Integrating EJBCA server with MDM
EJBCA is an open source certificate authority (CA) that issues and manages user certificates, helping you assure compliance. Through validating your digital identity, it also helps you secure your corporate data and assets. Mobile Device Manager Plus (MDM) integrates with EJBCA to simplify the creation, distribution and renewal of digitally signed certificates.
By integrating EJBCA with Mobile Device Manager Plus, organizations can dynamically create certificates for users and provide passwordless authentication on mobile devices. IT admins can also automate the renewal of certificates to avoid service disruptions, security breaches, and non-compliance.
To set up the EJBCA server, refer the EJBCA documentation.
Configuring EJBCA in MDM
Follow the steps given below to configure EJBCA in MDM
- On the MDM console, navigate to Device Mgmt -> Certificates
- Click on the CA Servers tab and click on Add CA server
- Provide the following details:
|Server Type||Specify server type as EJBCA.|
|Certificate Authority Name||Specify the name of the Certificate Authority issuing certificates.|
|Server URL||The URL to be specified in the device to obtain certificate. Provide HTTP Server URL, if the server is within the organization network and not exposed to external networks. The certificate is requested through this URL.|
|Add CA Certificate||Upload the Certificate Authority's certificate|
Creating templates for the CA servers
For creating user-specific certificates, a template needs to be configured based on which all the certificates will be issued by the CA.
Follow the steps given below to configure the template on MDM:
- On the MDM console, navigate to Device Mgmt -> Certificates.
- Click on Templates tab and click on Add Templates
- Select the server to which the template belongs. In this case, select the EJBCA server that was previously added.
- Provide the following details:
|Certificate Template Name||Specify the certificate template name.|
|Subject||Specify the Subject DN that needs to be present in the certificate. You can use dynamic keys such as %username%, %email%, %firstname% to fetch the the corresponding details mapped to the device. For instance, you can specify C=US,O=Zylker,OU=Zylker,CN=%firstname%.|
|Subject Alternative Name Type||Specify one of the following values, None, RFC 822 Name, DNS Name or Uniform Resource Identifier for the subject alternative name type.|
|Subject Alternative Name Value (Can be configured only if Subject Alternative Name Type is configured)||Specify a value for subject alternative name value. The value to be entered can include DNS name, URI or email. For instance, you can use the dynamic key %email% for subject alternative name value email.|
|NT Principal Name||Specify the NT Principal Name used in the organization.|
|Maximum number of failed attempts||Specify the maximum number of failed validation attempts allowed to obtain the certificate from the CA. Once the maximum limit is exceeded, users will be temporarily restrcted from attempting to vaildate the user account.|
|Time interval between attempts||Time to wait before subsequent attempts to obtain the certificate|
|Challenge Type||A pre-shared secret key provided by the CA, which adds additional layer of security. If Static is chosen, the challenge password will be submitted to the SCEP server for authentication. If None is chosen, no authentication is requested by the SCEP server and any device can receive the certificate by accessing the SCEP URL.|
|Enrollment Challenge Password (Can be configured only if Static challenge type is selected)||Provide the challenge password to be used. All the devices will use the specified password for authentication.|
|Key Size||Specify whether the key is 1024 or 2048 bits|
|Use as Digital Signature||Enabling this ensures the certificate can be used for Digital Signature|
|Use for Key Encipherment||Enabling this ensures the certificate can be used for Key Encipherment|
|Certificate Auto Renewal||Enabling this ensures the certificates are renewed immediately upon expiry.|
|Certificate Automatic Renewal Before||Specify the number of days before which the the certificate must be auto-renewed.|
Creating a SCEP profile
To distribute certificates to managed devices, a SCEP profile need to associated with these devices. Follow the steps given below to create and associate the SCEP profile to devices
- Navigate to Device Mgmt -> Profiles and create either an Apple, Android or Windows profile.
- Select SCEP from the left pane.
- Select the created Certificate template.
- Click on Save and publish the profile.
It is recommended to distribute the profile to a device for testing before distributing it to your production environment. Once testing is complete, you can distribute the profile to your production environment using Groups.