Set up the Cloudi-Fi Certificate Authority (CA) certificate as an authentication provider in Cloudi-Fi Cloud NAC. This allows you to create and manage your PKI directly within Cloudi-Fi and generate user certificates for network authentication.
Prerequisites
To complete this configuration, the Cloudi-Fi PKI feature must first be enabled for your tenant. Contact your Cloudi-Fi representative to have it enabled; for assistance, reach out to your Sales Engineer.
1. Add a new authentication provider
In the Cloudi-Fi admin console, navigate to Network > NAC Providers.
Click Add NAC provider.
From the list of authentication methods, select Cloudi-Fi as Certificate authority.
2. Configure your Certificate Authority (CA)
Set the following X.509 certificate attributes:
- Common Name (CN): the name of the CA itself (for instance: MyCompany Root CA)
- Organisation (O): the legal name of the company or entity that owns the certificate (for instance: Example Corporation, ACME Ltd., City of Springfield)
- Organisational Unit (OU): a department or division within the organisation (for instance: IT Department, Security, Engineering)
- Country (C)
- State/Province (ST): the full name of the state, province, region, or administrative area (for instance: California, Île-de-France, Bavaria)
- Locality (L): the city or town where your organisation is legally located (for instance: San Francisco, Paris, Munich)
3. Configure SCEP
Simple Certificate Enrollment Protocol (SCEP) is a protocol used to automate the process of requesting, issuing, and managing digital certificates for network devices.
SCEP is primarily used to simplify and scale certificate enrolment. Without SCEP, obtaining a device certificate typically requires manually generating a CSR (Certificate Signing Request), submitting it to a Certificate Authority (CA), and then manually installing the issued certificate. SCEP automates this entire process, which makes it essential for large-scale deployments managed by Mobile Device Management (MDM) systems.
How it Works
- The device, or the MDM on its behalf, requests a certificate from the CA using SCEP.
- The CA verifies the request (often using a shared secret or pre-installed credentials).
- The CA issues a certificate and sends it back to the device.
Next, select your Connector Type. The connector acts as a secure bridge between your management system (such as Intune) and the Cloudi-Fi Certificate Authority (CA), handling the automated SCEP certificate requests.
Intune Connector:
This connector is specifically designed for Microsoft Intune.
Devices managed by Intune (including Windows, iOS, and Android) use this connector to request certificates automatically from the Cloudi-Fi CA.
It typically handles the challenge password securely and automatically.
Generic Connector:
This is a more standard or manual connector, not tied specifically to Intune.
It is useful for non-Intune MDM systems or custom device management setups that support the SCEP protocol.
Requires manual configuration of the Challenge Password.
For the Generic connector, you must define the challenge password. The challenge password is the shared secret that proves a device is authorised to obtain a certificate; without it, anyone could request certificates from your CA.
- Static: a predefined secret that is the same for all devices. Simple to configure, but less secure if the secret leaks. Often used in small environments.
- Dynamic: a unique secret per device or per enrolment session, often generated on the fly. More secure, because each request uses a different secret.
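As an added illustration of the enrolment flow described under "How it Works" and of the static versus dynamic challenge choice above (example code written for this page, not Cloudi-Fi's implementation), the following Go program models the CA side: it self-signs a root with the step 2 subject attributes, accepts either the static secret or a one-time dynamic secret, refuses a replayed dynamic secret, and issues a client-authentication certificate. The subject values, device names and secrets are constructed sample values, and the CA type, its fields and its methods are assumptions of this example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
type CA struct {
	key     ed25519.PrivateKey // root signing key (toy issuer, kept in memory only)
	Cert    *x509.Certificate  // self-signed root certificate
	static  string             // static challenge: one shared secret for every device ("" disables it)
	pending map[string]bool    // dynamic challenges: one-time secrets, removed as soon as they are used
}
// NewCA self-signs a root carrying the step 2 subject attributes (constructed sample values).
func NewCA(static string) (*CA, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0),
		Subject: pkix.Name{CommonName: "MyCompany Root CA", Organization: []string{"Example Corporation"},
			OrganizationalUnit: []string{"IT Department"}, Country: []string{"FR"}, Province: []string{"Île-de-France"}, Locality: []string{"Paris"}}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	return &CA{key: key, Cert: cert, static: static, pending: map[string]bool{}}, err
}
// NewDynamicChallenge mints the per-enrolment secret that an MDM would hand to a single device.
func (ca *CA) NewDynamicChallenge() string {
	n, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // 128 random bits
	ca.pending[n.Text(16)] = true
	return n.Text(16)
}
// Enroll is the CA side of the SCEP flow: verify the challenge password, then issue a client-auth cert.
func (ca *CA) Enroll(deviceCN, challenge string, devicePub ed25519.PublicKey) (*x509.Certificate, error) {
	switch {
	case ca.static != "" && subtle.ConstantTimeCompare([]byte(challenge), []byte(ca.static)) == 1:
	case ca.pending[challenge]: delete(ca.pending, challenge) // single use: a replayed dynamic secret is refused
	default: return nil, errors.New("challenge password rejected")
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0),
		Subject:     pkix.Name{CommonName: deviceCN, Organization: ca.Cert.Subject.Organization},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}} // usable for network (802.1X) authentication
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, devicePub, ca.key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}
```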
For the Intune connector, complete the following parameters:
- Application (Client) ID: the unique identifier of the Azure AD application that Intune uses to authenticate with Azure.
  - Where it comes from: when you register an app in Azure AD (or when Intune automatically creates one for SCEP), the app is assigned a GUID called the Application (Client) ID.
  - Format: a GUID, like 12345678-90ab-cdef-1234-567890abcdef.
- Directory (Tenant) ID: the unique identifier of your Azure AD tenant, that is, your organisation's instance in Azure AD.
  - Where it comes from: you can find it in Azure AD > Overview > Tenant ID.
  - Format: also a GUID, like abcdef12-3456-7890-abcd-ef1234567890.
4. Complete the creation of your CA
Click Save to complete the creation of your CA.
5. Get your CA parameters
You can then download your CA's root certificate or view its parameters (for example, to configure SCEP).
Once the configuration is complete, Cloudi-Fi Cloud NAC will begin validating device certificates against the created CA certificate.