Managing DigiCert Certificates with Mobile Device Manager Plus

DigiCert is a certificate authority (CA) that issues certificates to mobile devices for certificate-based app and data security. Mobile Device Manager Plus integrates with DigiCert so that IT admins can simplify the creation and distribution of user-specific certificates.

By integrating the DigiCert CA with Mobile Device Manager Plus, organizations can provide passwordless, certificate-based authentication on mobile devices, reducing password reset requests and password fatigue for users. IT admins can also automate certificate renewal so that devices always hold a valid, up-to-date certificate.

This document covers the steps involved in creating the CA server and the certificate template that are required to manage DigiCert certificates using Mobile Device Manager Plus.

Adding a CA server

Follow the steps given below to add a DigiCert CA server on Mobile Device Manager Plus:

Generating the Certificate Signing Request (CSR)

  1. On the MDM server, navigate to Device Mgmt -> Certificates and click on the CA servers tab.
  2. Click on Add CA server to create a new CA server on MDM.
  3. Under Server Type, select DigiCert.
  4. Copy the Certificate Signing Request (CSR) that is generated. This is required to obtain the Registration Authority (RA) certificate from the DigiCert portal; the RA certificate is what authorizes the MDM server to request certificates on behalf of devices, so keep the corresponding private key on the MDM server only.

Obtaining the RA certificate from the DigiCert PKI Manager

  1. Log in to the DigiCert PKI Manager to create the RA certificate.
  2. From the Tasks menu, select Get an RA certificate.
  3. Paste the CSR copied from the MDM console and, optionally, enter a name to identify the certificate under Enter a certificate friendly name.
  4. Click Continue, then download the RA certificate that is issued.

Creating a Certificate Profile in DigiCert PKI Manager

  1. On the DigiCert PKI Manager console, click Manage Certificate Profiles.
  2. Select Add Certificate Profiles from the top pane.
  3. Select the mode of provisioning for the profile you are creating from the options listed, then click Continue.
  4. Select MDM as the profile type. This specifies that the CA server will issue certificates to devices enrolled in an MDM solution. Click Continue.
  5. Specify a name for the certificate template under Certificate friendly name. Click Advanced Settings to configure additional details.
  6. Under the SubjectAltName option, click Add field. Under the Certificate Field option, select Other Name (UPN).
  7. For the Source for the field's value option, select SCEP Request, so that the UPN is taken from the enrollment request the MDM server builds from the certificate template rather than from a fixed value.
  8. Click Save and Continue to save the certificate profile.
  9. Copy the Certificate Profile OID and the SCEP Enrollment URL. These must be pasted into the MDM console.

Adding DigiCert server details to the MDM server

  1. On the MDM console, paste the Certificate Profile OID and the SCEP Enrollment URL copied from the DigiCert PKI Manager, and upload the RA certificate downloaded from the DigiCert portal.
  2. Click on Save to add the DigiCert server to MDM.

Creating certificate template

A certificate template contains the information from which the CA server generates and issues certificates to managed devices. Follow the steps given below to configure the certificate template:

  1. On the MDM server, click on the Templates tab, add a new template and provide a template name.
  2. For the Subject, specify the required details using dynamic variables such as %username% or %email%; these are substituted per user when the device enrolls.
  3. For Subject Alternative Name Type, select RFC 822 Name, and for Subject Alternative Name Type Value, enter %email%.
  4. For the Challenge Type option, select Dynamic. A dynamic challenge is generated per enrollment request, so a challenge captured from one device cannot be reused to obtain further certificates, unlike a static challenge password shared by all devices.
  5. Select the key size and key usage fields.
  6. You can also have certificates renewed automatically by setting Certificate Automatic Renewal to Yes and entering the number of days before expiry at which the renewal should be triggered, so that a replacement is issued while the current certificate is still valid.
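
The template steps above substitute user attributes into the subject DN and the SAN, and set a renewal window in days before expiry. The Python script below, added here as an example and not code from Mobile Device Manager Plus or DigiCert, shows what a safe expansion of such a template has to do: DN-escape every substituted subject value (RFC 4514), so a directory value containing a comma cannot add an RDN to the subject; validate the SAN value against its type; refuse to build a request when a variable has no value; and compute the automatic-renewal window from the days-before-expiry setting. The user record, the SAN type names and the function names are assumptions for illustration; it goes beyond the page only in spelling out the escaping and validation a template engine needs.

```python
"""Expand an MDM-style certificate template for one user and check the renewal window.

Added example (not ManageEngine or DigiCert code). It assumes template
variables of the form %username% and %email% as on the page; the user record,
the SAN type names and the function names are hypothetical.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

_VAR = re.compile(r"%([a-z]+)%")
# Characters RFC 4514 requires to be escaped inside a DN attribute value.
# A leading '#' and leading/trailing spaces are handled in escape_dn_value.
_DN_SPECIAL = set(',+"\\<>;')
_EMAIL = re.compile(r"^[^@\s,<>]+@[^@\s,<>]+\.[^@\s,<>]+$")


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it cannot add or alter RDNs in the subject.

    Without this, a directory value such as 'alice,OU=Admins' substituted for
    %username% would become an extra OU RDN in the issued certificate.
    """
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, last)
        if ch in _DN_SPECIAL or leading_hash or edge_space:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def _lookup(user: dict, key: str) -> str:
    """Return the user attribute a template variable refers to, or fail loudly."""
    value = user.get(key)
    if not value:
        raise KeyError(f"user record has no value for %{key}%")
    return value


def expand_subject(template: str, user: dict) -> str:
    """Build the subject DN; every substituted value is DN-escaped."""
    return _VAR.sub(lambda m: escape_dn_value(_lookup(user, m.group(1))), template)


def build_san(san_type: str, value_template: str, user: dict) -> tuple:
    """Build one SAN entry. SAN values are not DN strings, so they are not
    DN-escaped, but each is checked against the form its type expects."""
    value = _VAR.sub(lambda m: _lookup(user, m.group(1)), value_template)
    if san_type == "rfc822Name":
        if not _EMAIL.match(value):
            raise ValueError(f"not a valid rfc822Name: {value!r}")
    elif san_type == "otherName:UPN":
        if value.count("@") != 1:
            raise ValueError(f"not a valid UPN: {value!r}")
    else:
        raise ValueError(f"unsupported SAN type: {san_type}")
    return (san_type, value)


def renewal_due(not_after: datetime, days_before_expiry: int,
                now: Optional[datetime] = None) -> bool:
    """True once 'now' is inside the automatic-renewal window
    (days_before_expiry days before notAfter, inclusive)."""
    now = now or datetime.now(timezone.utc)
    return now >= not_after - timedelta(days=days_before_expiry)


# Constructed sample user; the username deliberately contains DN separators.
SAMPLE_USER = {"username": "alice,OU=Admins", "email": "alice@example.com"}

if __name__ == "__main__":
    print(expand_subject("CN=%username%,OU=Mobile,O=Example Corp", SAMPLE_USER))
    print(build_san("rfc822Name", "%email%", SAMPLE_USER))
    expiry = datetime(2025, 1, 31, tzinfo=timezone.utc)
    print(renewal_due(expiry, 30, now=datetime(2025, 1, 5, tzinfo=timezone.utc)))
```

Run as a script it prints the escaped subject, the SAN tuple and True for a certificate five weeks from expiry with a 30-day renewal window. The escaping is applied only to subject values: an rfc822Name or UPN in the SAN is a separate ASN.1 field, not a DN string, so there the check is that the value has the shape the SAN type expects.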

Creating an SCEP profile

To distribute certificates to managed devices, you must associate an SCEP profile with those devices. Follow the steps given below to create the SCEP profile and associate it with devices:

  1. Navigate to Device Mgmt -> Profiles and create either an Apple, Android or Windows profile.
  2. Select SCEP from the list of supported policies.
  3. Select the created Certificate template.
  4. Click on Save and publish the profile.

Associate the profile with a test device and confirm that the certificate is issued as expected before distributing it to your production devices using Groups.

Copyright © 2020, ZOHO Corp. All Rights Reserved.
ManageEngine