Certificate Management

The Logs > Certificate Management tab displays certificate-related log entries. You can:

  • View certificate log entries
  • Search certificate log entries
  • Remove selected certificates from the log
  • Revoke selected certificates from the log
  • Re-enroll selected certificates from the log

Actions on certificates are logged in Logs > Audit Logsin the Certificate category.

How to search for certificate entries

When viewing the Certificate Management page, you can search for entries based on:

  • Expiration date
  • User
  • Setting

Procedure 

  1. In the Admin Portal, go to Logs > Certificate Management.
  2. Specify one or more of the criteria in the following steps to describe the certificates you want to display.
  3. (Optional) To specify a time range within which the certificates expired:
    • In the Expiration Date Range field, click the calendar next to the field, and then click on a date. This date is the earliest day the certificates you are searching for expired.
    • In the To field click the calendar next to the field, and then click on a date. This date is the latest day the certificates you are searching for expired.

      An error message displays if you select a day in the Expiration Date Range field earlier than the day specified in the To field. For example you receive an error message if you:

    • An error message displays if you select a day in the Expiration Date Range field earlier than the day specified in the To field. For example you receive an error message if you:

      Select November 13th in the Expired Date Range field (earliest time a certificate expired).

      Select October 15th in the To field (latest time a certificate expired).

    The search can return fewer than all the certificates that expired during the specified time period if you specify other criteria in Step 4.

  4. (Optional) In Search by User/Setting Name, enter a username or a setting name.

    Item

    Description

    Certificate Enrollment

    Displays the name of the Certificate Enrollment setting.

    Setting

    Displays the configuration using the Certificate Enrollment.

    The configuration displays only for a non-cached Certificate Enrollment. Configuration names are not available for certificates created in VSP Version 6.0 or earlier.

    For a cached Certificate Enrollment certificate, you will always see - in the Setting Name, regardless of whether it was created prior to version 7.0 or created in version 7.0.

    For Android devices, the Setting Name displays only for APPCONFIG, APPPOLICY, and WEB@WORK settings; otherwise a "-" displays.

  5. Click Search.

    Search results are displayed in a table with the following columns:

    Item

    Description

    User

    The user name of the device user identified by the identity certificate.

    Phone Number

    The phone number associated with the device user identified by the identity certificate.

    Email

    The email address associated with the device user identified by the identity certificate.

    Certificate Enrollment Name

    The name of the certificate enrollment (such as SCEP, Local, Entrust) used to issue the identity certificate.

    Setting Name

    The name of the setting that uses the certificate enrollment, such as an Exchange or Ivanti Web@Work setting.

    Cert Type

    Indicates whether the certificate is a user-provided certificate enrollment. Otherwise, this field is left blank.

    Expiration Date

    The date by which the identity certificate will no longer be valid.

    Content

    Click the View link to see the contents of the identity certificate itself.

How to remove a certificate

This action removes the certificate from device, but does not remove the SCEP setting.

Procedure 

  1. Go to Logs > Certificate Management.
  2. Select the certificate that you want to remove.
  3. Click Actions > Remove.

How to revoke a certificate

You can revoke certificates created using a Local Certificate Authority, OpenTrust, Entrust API Version 9, and Symantec Web Service PKI. Revoking a certificate adds the certificate to the CRL (Certificate Revocation List). When a device authenticates with Ivanti EPMM, the system first checks the CRL to verify that the certificate is not on the list. If the certificate is on the list, authentication fails.

Procedure 

  1. Go to Logs > Certificate Management.
  2. Select the certificate that you want to revoke.
  3. Click Actions > Revoke.

The certificate will be added immediately to the CRL so the next time the device attempts to authenticate, authentication will fail.

How to re-enroll a SCEP certificate

This feature is not supported on Android devices.