Understanding device certificates

Device certificates are used to authenticate devices and secure communications between them.

In addition to providing a centralized view of device certificates and certificate details, SCM enables appropriately privileged administrators to do the following:

Manage certificate lifecycles — Request and revoke device certificates.
Manage certificate requests — Approve and decline device certificate requests.
Download certificates — Download device certificates in various formats.

Device certificates can be managed on the Certificates Device Certificates page.

The following table describes the settings and controls of the Device Certificates page.

Column Description

Column	Description
ID	The unique numeric identifier of the certificate.
Status	The status of the certificate. The possible values are: Requested — The certificate request has been received in SCM and is awaiting approval. Approved — The certificate request has been approved in SCM and is awaiting certificate authority (CA) issuance. Applied — The certificate request is being processed by the CA. Issued — The certificate has been issued. Expired — The certificate has expired. Declined — The certificate request has been declined by an administrator. Rejected — The certificate request has been rejected by the CA because of one or more issues. Revoked — The certificate has been revoked.
Common name	The common name provided in the certificate request.
Order number	The unique identifier created by the issuing CA to represent the certificate request.
Certificate profile	The certificate profile used for the certificate request.
Term	The validity period of the certificate.
Requested via	The method used to request the certificate or to bring it into SCM. The possible values are: Admin — The certificate was requested by an administrator using the built-in enrollment wizard in SCM. Discovery — The certificate was discovered during a scan and brought into SCM for management. EST — The certificate was requested using an Enrollment over Secure Transport (EST) protocol endpoint. Enrollment Form — The certificate was requested using an external enrollment form. MS Agent — The certificate was requested using an MS agent. REST API — The certificate was requested using the REST API endpoint. SCEP — The certificate was requested using a Simple Certificate Enrollment Protocol (SCEP) endpoint. Web API — The certificate was requested using the Web API.
Organization	The organization that requested or has been issued the certificate.
Department	The department, if any, that requested or has been issued the certificate.
Requester	The email address of the end-user, or the name of the administrator who requested the certificate.
Approver	The name of the administrator who approved the certificate request.
Subject	The entity (such as a device or organization) identified by the certificate, containing unique attributes that distinguish it from others.
Subject alt name	Additional names or attributes that identify the entity associated with the certificate. This can include alternative device names, IP addresses, MAC addresses, or other identifiers relevant to device certificates.
Issuer	The name of the certificate and the issuing CA.
Expires	The date that the certificate expires.
Serial number	A unique serial number assigned to the certificate.
Key usage	The cryptographic operations that the certificate is valid for.
Extended key usage	Additional cryptographic operations that the certificate is valid for.
Key algorithm	The algorithm used to generate the key pair.
Key size / curve	The size of the key pair or the curve used to generate the key pair.
Signature algorithm	The algorithm used to sign the certificate.
MD5 hash	The MD5 hash (thumbprint/fingerprint) of the certificate.
SHA1 hash	The SHA1 hash (thumbprint/fingerprint) of the certificate.
Comments	Comments or notes about the certificate.
Requested	The date that the certificate was requested.
Approved	The date that the certificate was approved.
Declined	The date that the certificate request was declined.
Issued	The date that the certificate was issued.
Downloaded	The date that the certificate was downloaded.
Revoked	The date that the certificate was revoked.
Replaced	The date that the certificate was replaced.
External requester	The email address of any external requester(s). This is either manually entered by an administrator requesting the certificate on behalf of an external user, or populated with email address(es) found in the Subject DN (Email field) and/or Subject Alternative Name (SAN) extension during certificate discovery.
Table controls
Filter	Enables you to sort the table information using custom filters.
Group	Enables you to sort the table information using predefined groups.
Refresh	Refreshes the information presented in the table.
Download CSV	Downloads the table information as a `.csv` file.
Manage Columns	Enables you to select which table columns to display.
Admin controls
Add	Opens the Request Device Certificate dialog where you can request a new certificate.
Delete	Opens the Delete Certificate dialog where you can delete the certificate entry from SCM.
View	Opens the Device Certificate page where you can view certificate details and perform various administrative tasks (such as, resending collection emails or downloading the certificate).
Approve	Opens the Approve Message dialog where you can approve the certificate request.
Decline	Opens the Decline Message dialog where you can decline the certificate request.
Revoke	Opens the Revocation Reason dialog where you can revoke the certificate.
View Audit	Opens the Certificate Audit page where you can view or download audit logs.

The unique numeric identifier of the certificate.

Status

The status of the certificate.

The possible values are:

Requested — The certificate request has been received in SCM and is awaiting approval.
Approved — The certificate request has been approved in SCM and is awaiting certificate authority (CA) issuance.
Applied — The certificate request is being processed by the CA.
Issued — The certificate has been issued.
Expired — The certificate has expired.
Declined — The certificate request has been declined by an administrator.
Rejected — The certificate request has been rejected by the CA because of one or more issues.
Revoked — The certificate has been revoked.

Common name

The common name provided in the certificate request.

Order number

The unique identifier created by the issuing CA to represent the certificate request.

Certificate profile

The certificate profile used for the certificate request.

Term

The validity period of the certificate.

Requested via

The method used to request the certificate or to bring it into SCM.

The possible values are:

Admin — The certificate was requested by an administrator using the built-in enrollment wizard in SCM.
Discovery — The certificate was discovered during a scan and brought into SCM for management.
EST — The certificate was requested using an Enrollment over Secure Transport (EST) protocol endpoint.
Enrollment Form — The certificate was requested using an external enrollment form.
MS Agent — The certificate was requested using an MS agent.
REST API — The certificate was requested using the REST API endpoint.
SCEP — The certificate was requested using a Simple Certificate Enrollment Protocol (SCEP) endpoint.
Web API — The certificate was requested using the Web API.

Organization

The organization that requested or has been issued the certificate.

Department

The department, if any, that requested or has been issued the certificate.

Requester

The email address of the end-user, or the name of the administrator who requested the certificate.

Approver

The name of the administrator who approved the certificate request.

Subject

The entity (such as a device or organization) identified by the certificate, containing unique attributes that distinguish it from others.

Subject alt name

Additional names or attributes that identify the entity associated with the certificate. This can include alternative device names, IP addresses, MAC addresses, or other identifiers relevant to device certificates.

Issuer

The name of the certificate and the issuing CA.

Expires

The date that the certificate expires.

Serial number

A unique serial number assigned to the certificate.

Key usage

The cryptographic operations that the certificate is valid for.

Extended key usage

Additional cryptographic operations that the certificate is valid for.

Key algorithm

The algorithm used to generate the key pair.

Key size / curve

The size of the key pair or the curve used to generate the key pair.

Signature algorithm

The algorithm used to sign the certificate.

MD5 hash

The MD5 hash (thumbprint/fingerprint) of the certificate.

SHA1 hash

The SHA1 hash (thumbprint/fingerprint) of the certificate.

Comments

Comments or notes about the certificate.

Requested

The date that the certificate was requested.

Approved

The date that the certificate was approved.

Declined

The date that the certificate request was declined.

Issued

The date that the certificate was issued.

Downloaded

The date that the certificate was downloaded.

Revoked

The date that the certificate was revoked.

Replaced

The date that the certificate was replaced.

External requester

The email address of any external requester(s). This is either manually entered by an administrator requesting the certificate on behalf of an external user, or populated with email address(es) found in the Subject DN (Email field) and/or Subject Alternative Name (SAN) extension during certificate discovery.

Table controls

Filter

Enables you to sort the table information using custom filters.

Group

Enables you to sort the table information using predefined groups.

Refresh

Refreshes the information presented in the table.

Download CSV

Downloads the table information as a .csv file.

Manage Columns

Enables you to select which table columns to display.

Admin controls

Add

Opens the Request Device Certificate dialog where you can request a new certificate.

Delete

Opens the Delete Certificate dialog where you can delete the certificate entry from SCM.

View

Opens the Device Certificate page where you can view certificate details and perform various administrative tasks (such as, resending collection emails or downloading the certificate).

Approve

Opens the Approve Message dialog where you can approve the certificate request.

Decline

Opens the Decline Message dialog where you can decline the certificate request.

Revoke

Opens the Revocation Reason dialog where you can revoke the certificate.

View Audit

Opens the Certificate Audit page where you can view or download audit logs.

Enrollment methods

SCM supports the enrollment of device certificates using the following methods:

Enrollment Wizard — Enroll device certificates through the SCM enrollment wizard. For more information, see Enroll a device certificate in SCM.
Self-Enrollment — Manually enroll device certificates using a self-enrollment form outside of SCM. For more information, see Understanding enrollment forms.
MS agent — Enroll device certificates through Microsoft Active Directory Certificate Services (AD CS) using a configured SCM MS agent. For more information, see Understanding MS agents.
EST — Enroll device certificates through the Enrollment over Secure Transport (EST) protocol using a configured SCM EST endpoint. For more information, see Understanding EST endpoints.
SCEP — Enroll device certificates through the Simple Certificate Enrollment Protocol (SCEP) using a configured SCM SCEP endpoint. For more information, see Understanding SCEP endpoints.
REST API — Enroll device certificates through the SCM REST API using a configured SCM REST API endpoint. For more information, see Understanding REST endpoints.
Admin API — Enroll device certificates through the SCM Admin API using a configured SCM API Admin. For more information, see Understanding administrators.
CA connector — Enroll device certificates through a third-party CA using a configured SCM CA connector. For more information, see Understanding CA connectors.