New 2.8 features into the changelog

docs/advanced-configuration/application-settings/dc-validation.md

@@ -54,4 +54,4 @@ SCEPman Enterprise Edition only
 
 **Value:** _true_ or _false_ (default)
 
-**Description:** When requesting certificates via the DC endpoint, SCEPman stores those requested certificates in the Storage Account in Azure if this is set to _true_. This will make the issued certificates appear in SCEPman Certificate Master, where you can view and revoke them. If set to _false_ or not set, SCEPman will not store issued certificates and the certificates are visible only in the logs or if the SCEP client stores them somewhere.
+**Description:** When requesting certificates via the DC endpoint, SCEPman stores those requested certificates in the Storage Account in Azure if this is set to _true_. This will make the issued certificates appear in SCEPman Certificate Master, where you can view and revoke them. If set to _false_, SCEPman will not store issued certificates and the certificates are visible only in the logs or if the SCEP client stores them somewhere. If this is not set, the behavior depends on the global setting AppConfig:EnableCertificateStorage.

docs/advanced-configuration/application-settings/jamf-validation.md

@@ -16,76 +16,96 @@ Applicable to version 1.7 and above
 
 **True**: SCEPman listens at the additional SCEP server endpoint with the path `/jamf`. Use in conjunction with AppConfig:JamfValidation:RequestPassword. **False** (default): SCEPman does not issue certificates for Jamf.
 
-## AppConfig:JamfValidation:RequestPassword
+## AppConfig:JamfValidation:APIUsername
 
 {% hint style="info" %}
 Applicable to version 1.7 and above
 {% endhint %}
 
 **Value:** _String_
 
-**Description:** A challenge password (max 32 characters) that Jamf must include in every SCEP request to acquire a certificate. Only used if AppConfig:JamfValidation:Enabled is set to _true_.
+**Description:** The name of a service account in Jamf that SCEPman uses to authenticate on your Jamf instance. SCEPman needs the following permissions to query for computers, devices, and users:
 
-We recommend to define this setting as Secret in Azure Key Vault. The Secret must have the name _AppConfig--JamfValidation--RequestPassword_.
+* Computers -> Read
+* Mobile Devices -> Read
+* Users -> Read
 
-## AppConfig:JamfValidation:ValidityPeriodDays
+## AppConfig:JamfValidation:APIPassword
 
 {% hint style="info" %}
 Applicable to version 1.7 and above
 {% endhint %}
 
-**Value:** Positive _Integer_
+**Value:** _String_
 
-**Description:** This setting further reduces the global ValidityPeriodDays for the Jamf endpoint.
+**Description:** The password of the service account configured in AppConfig:JamfValidation:APIUsername.
 
-## AppConfig:JamfValidation:URL
+We recommend to define this setting as Secret in Azure Key Vault. The Secret must have the name _AppConfig--JamfValidation--APIPassword_.
 
 {% hint style="info" %}
-Applicable to version 1.7 and above
+If you set this setting as a Secret in the Key Vault, you do not need to add the **AppConfig:JamfValidation:APIPassword** to SCEPman configuration anymore.
 {% endhint %}
 
-**Value:** _String_
+## AppConfig:JamfValidation:DefaultEkus
 
-**Description:** The root URL of your Jamf instance. If you use Jamf Cloud, this will probably look like `https://your-instance.jamfcloud.com/`.
+{% hint style="info" %}
+Applicable to version 2.8 and above
+{% endhint %}
 
-## AppConfig:JamfValidation:APIUsername
+**Value:** Oids of the extended key usages (EKUs) that are added to the certificate if the Jamf endpoint is used. The Oids are separated by a comma, semicolon, or space. The default is Client Authentication (1.3.6.1.5.5.7.3.2)
+
+**Description:** If a certificate request does not contain any EKUs, SCEPman adds the EKUs defined in this setting to the certificate. Currently, Jamf never adds EKUs to the certificate request, so all certificates enrolled through Jamf will have the EKUs defined in this setting. If AppConfig:UseRequestedKeyUsages is set to _false_, the EKUs defined in this setting will be added to the certificate even if the certificate request contains EKUs.
+
+## AppConfig:JamfValidation:DefaultKeyUsage
 
 {% hint style="info" %}
-Applicable to version 1.7 and above
+Applicable to version 2.8 and above
 {% endhint %}
 
-**Value:** _String_
+**Value:** EncipherOnly|CrlSign|KeyCertSign|KeyAgreement|DataEncipherment|*KeyEncipherment*|NonRepudiation|*DigitalSignature*|DecipherOnly (defaults are in *italic*)
 
-**Description:** The name of a service account in Jamf that SCEPman uses to authenticate on your Jamf instance. SCEPman needs the following permissions to query for computers, devices, and users:
+**Description:** If a certificate request does not contain a Key Usage, SCEPman adds the Key Usage defined in this setting to the certificate. If AppConfig:UseRequestedKeyUsages is set to _false_, the Key Usage defined in this setting will be added to the certificate even if the certificate request contains a Key Usage.
 
-* Computers -> Read
-* Mobile Devices -> Read
-* Users -> Read
+## AppConfig:JamfValidation:EnableCertificateStorage
 
-## AppConfig:JamfValidation:APIPassword
+{% hint style="info" %}
+Applicable to version 2.3 and above
+
+SCEPman Enterprise Edition only
+{% endhint %}
+
+**Value:** _true_ or _false_ (default)
+
+**Description:** When requesting certificates via the Jamf endpoint, SCEPman stores those requested certificates in the Storage Account in Azure if this is set to _true_. This will make the issued certificates appear in SCEPman Certificate Master, where you can view and revoke them manually. Additionally, certificates are revoked automatically if the corresponding Jamf object is deleted. If set to _false_, SCEPman will not store issued certificates and the certificates are visible only in the logs or if the SCEP client stores them somewhere. If this is not set, the behavior depends on the global setting AppConfig:EnableCertificateStorage.
+
+## AppConfig:JamfValidation:RequestPassword
 
 {% hint style="info" %}
 Applicable to version 1.7 and above
 {% endhint %}
 
 **Value:** _String_
 
-**Description:** The password of the service account configured in AppConfig:JamfValidation:APIUsername.
+**Description:** A challenge password (max 32 characters) that Jamf must include in every SCEP request to acquire a certificate. Only used if AppConfig:JamfValidation:Enabled is set to _true_.
 
-We recommend to define this setting as Secret in Azure Key Vault. The Secret must have the name _AppConfig--JamfValidation--APIPassword_.
+We recommend to define this setting as Secret in Azure Key Vault. The Secret must have the name _AppConfig--JamfValidation--RequestPassword_.
+
+## AppConfig:JamfValidation:ValidityPeriodDays
 
 {% hint style="info" %}
-If you set this setting as a Secret in the Key Vault, you do not need to add the **AppConfig:JamfValidation:APIPassword** to SCEPman configuration anymore.
+Applicable to version 1.7 and above
 {% endhint %}
 
-## AppConfig:JamfValidation:EnableCertificateStorage
+**Value:** Positive _Integer_
 
-{% hint style="info" %}
-Applicable to version 2.3 and above
+**Description:** This setting further reduces the global ValidityPeriodDays for the Jamf endpoint.
 
-SCEPman Enterprise Edition only
+## AppConfig:JamfValidation:URL
+
+{% hint style="info" %}
+Applicable to version 1.7 and above
 {% endhint %}
 
-**Value:** _true_ or _false_ (default)
+**Value:** _String_
 
-**Description:** When requesting certificates via the Jamf endpoint, SCEPman stores those requested certificates in the Storage Account in Azure if this is set to _true_. This will make the issued certificates appear in SCEPman Certificate Master, where you can view and revoke them manually. Additionally, certificates are revoked automatically if the corresponding Jamf object is deleted. If set to _false_ or not set, SCEPman will not store issued certificates and the certificates are visible only in the logs or if the SCEP client stores them somewhere.
+**Description:** The root URL of your Jamf instance. If you use Jamf Cloud, this will probably look like `https://your-instance.jamfcloud.com/`.

docs/advanced-configuration/application-settings/static-validation.md

@@ -16,6 +16,26 @@ Applicable to version 1.6 and above
 
 **True**: SCEPman listens at the additional SCEP server endpoint with the path `/static`. Use in conjunction with AppConfig:StaticValidation:RequestPassword. **False** (default): SCEPman does not issue certificates for 3rd-party MDM systems (i.e. other than Intune and JAMF).
 
+## AppConfig:StaticValidation:DefaultEkus
+
+{% hint style="info" %}
+Applicable to version 2.8 and above
+{% endhint %}
+
+**Value:** Oids of the extended key usages (EKUs) that are added to the certificate if the Jamf endpoint is used. The Oids are separated by a comma, semicolon, or space. The default is Client Authentication (1.3.6.1.5.5.7.3.2)
+
+**Description:** If a certificate request does not contain any EKUs, SCEPman adds the EKUs defined in this setting to the certificate. If AppConfig:UseRequestedKeyUsages is set to _false_, the EKUs defined in this setting will be added to the certificate even if the certificate request contains EKUs.
+
+## AppConfig:StaticValidation:DefaultKeyUsage
+
+{% hint style="info" %}
+Applicable to version 2.8 and above
+{% endhint %}
+
+**Value:** EncipherOnly|CrlSign|KeyCertSign|KeyAgreement|DataEncipherment|*KeyEncipherment*|NonRepudiation|*DigitalSignature*|DecipherOnly (defaults are in *italic*)
+
+**Description:** If a certificate request does not contain a Key Usage, SCEPman adds the Key Usage defined in this setting to the certificate. If AppConfig:UseRequestedKeyUsages is set to _false_, the Key Usage defined in this setting will be added to the certificate even if the certificate request contains a Key Usage.
+
 ## AppConfig:StaticValidation:RequestPassword
 
 {% hint style="info" %}
@@ -48,4 +68,4 @@ SCEPman Enterprise Edition only
 
 **Value:** _true_ or _false_ (default)
 
-**Description:** When requesting certificates via the static endpoint, SCEPman stores those requested certificates in the Storage Account in Azure if this is set to _true_. This will make the issued certificates appear in SCEPman Certificate Master, where you can view and revoke them. If set to _false_ or not set, SCEPman will not store issued certificates and the certificates are visible only in the logs or if the SCEP client stores them somewhere.
+**Description:** When requesting certificates via the static endpoint, SCEPman stores those requested certificates in the Storage Account in Azure if this is set to _true_. This will make the issued certificates appear in SCEPman Certificate Master, where you can view and revoke them. If set to _false_, SCEPman will not store issued certificates and the certificates are visible only in the logs or if the SCEP client stores them somewhere. If this is not set, the behavior depends on the global setting AppConfig:EnableCertificateStorage.

docs/advanced-configuration/application-settings/staticaad-validation.md

@@ -16,6 +16,27 @@ Applicable to version 2.2 and above
 
 **True**: SCEPman listens at the additional SCEP server endpoint with the path `/static/aad`. Use in conjunction with AppConfig:StaticAADValidation:RequestPassword. **False** (default): SCEPman does not issue AAD-bound certificates for 3rd-party MDM systems.
 
+## AppConfig:StaticAADValidation:DefaultEkus
+
+{% hint style="info" %}
+Applicable to version 2.8 and above
+{% endhint %}
+
+**Value:** Oids of the extended key usages (EKUs) that are added to the certificate if the Jamf endpoint is used. The Oids are separated by a comma, semicolon, or space. The default is Client Authentication (1.3.6.1.5.5.7.3.2)
+
+**Description:** If a certificate request does not contain any EKUs, SCEPman adds the EKUs defined in this setting to the certificate. If AppConfig:UseRequestedKeyUsages is set to _false_, the EKUs defined in this setting will be added to the certificate even if the certificate request contains EKUs.
+
+## AppConfig:StaticAADValidation:DefaultKeyUsage
+
+{% hint style="info" %}
+Applicable to version 2.8 and above
+{% endhint %}
+
+**Value:** EncipherOnly|CrlSign|KeyCertSign|KeyAgreement|DataEncipherment|*KeyEncipherment*|NonRepudiation|*DigitalSignature*|DecipherOnly (defaults are in *italic*)
+
+**Description:** If a certificate request does not contain a Key Usage, SCEPman adds the Key Usage defined in this setting to the certificate. If AppConfig:UseRequestedKeyUsages is set to _false_, the Key Usage defined in this setting will be added to the certificate even if the certificate request contains a Key Usage.
+
+
 ## AppConfig:StaticAADValidation:RequestPassword
 
 {% hint style="info" %}
@@ -48,4 +69,4 @@ SCEPman Enterprise Edition only
 
 **Value:** _true_ or _false_ (default)
 
-**Description:** When requesting certificates via the StaticAAD endpoint, SCEPman stores those requested certificates in the Storage Account in Azure if this is set to _true_. This will make the issued certificates appear in SCEPman Certificate Master, where you can view and revoke them manually. Additionally, certificates are revoked automatically if the corresponding AAD object is disabled or deleted. If set to _false_ or not set, SCEPman will not store issued certificates and the certificates are visible only in the logs or if the SCEP client stores them somewhere.
+**Description:** When requesting certificates via the StaticAAD endpoint, SCEPman stores those requested certificates in the Storage Account in Azure if this is set to _true_. This will make the issued certificates appear in SCEPman Certificate Master, where you can view and revoke them manually. Additionally, certificates are revoked automatically if the corresponding AAD object is disabled or deleted. If set to _false_, SCEPman will not store issued certificates and the certificates are visible only in the logs or if the SCEP client stores them somewhere. If this is not set, the behavior depends on the global setting AppConfig:EnableCertificateStorage.

docs/changelog.md

@@ -4,8 +4,26 @@
 
 ### 2.8 - Currently in Internal and Beta Channel
 
+#### SCEPman 2.8.1126
+
+* Improvements to OCSP response times
+* Logging improvements
+  * Tweaking of log levels to better emphasize important information
+  * Additional information about certificate revocations
+  * Less log clutter
+  * A transaction ID in the logs allows to correlate log entries that belong to the same SCEP or OCSP request
+* Configure default Extended Key Usages (EKUs) and Key Usages for each SCEP endpoint, e.g. if you want to enroll smart-card authentication certificates through [Jamf](advanced-configuration/application-settings/jamf-validation.md#appconfigjamfvalidationdefaultekus)
+* Update to .NET 8
+* Library updates
+  * Including the update of Azure.Identity to 1.11, fixing [CVE-2024-29992](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-29992). Currently, the exploit is not publicly disclosed, so the scope of the issue is unclear, but the published information indicates that SCEPman is likely not affected.
+* Small improvements, including:
+  * Use a Managed Identity when logging to Azure Event Hub
+
 #### Certificate Master 2.8
 
+* Update to .NET 8
+* Libary updates
+  * Including the update of Azure.Identity to 1.11, fixing [CVE-2024-29992](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-29992). Currently, the exploit is not publicly disclosed, so the scope of the issue is unclear, but the published information indicates that SCEPman is likely not affected.
 * Fixed a bug where the certificates were not displayed when there was a certificate in the list without CN field.
 
 ### 2.7 - February 2024

docs/scepman-configuration/optional/application-settings/basics.md

@@ -36,6 +36,24 @@ You can send Debug log information to a cloud-based monitoring solution of our c
 Do not forget to restart SCEPman App Service after enabling and saving the setting.
 {% endhint %}
 
+## AppConfig:CertificateStorage:TableStorageEndpoint
+
+This defines which Table Storage Endpoint to use for checking manual certificate revocations. If you remove this setting, SCEPman will not use the database for revocation checks.
+
+{% hint style="danger" %}
+Changes can harm your service!
+{% endhint %}
+
+## AppConfig:EnableCertificateStorage
+
+{% hint style="info" %}
+Applicable to version 2.8 and above
+{% endhint %}
+
+**Value:** _true_ or _false_ (default)
+
+**Description:** When requesting certificates, SCEPman stores those requested certificates in the Storage Account in Azure if this is set to _true_ and when this setting is not explictly overriden with _false_ for the specific endpoint. This will make the issued certificates appear in SCEPman Certificate Master, where you can view and revoke them manually. Additionally, certificates are revoked automatically depending on the specific SCEP endpoint used for enrollment. If set to _false_ or not set, SCEPman will only store issued certificates for those endpoint where certificate storage has been explicitly enabled. If a certificate is not stored,they are visible only in the logs or if the SCEP client stores them somewhere.
+
 ## WEBSITE\_RUN\_FROM\_PACKAGE
 
 This setting points to the Application Artifacts that will be loaded by starting the App Service.\

docs/scepman-configuration/optional/application-settings/csr-validation.md

@@ -8,14 +8,6 @@ Applicable to version 2.0 and above
 SCEPman Enterprise Edition only
 {% endhint %}
 
-## AppConfig:CertificateStorage:TableStorageEndpoint
-
-This defines which Table Storage Endpoint to use for checking manual certificate revocations. If you remove this setting, SCEPman will not use the database for revocation checks.
-
-{% hint style="danger" %}
-Changes can harm your service!
-{% endhint %}
-
 ## AppConfig:CertMaster:URL
 
 **Value:** The URL of your SCEPman Certificate Master App Service

docs/scepman-configuration/optional/application-settings/intune-validation.md

@@ -152,4 +152,4 @@ SCEPman Enterprise Edition only
 
 **Value:** _true_ or _false_ (default)
 
-**Description:** When requesting certificates via the Intune endpoint, SCEPman stores those requested certificates in the Storage Account in Azure if this is set to _true_. This will make the issued certificates appear in SCEPman Certificate Master, where you can view and revoke them manually. Additionally, certificates are revoked automatically when the associated Entra or Intune object goes into an invalid state as specified by the other settings (like being disabled or deleted). If set to _false_ or not set, SCEPman will not store issued certificates and the certificates are visible only in the logs or in the classic Intune view on Certificate Master or the Intune portal.
+**Description:** When requesting certificates via the Intune endpoint, SCEPman stores those requested certificates in the Storage Account in Azure if this is set to _true_. This will make the issued certificates appear in SCEPman Certificate Master, where you can view and revoke them manually. Additionally, certificates are revoked automatically when the associated Entra or Intune object goes into an invalid state as specified by the other settings (like being disabled or deleted). If set to _false_, SCEPman will not store issued certificates and the certificates are visible only in the logs or in the classic Intune view on Certificate Master or the Intune portal. If this is not set, the behavior depends on the global setting AppConfig:EnableCertificateStorage.