Skip Navigation

Windows 10
: SCEP profile settings

Windows 10
: SCEP profile setting
User certificate store
This setting specifies whether the certificate is stored in the user certificates location on the device.
This setting specifies the subject for the certificate, if required for your organization's SCEP configuration. Type the subject in the format "/CN=
" If the profile is for multiple users, you can use a variable, for example: %UserDistinguishedName%.
SAN type
This setting specifies the subject alternative name type for the certificate, if it is required.
Possible values:
  • None
  • RFC 822 name
  • DNS name
  • Uniform resource identifier
The default value is "None."
SAN value
This setting specifies the alternative representation of the certificate subject. The value must be an email address, the DNS name of the CA server, or the fully qualified URL of the server.
The appropriate value for this setting depends on the value selected for the "SAN type" setting.
This setting specifies how many times to retry connecting to the SCEP service if the connection attempt fails.
The possible values are 1 to 999.
The default value is "3."
Retry delay
This setting specifies the time in seconds to wait before retrying to connect to the SCEP service.
The possible values are 1 to 999.
The default value is "10" seconds.
Key size
This setting specifies the key size for the certificate.
Possible values:
  • 1024
  • 2048
  • 4096
  • 8192
  • 16384
The default value is "1024."
Key usage
This setting specifies the cryptographic operations that can be performed using the public key that is contained in the certificate.
  • Digital signature
  • Non-repudiation
  • Key encipherment
  • Data encipherment
  • Key agreement
  • Key certificate signing
  • CRL signing
  • Encipher only
The default selections are "Key certificate signing" and "Encipher only."
Extended key usage
This setting specifies the purpose of the key that is contained in the certificate.
  • Server authentication
  • Client authentication
  • Code signing
  • Email protection
  • Time stamping
  • OCSP signing
  • Secure shell client
  • Secure shell server
The default selection is "Client authentication."
SCEP key storage
This setting specifies the storage location for the private key.
Possible values:
  • TPM
  • TPM if supported
  • KSP
The default value is "KSP."
Hash function
This setting specifies the hash function that a
Windows 10
device uses for the certificate enrollment request.
Possible values:
  • SHA-1
  • SHA-224
  • SHA-256
  • SHA-384
  • SHA-512
The default value is "SHA-1."
Certificate thumbprint
This setting specifies the hexadecimal-encoded hash of the root certificate for the CA. You can use the following algorithms to specify the thumbprint: SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512.
Automatic renewal
This setting specifies how many days before a certificate expires that automatic certificate renewal occurs.
The possible values are 1 to 365.
The default value is "30."