Before you do anything else, you’ll need to add a SCEP provisioner to your new authority (new or existing). To do that,
Run the command to “Configure step to use this authority” under “Quick Actions” on your authority page. They will have you “bootstrap” to your new authority via the step CLI.
Then run these commands from your local terminal:
# create a decrypter provisioner
# this will ask you to provide a password used to protect the provisioner
step ca provisioner add decrypter --type JWK --create --x509-max-dur 8760h
# mint a decrypter cert
step ca certificate scep-decrypter decrypter.crt decrypter.key --kty RSA --size 3072 --not-after 8760h --provisioner decrypter
# create the SCEP provisioner
step ca provisioner add <name> --type SCEP --challenge <challenge> --scep-decrypter-key-file decrypter.key --scep-decrypter-certificate-file decrypter.crt --encryption-algorithm-identifier 2
Replace
<challenge>in the second command with a SCEP challenge secret (e.g., generated viahead /dev/urandom | shasumor whatever your favorite secret-generation-command is). Keep it somewhere safe because you’ll need it later
There is currently not a way to set up a RADIUS Server without first creating a Mobile Device collection. As “Windows” isn’t currently supported without Intune, we’ll just use the macOS device type and ignore the profile it generates.
In the Smallstep Dashboard, navigate to the Devices → Mobile Devices tab on the left of the screen.
Click Add Collection, and select the option for Any macOS, iPadOS, or iOS device from the list of platforms.
Make a new WiFi account.
And set up your WiFi and CA settings in the following screen.
Make sure to select the Certificate Authority with the SCEP provisioner created in step 1
This new WiFi account will be used to configure the Wifi profile in next steps.