a single string or an array of strings for each key. The values you specify depend on the CA you're using, but might include DNS name, URL, or email values.
|Fingerprint||HEX string to be used as fingerprint.|
|ONLY FOR IOS 12 OR NEWER|
|The number of times the device should retry||Defaults to 3|
|The number of seconds to wait between subsequent retries||The first retry is attempted without this delay. Defaults to 10.|
|If set, all apps have access to the private key|
Default is not set
|If not set, the private key cannot be exported from the keychain|
Default is set
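The subject, key usage, fingerprint and key-access settings described above, assembled into a payload dictionary and reviewed, as an added example (not CapaSystems' code). The dictionary key names are assumed to follow Apple's SCEP configuration profile payload, which this page does not name; the function names and any sample fingerprint are constructed for illustration.

```python
import re

SIGNING, ENCRYPTION = 1, 4  # Key Usage bit values listed on this page

def parse_subject(dn):
    """Turn 'O=..., OU=...' into the array-of-OID/value form.
    Splits on ',' and '=' only; escaped commas in values are not handled."""
    rdns = []
    for part in dn.split(","):
        oid, sep, value = (s.strip() for s in part.partition("="))
        if not (sep and oid and value):
            raise ValueError(f"bad subject component: {part!r}")
        rdns.append([[oid, value]])
    return rdns

def parse_fingerprint(hex_str):
    """Accept plain, colon- or space-separated hex and return raw bytes."""
    cleaned = re.sub(r"[\s:]", "", hex_str)
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", cleaned):
        raise ValueError("fingerprint must be an even-length hex string")
    return bytes.fromhex(cleaned)

def build_scep_content(url, subject=None, sign=True, encrypt=True,
                       fingerprint=None, all_apps=False, extractable=True):
    """Return (payload content dict, list of review findings)."""
    usage = (SIGNING if sign else 0) | (ENCRYPTION if encrypt else 0)
    content = {"URL": url, "Key Type": "RSA",
               "Retries": 3, "RetryDelay": 10,  # defaults stated on this page
               "AllowAllAppsAccess": all_apps, "KeyIsExtractable": extractable}
    if usage:
        content["Key Usage"] = usage
    if subject:
        content["Subject"] = parse_subject(subject)
    if fingerprint:
        content["CAFingerprint"] = parse_fingerprint(fingerprint)
    findings = []
    if usage == SIGNING | ENCRYPTION:
        findings.append("usage 5: some CAs accept only signing or only encryption")
    if extractable:
        findings.append("private key can be exported from the keychain")
    if all_apps:
        findings.append("all apps can access the private key")
    if url.lower().startswith("http://") and not fingerprint:
        findings.append("plain HTTP and no CA fingerprint to check the CA certificate")
    return content, findings
```

The returned dictionary can be serialized with `plistlib.dumps`, which writes the fingerprint bytes as a data value.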