

This payload can be used to enroll a certificate using the Simple Certificate Enrollment Protocol (SCEP).

To use this payload, you need a SCEP server that can issue certificates to the devices the payload is deployed to.


Yes

Server URL

The base URL for the SCEP server.


The name of the instance: CA-IDENT

Optional. Any string that is understood by the SCEP server. For example, it could be a domain name like If a certificate authority has multiple CA certificates, this field can be used to distinguish which is required.

My Certificate

Representation of an X.500 name

Optional. An X.500 name represented as an array of OID and value pairs.
For example, /C=US/O=Apple Inc./CN=foo/, which would translate to: [ [ ["C", "US"] ], [ ["O", "Apple Inc."] ], ..., [ ["", "bar" ] ] ]
OIDs can be represented as dotted numbers, with shortcuts for country (C), locality (L), state (ST), organization (O), organizational unit (OU), and common name (CN).

O=CapaSystems A/S, OU=Test


Used as the pre-shared secret for automatic enrollment.

Optional. A pre-shared secret.

Yes

Key Size

Key size in bits.
Optional. The key size in bits, either 1024 or 2048.

Yes

Key Type

Optional. Currently always "RSA".


Use for digital signature and key encipherment

Optional. A bitmask indicating the use of the key. 1 is signing, 4 is encryption, 5 is both signing and encryption. Some certificate authorities, such as Windows CA, support only encryption or signing, but not both at the same time.

Subject Alternate Name Type

The type of a subject alternate name

The SCEP payload can specify an optional SubjectAltName dictionary that provides values required by the CA for issuing a certificate. You can specify a single string or an array of strings for each key. The values you specify depend on the CA you're using, but might include DNS name, URL, or email values.

Fingerprint

Hex string to be used as the fingerprint.


The number of times the device should retry

Defaults to 3.

The number of seconds to wait between subsequent retries

The first retry is attempted without this delay. Defaults to 10.

If set, all apps have access to the private key

Default is not set

If not set, the private key cannot be exported from the keychain

Default is set
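
As an added example (not part of the original page or the product's own code), the Python sketch below converts a subject string into the array of OID and value pairs described above, decodes the key usage bitmask, and reviews a settings dictionary for the riskier choices this payload allows. The dictionary key names and the sample values are assumptions made for the illustration.

```python
import re

def subject_to_array(name):
    """'/C=US/O=Apple Inc./CN=foo' or 'O=CapaSystems A/S, OU=Test' ->
    [[["C", "US"]], ...]: one [OID, value] pair per name component."""
    name = name.strip()
    # Slash form splits on '/', comma form on ','; escaped separators are not handled.
    parts = name.strip("/").split("/") if name.startswith("/") else name.split(",")
    rdns = []
    for part in parts:
        oid, sep, value = part.strip().partition("=")
        if not (sep and oid.strip() and value.strip()):
            raise ValueError(f"malformed name component: {part!r}")
        rdns.append([[oid.strip(), value.strip()]])
    return rdns

def decode_key_usage(mask):
    """1 = signing, 4 = encryption, 5 = both; any other bit is rejected."""
    if mask <= 0 or mask & ~5:
        raise ValueError(f"unsupported key usage bitmask: {mask}")
    return [label for bit, label in ((1, "signing"), (4, "encryption")) if mask & bit]

def review_settings(s):
    """Return findings for a settings dict; the key names are hypothetical."""
    findings = []
    if s.get("key_size") not in (1024, 2048):
        findings.append("key size must be 1024 or 2048")
    elif s["key_size"] == 1024:
        findings.append("1024-bit RSA key is weak; use 2048")
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", s.get("fingerprint", "")):
        findings.append("fingerprint is missing or not a hex string")
    usage = s.get("key_usage")  # optional setting
    if usage is not None and len(decode_key_usage(usage)) == 2:
        findings.append("key usage 5: some CAs issue signing or encryption only")
    if s.get("all_apps_access"):
        findings.append("all apps can use the private key")
    if s.get("exportable", True):  # the page lists this option as set by default
        findings.append("private key can be exported from the keychain")
    return findings

# Constructed sample settings (not from a real deployment).
SAMPLE = {"subject": "O=CapaSystems A/S, OU=Test", "key_size": 1024,
          "key_usage": 5, "fingerprint": "", "all_apps_access": True}

if __name__ == "__main__":
    print(subject_to_array(SAMPLE["subject"]))
    for finding in review_settings(SAMPLE):
        print("-", finding)
```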
