
Certificate Management

While passwords are commonly used for security and authentication, many organizations now prefer digitally signed certificates to authenticate users before they access Exchange servers, Wi-Fi, VPNs, etc., as this reduces forgotten passwords and the many password resets they cause. Mobile Device Manager Plus MSP (MDM) simplifies the creation, distribution and renewal of digitally signed certificates.

There are two types of commonly used certificates:

Trust certificates

Admins use a single certificate to authenticate all the users in the organization. All employees use this trust certificate to authenticate their devices when accessing their Exchange accounts or connecting to Wi-Fi or VPN.

For users to authenticate their devices, the certificate must be present on the device. This is done by distributing the certificate using MDM.

User-specific certificates

Organizations integrate with a Certificate Authority (CA), which is responsible for issuing certificates and creates a certificate for every user in the organization. When integrated with MDM, the CA creates and distributes individual certificates to all users accessing their Exchange accounts, Wi-Fi or VPN.

MDM allows organizations to manage both trust and user-specific certificates with its Certificate Management capabilities.

Adding certificates to the MDM server

Admins can upload the required certificates to the MDM server and distribute them to managed devices. MDM also tracks the expiry details to ensure the certificates are renewed regularly.

Follow the steps given below to add certificates to the MDM server:

  • On the MDM console, navigate to Device Mgmt -> Certificates.
  • In the Certificates tab, click on Add Certificates.
  • Upload the certificate file and provide a password, if applicable.
  • Click on Add Certificate.

Once the certificate is successfully added, details such as the expiry date, the issuer name and the devices or groups it is distributed to are available on the MDM console. You can add multiple certificates by repeating the same steps.

Distributing certificates to Groups/devices

Once the certificates are added to the MDM server, they can be installed on devices by distributing them either to Groups or to the individual devices.

Follow the steps given below to distribute certificates to Groups/devices:

  • Navigate to Device Mgmt -> Profiles.
  • Click on Create Profile and select the OS for which you want to create the profile.
  • Select the policy for which certificate-based authentication needs to be configured. MDM supports certificate-based authentication for Wi-Fi, VPN, Exchange ActiveSync, Email and Enterprise SSO (an iOS-specific feature).
  • Provide the required details and, for the Certificates option, select one of the certificates listed. You can also add new certificates from the same view.

Integrating CA servers with MDM

To generate user-specific certificates, MDM must be integrated with the CA server so that certificates are created dynamically for each user.

MDM integrates with CA servers through a Simple Certificate Enrollment Protocol (SCEP) server.

Configuring SCEP in MDM

To configure SCEP in MDM, first ensure the prerequisites are met. For the list of prerequisites and the steps to configure them, refer to this document.

Follow the steps given below to configure SCEP in MDM:

  • On the MDM console, navigate to Device Mgmt -> Certificates.
  • Click on the CA Servers tab and click on Add CA server.
  • Provide the following details:
      • Certificate Authority Name: Specify the name of the Certificate Authority issuing the certificates.
      • Server URL: The URL the device contacts to obtain its certificate; the certificate request is sent to this URL. Provide the HTTP server URL if the SCEP server is within the organization's network and not exposed to external networks. For NDES, the server URL has the format http://<your-server>/CertSrv/mscep/mscep.dll
      • Thumbprint of CA Certificate: A unique identifier of the CA certificate. This information is available on the CA server and is optional.
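The thumbprint entered for the CA server, and the issuer and expiry details MDM records when a certificate is added (see Adding certificates to the MDM server), can be read off the CA certificate itself before anything is typed into the console. The following shell script is an added example, not part of this documentation or of Mobile Device Manager Plus; it uses the openssl command-line tool and creates a throwaway self-signed test CA as constructed input, so it runs offline. The function names and the 60-day renewal window are this example's own choices.

```shell
#!/bin/sh
# Added example (not ManageEngine code): inspect a CA certificate the way an
# admin would before pasting its details into the MDM console. Requires the
# openssl CLI. The test CA below is constructed locally; no real CA is involved.

# Create a throwaway self-signed CA in directory $1 (constructed test data).
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example MDM Test CA/O=Example Org" \
    -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
}

# SHA-1 thumbprint as certificate viewers show it: 20 colon-separated bytes.
cert_thumbprint_sha1() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2
}

# Issuer DN, one of the details MDM records when a certificate is added.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer | cut -d= -f2-
}

# notAfter date, the value MDM tracks to raise renewal reminders.
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate | cut -d= -f2-
}

# RSA modulus size in bits from the certificate's public key.
cert_key_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeeds (exit 0) when the certificate expires within $2 seconds.
# openssl's -checkend exits 0 while the cert is still valid at that point,
# so the result is inverted here.
cert_expires_within() {
  if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; then
    return 1
  fi
  return 0
}

# Compare the file's thumbprint with an expected (pinned) value, ignoring
# colons and case so values copied from different tools compare equal.
verify_ca_thumbprint() {
  actual=$(cert_thumbprint_sha1 "$1" | tr -d ':' | tr 'a-f' 'A-F')
  expected=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Walkthrough: generate the constructed CA and print what the console asks for.
inspect_demo() {
  dir=$(mktemp -d)
  make_test_ca "$dir"
  echo "Issuer:     $(cert_issuer "$dir/ca.pem")"
  echo "Not after:  $(cert_not_after "$dir/ca.pem")"
  echo "Key bits:   $(cert_key_bits "$dir/ca.pem")"
  echo "Thumbprint: $(cert_thumbprint_sha1 "$dir/ca.pem")"
  # 60-day window is this example's choice for a renewal reminder.
  if cert_expires_within "$dir/ca.pem" $((60 * 86400)); then
    echo "Renew: certificate expires within 60 days"
  fi
  rm -rf "$dir"
}

# Set MDM_CERT_DEMO=1 to run the walkthrough when executing this file directly.
if [ -n "${MDM_CERT_DEMO:-}" ]; then inspect_demo; fi
```

Run it as MDM_CERT_DEMO=1 sh inspect_ca.sh. verify_ca_thumbprint normalises colons and case, so the value shown in the CA server's certificate viewer compares equal to the one openssl prints; cert_expires_within is the check to schedule ahead of the console's expiry reminder.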

Creating templates for the CA servers

To create user-specific certificates, a template needs to be configured; the CA issues every certificate based on this template.

Follow the steps given below to configure the template on MDM:

  • On the MDM console, navigate to Device Mgmt -> Certificates.
  • Click on the Templates tab and click on Add Templates.
  • Provide the following details:
      • Subject: Specify the details (%username%, %email%, %domainname%, %devicename%) to map the corresponding values from the device.
      • Subject Alternative Name Type: Specify the alternate name type (RFC 822 Name, DNS Name or Uniform Resource Identifier).
      • Subject Alternative Name Type Value: Specify the value for the alternative name type. Can be configured only if Subject Alternative Name Type is configured.
      • NT Principal Name: Specify the NT Principal Name used in the organization.
      • Maximum Number of Failed Attempts: Maximum number of attempts to obtain the certificate from the CA.
      • Time interval between attempts: Time to wait before subsequent attempts to obtain the certificate.
      • Challenge Type: A pre-shared secret key provided by the CA, which adds an additional layer of security.
      • Enrollment Challenge Password: Provide the challenge password to be used. The challenge password can be identified as explained here.
      • Key Size: Specify whether the key is 1024 or 2048 bits.
      • Use as Digital Signature: Enabling this ensures the certificate can be used for digital signatures.
      • Use for Key Encipherment: Enabling this ensures the certificate can be used for key encipherment.
      • Certificate Auto Renewal: Enabling this ensures the certificates are renewed immediately upon expiry.
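To make the template fields concrete, here is an added shell example (not ManageEngine's code and not how MDM implements templates internally) that expands the %username%, %email%, %domainname% and %devicename% placeholders into a subject, maps the three Subject Alternative Name types to openssl's subjectAltName prefixes, builds the certificate signing request a SCEP client would submit, and applies the Maximum Number of Failed Attempts and Time interval between attempts semantics as a bounded retry. The DN template shape (CN=%username%,O=%domainname%), the insistence on 2048-bit keys, the prefix mapping and all function names are this example's assumptions; the user and device values are constructed.

```shell
#!/bin/sh
# Added example (not ManageEngine code): the device-side meaning of the
# template fields. The %variable% names come from the documentation; the DN
# template shape, the openssl SAN prefixes and the function names are assumed.

# Escape a value for use in a sed replacement (handles / & and backslash).
sed_escape() {
  printf '%s' "$1" | sed 's|[&/\\]|\\&|g'
}

# expand_template TEMPLATE USERNAME EMAIL DOMAINNAME DEVICENAME
# Replaces the MDM placeholders with the enrolling user's values.
expand_template() {
  printf '%s' "$1" | sed \
    -e "s/%username%/$(sed_escape "$2")/g" \
    -e "s/%email%/$(sed_escape "$3")/g" \
    -e "s/%domainname%/$(sed_escape "$4")/g" \
    -e "s/%devicename%/$(sed_escape "$5")/g"
}

# san_entry TYPE VALUE -> openssl subjectAltName syntax for the three SAN
# types the template offers (the prefix mapping is this example's assumption).
san_entry() {
  case "$1" in
    "RFC 822 Name")                printf 'email:%s' "$2" ;;
    "DNS Name")                    printf 'DNS:%s' "$2" ;;
    "Uniform Resource Identifier") printf 'URI:%s' "$2" ;;
    *) echo "unsupported SAN type: $1" >&2; return 1 ;;
  esac
}

# Accept only the larger of the two key sizes the template offers; 1024-bit
# RSA is below the minimum generally accepted today.
key_size_ok() {
  [ "$1" -eq 2048 ]
}

# Convert "CN=alice,O=corp.example" (comma-separated RDNs whose values contain
# no commas) to openssl's "/CN=alice/O=corp.example" -subj form.
to_openssl_subj() {
  printf '/%s' "$(printf '%s' "$1" | sed 's/, */\//g')"
}

# build_csr SUBJECT_DN KEY_BITS KEY_OUT CSR_OUT: the request a SCEP client
# would send to the Server URL; fails closed when the key size is not acceptable.
build_csr() {
  key_size_ok "$2" || return 1
  openssl req -new -newkey "rsa:$2" -nodes -keyout "$3" -out "$4" \
    -subj "$(to_openssl_subj "$1")" >/dev/null 2>&1
}

# enroll_with_retry MAX_ATTEMPTS INTERVAL_SECONDS COMMAND [ARGS...]
# Gives up after MAX_ATTEMPTS failures, waiting INTERVAL_SECONDS between tries:
# the "Maximum Number of Failed Attempts" and "Time interval between attempts"
# fields applied to whatever command performs the enrollment request.
enroll_with_retry() {
  max_attempts=$1; interval=$2; shift 2
  attempt=1
  while [ "$attempt" -le "$max_attempts" ]; do
    if "$@"; then
      return 0
    fi
    if [ "$attempt" -lt "$max_attempts" ]; then
      sleep "$interval"
    fi
    attempt=$((attempt + 1))
  done
  return 1
}

# Walkthrough with constructed user and device values.
template_demo() {
  dir=$(mktemp -d)
  dn=$(expand_template 'CN=%username%,emailAddress=%email%,O=%domainname%' \
        alice alice@corp.example corp.example iPhone-12)
  echo "Subject: $dn"
  echo "SAN:     $(san_entry 'RFC 822 Name' alice@corp.example)"
  if build_csr "$dn" 2048 "$dir/device.key" "$dir/device.csr"; then
    openssl req -in "$dir/device.csr" -noout -subject
  fi
  # 'false' stands in for a SCEP request that keeps failing: 3 attempts, 1 s apart.
  enroll_with_retry 3 1 false || echo "Enrollment failed after 3 attempts"
  rm -rf "$dir"
}

# Set MDM_TEMPLATE_DEMO=1 to run the walkthrough when executing this file directly.
if [ -n "${MDM_TEMPLATE_DEMO:-}" ]; then template_demo; fi
```

sed_escape matters because e-mail addresses and device names can contain characters that sed treats specially; without it a placeholder value could corrupt the subject silently. The retry helper counts attempts, not elapsed time, which is how the two template fields are described.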

Modifying or Renewing Certificates

Most certificates require regular renewal, and MDM notifies the admin on the MDM console about managed certificates that are about to expire. Upload the renewed certificates by following the steps given below:


  • Select the certificate to be updated and click on Modify.
  • Upload the renewed certificate and click on the Modify Certificate button.
  • The certificate is automatically updated on the profiles it was previously associated with.

Admins can either manually re-distribute the updated profiles to devices or automate the process by enabling the option Automatically re-distribute modified profiles to devices while uploading the new certificate.
