Certificate authentication

Environment Manager allows you to authenticate with the Personalization server using certificate authentication. Use certificate authentication for remote work without a virtual private network (VPN).

To use certificate authentication:

  1. Create and export certificates

  2. Enable server authentication using https

  3. Enable Personalization server certificate authentication

  4. Deploy the client certificate to managed endpoints

Create and export certificates

We recommend you generate fully-licensed certificates using a trusted certificate authority. For detailed instructions on generating certificates, consult the help documentation for the trusted certificate authority you're using.

Generate server and client certificates with a public/private key pair, and provide fully qualified names including the domain.

To export certificates:

  1. Navigate to the location where you saved the certificates.

  2. Right-click on the client certificate, and select All Tasks > Export to open the Certificate Export Wizard. Select Next.

  3. Select Yes, export the private key and Next.

  4. Select Personal Information Exchange - PKCS #12 (.PFX), and select from the options:

    • Include all certificates in the certification path if possible
    • Enable certificate privacy

  5. Select Next.

  6. If desired, select Password, enter a password, and confirm it. Select Next.

  7. Select Browse... to choose a location to save the exported certificate, and select Next, then Finish.

Enable server authentication using https

  1. Using the Internet Information Services (IIS) Manager, select the Personalization server.

  2. In the Actions pane under Edit Site, select Bindings to open the Site Bindings dialog.

  3. Select Add to open the Add Site Binding dialog.

  4. Configure the fields:

    1. Type: Select https.

    2. SSL Certificate: Select the server certificate you generated. If it does not appear in the menu, use Select to navigate to the certificate.

  5. Select Close to return to the IIS Manager.

  6. Select SSL Settings to open the SSL Settings pane.

  7. Select Require SSL, and under Client certificates select Require.

  8. Select Apply from the Actions pane.

Enable Personalization server certificate authentication

For the client and Personalization server to authenticate with the certificate, you must enable certificate authentication from within Environment Manager.

  1. In the Environment Manager console, select the Manage tab.

  2. Select Personalization Servers from the ribbon to open the Configure Personalization Servers dialog.

  3. Select Certificate Authentication from the Location pane.

  4. Select Add Certificate from the upper menu.

  5. Browse to the client certificate, and select Open. If you added a password when exporting the certificates, enter it when prompted.

  6. Save the configuration for deployment to the endpoints.

Deploy the client certificate to managed endpoints

You can use the Ivanti Management Center to deliver the certificate to those clients that will use certificate authentication. For more information on using Management Center, refer to the Management Center documentation. Ensure the root certificate is in the Trusted Root Certification Authorities folder.
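
After deployment, the result can be checked on a managed endpoint. The following PowerShell is an added example, not part of the Ivanti documentation or product: it confirms that the deployed client certificate has its private key, is within its validity period, permits client authentication, and chains to a root the endpoint trusts. The function name, the LocalMachine\My store location and the thumbprint placeholder are assumptions.

```powershell
# Added example: validate a deployed client certificate on a managed endpoint.
# Assumptions (not from the page): the certificate is in Cert:\LocalMachine\My and is
# selected by a placeholder thumbprint; Test-ClientAuthCertificate is a hypothetical name.
function Test-ClientAuthCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$WarnDays = 30
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $now = Get-Date

    # The endpoint can only authenticate if the private key came with the certificate.
    if (-not $Certificate.HasPrivateKey) { $findings.Add('Private key is missing.') }

    # Validity window, with an early warning before expiry.
    if ($now -lt $Certificate.NotBefore) { $findings.Add("Not valid until $($Certificate.NotBefore).") }
    elseif ($now -gt $Certificate.NotAfter) { $findings.Add("Expired on $($Certificate.NotAfter).") }
    elseif ($Certificate.NotAfter -lt $now.AddDays($WarnDays)) { $findings.Add("Expires within $WarnDays days.") }

    # An Enhanced Key Usage extension, when present, must list Client Authentication.
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -notcontains $clientAuthOid)) {
        $findings.Add('Enhanced Key Usage does not include Client Authentication.')
    }

    # Build the chain; this fails when the root is not in Trusted Root Certification Authorities.
    # Revocation is not checked here: the test covers the trust path only.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Certificate)) {
        foreach ($s in $chain.ChainStatus) { $findings.Add("Chain: $($s.Status) $("$($s.StatusInformation)".Trim())") }
    }

    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        Passed     = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Replace the placeholder with the thumbprint of the client certificate you deployed.
$thumbprint = '<CLIENT-CERT-THUMBPRINT>'
Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumbprint |
    ForEach-Object { Test-ClientAuthCertificate -Certificate $_ }
```

If the command returns nothing, no certificate with that thumbprint is present in the assumed store.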