Enterprise users often require the use of cryptographic certificates to access enterprise resources. For example, users may require a certificate to verify their identities when logging onto or otherwise accessing a particular service. As another example, users may require a certificate to encrypt network communications between their client devices and enterprise services. These certificates are often provided by a certificate authority (CA), which can be managed by the enterprise.
A management agent provided by a third party, such as an enterprise mobility management (EMM) agent installed on a client device, can request certificates from the CA. For example, the EMM software can make a request using the Simple Certificate Enrollment Protocol (SCEP). This SCEP request can include credentials that a user provides to the EMM software to authenticate the user device with the CA. In response, the CA can determine that the client device is authorized to receive a certificate and can provide the certificate to the requesting device. However, in these implementations, a user's authentication credentials (e.g., a password) can be leaked to the third party, because the user has to provide those credentials to the EMM software in order to receive a certificate from the CA.