Managing DigiCert Certificates with Mobile Device Manager Plus
DigiCert is a certificate authority (CA) that issues certificates to mobile devices for enhanced app and data security. Mobile Device Manager Plus integrates with DigiCert to allow IT admins to simplify the creation and distribution of user-specific certificates.
By integrating the DigiCert CA with Mobile Device Manager Plus, organizations can provide passwordless authentication on mobile devices thereby reducing password reset requests and password fatigue for users. IT admins can also automate the renewal of certificates to ensure the devices always have the updated certificates available on them.
This document covers the steps involved in creating the CA server and template which are required to manage DigiCert certificates using Mobile Device Manager
Adding a CA server
Follow the steps given below to add a DigiCert CA server on Mobile Device Manager Plus:
Generating the Certificate Signing Request (CSR)
- On the MDM server, navigate to Device Mgmt -> Certificates and click on the CA servers tab.
- Click on Add CA server to create a new CA server on MDM.
- Under Server Type, select DigiCert.
- Copy the Certificate Signing Request (CSR) that is generated. This is required to generate the Registration Authority (RA) certificate on the DigiCert portal.
Obtaining the RA certificate from the DigiCert PKI Manager
- Login to the DigiCert PKI Manager to create the RA certificate.
- From the Tasks menu, select Get an RA certificate.
- Paste the CSR copied from the MDM console and optionally specify a name for identifying the certificate under Enter a certificate friendly name.
- Click on Continue and Download to download the RA certificate.
Creating a Certificate Profile in DigiCert PKI Manager
- On the DigiCert PKI Manager console, click on Manage Certificate Profiles
- Select Add Certificate Profiles from the top pane.
- Select the mode of provisioning for the profile you're creating. You can select from the following options:
- Test Mode: This profile will be used for testing purposes. Once testing is complete, the profiles and certificates can be moved to Production.
- Production Mode: This profile will be used for managing active users and certificates.
- Click on Continue
- Select MDM as the profile type. This specifices that the CA server will issue certificates to the devices enrolled in an MDM solution. Click on Continue
- Specify a name for the certificate template under Certificate friendly name.
- Click on Advanced Settings to configure additional details.
- Under Subject DN, click on Add field.
- In the Certificate field dropdown, select Unique Identifier. In Source for the field's value dropdown, select Scep Request.
- Under the SubjectAltName option, click on Add field. Under the Certificate Field option, select Other Name (UPN).
- For the Source for the field's value option, select Scep Request.
- Click on Save and Continue to save the certificate profile.
- Copy the Certificate Profile OID and SCEP Enrollment URL. This needs to be pasted on the MDM console.
Adding DigiCert server details to the MDM server
- On the MDM console, paste the Profile OID and DigiCert URL. Upload the RA Certificate generated on the DigiCert portal.
- Click on Save to add the DigiCert server to MDM.
Creating certificate template
Certificate template contains the information based on which the CA server generates and issues certificates to the managed devices. Follow the steps given below to configure the certificate template
- On the MDM server, click on the Templates tab, add a new template and provide a template name.
- For entering the Subject, specify the required details using dynamic variables, such as %username% or %email%.
- For Subject Alternative Name Type, select RFC 822 Name and for Subject Alternative Name Type Value, enter %email%.
- Select the key size and key usage fields.
- You can also configure the certificates to be automatically renewed upon expiry by selecting Certificate Automatic Renewal as yes and entering the number of days before expiry that the certificate must be renewed.
Creating a SCEP profile
To distribute certificates to managed devices, you must associate a SCEP profile with these devices. Follow the steps given below to create and associate the SCEP profile to devices
- Navigate to Device Mgmt -> Profiles and create either an Apple, Android or Windows profile.
- Select SCEP from the list of supported policies.
- Select the created Certificate template.
- Click on Save and publish the profile.
Associate the profile to a device for testing before distributing it to your production environment using Groups.