Configuring an Entrust CA

Ivanti EPMM supports integration with the Entrust Administration Services (EAS). This integration allows Ivanti EPMM to work with Entrust to obtain certificates directly from the CA.

Entrust Prerequisites

The information in this section assumes the following:

  • You have the URL for your Entrust server (received from Entrust).
  • You have the Administrator ID and password.

Procedure

  1. Go to Policies & Configs > Configurations and click Add New > Certificate Enrollment > Entrust.
  2. Use the following guidelines to specify the settings.
    • Name: Enter brief text that identifies this group of settings.
    • Description: Enter additional text that clarifies the purpose of this group.
    • API URL: Enter the URL for your Entrust server (received from Entrust).
    • Admin ID: The credentials to log into the Entrust server.
    • Admin Password: Enter the administrator password.
    • Group: The Entrust group associated with users. Custom attribute variable substitutions are supported.

      If the profile you selected contains an iggroup variable, you must configure the same value here as well.

    • Key Usage: Use these options to filter out the certificates returned by Entrust, which may return multiple certificates with different uses depending on the selected profile.

      When multiple certificates are returned by a DigitalID profile, the first one that matches the selected key usage flags is used. If none of the returned certificates match the selected key usage flags, an error is raised. Use the Issue Test Certificate feature to ensure the expected certificate is selected.

    • Profile: Use these options to filter out the certificates returned by Entrust, which may return multiple certificates with different uses depending on the selected profile.

      Select a profile template from Entrust. Once you select this profile, more options (required and optional variables) are available to you based on the profile you select. Entrust refers to profiles as DigitalIDs.

    • Profile Description: Pre-populated based on the profile you select.
    • Application Description: Pre-populated based on the profile you select.
    • Centralized: Select to allow Ivanti EPMM to retrieve certificates on behalf of devices.
    • Decentralized: Select to let managed devices retrieve their own certificates.

      This feature is supported on iOS devices only.

      • Store keys on Core: Specifies whether Ivanti EPMM stores the private key sent to each device. When storing keys is enabled, private keys are encrypted and stored on the local Ivanti EPMM.
        • If you select this option after devices have been provisioned, certificates will be re-provisioned for all impacted devices.

    • User Certificate: Specifies that the certificate is distributed to multiple devices assigned to a single user.

    • Device Certificate: Specifies that the certificate is bound to the given device.
    • Entrust SCEP CA:
      • URL: Enter the URL of the Entrust SCEP CA.
      • Key Type: Select RSA.
      • Subject Alternative Names table: Select a type and value. At run-time, these variables are resolved into user values. (See Certificate Enrollment settings for more information.) Custom attribute variable substitutions are supported.
  3. (Optional) Click Issue Test Certificate to verify the configuration. This generates a test certificate to confirm there are no errors; a real certificate is not issued. Although this step is optional, it is recommended.
  4. Click Save.
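As an added illustration (not Ivanti EPMM or Entrust code), the following Python models the Key Usage filtering rule from step 2: decode each returned certificate's X.509 KeyUsage extension and pick the first one that carries every selected flag, raising an error when none does. The certificate records and their DER values are constructed sample data.

```python
# Added example (not Ivanti EPMM or Entrust code): model the Key Usage filter.
# Each returned certificate is reduced to its DER-encoded X.509 KeyUsage
# extension value, the only field the filter inspects. Sample data is constructed.

# KeyUsage BIT STRING bit positions, RFC 5280 section 4.2.1.3.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}


def decode_key_usage(der: bytes) -> set:
    """Decode a DER BIT STRING (tag 0x03) into the set of asserted usage names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    # KeyUsage has at most 2 content bytes, so only a short-form length is valid.
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad BIT STRING length")
    unused_bits, payload = der[2], der[3:]
    if unused_bits > 7 or (unused_bits and not payload):
        raise ValueError("bad unused-bits count")
    total_bits = len(payload) * 8 - unused_bits
    return {
        name for name, pos in KEY_USAGE_BITS.items()
        if pos < total_bits and payload[pos // 8] & (0x80 >> (pos % 8))
    }


def select_certificate(returned, required):
    """Return the first certificate whose KeyUsage includes every required flag;
    raise LookupError when none matches (the error case the procedure describes)."""
    required = set(required)
    unknown = required - set(KEY_USAGE_BITS)
    if unknown:
        raise ValueError(f"unknown key usage flag(s): {sorted(unknown)}")
    for cert in returned:
        if required <= decode_key_usage(cert["key_usage_der"]):
            return cert
    raise LookupError("no returned certificate matches the selected key usage flags")


# Constructed sample: a DigitalID profile that returns three certificates.
RETURNED_CERTS = [
    {"label": "encryption", "key_usage_der": b"\x03\x02\x05\x20"},  # keyEncipherment
    {"label": "signing", "key_usage_der": b"\x03\x02\x07\x80"},     # digitalSignature
    {"label": "dual-use", "key_usage_der": b"\x03\x02\x05\xa0"},    # both of the above
]
```

Selecting only digitalSignature returns the "signing" certificate (the first match), while requesting cRLSign raises LookupError, which is the situation the Issue Test Certificate step is meant to surface before devices enroll.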

If values that you enter in fields result in errors, you cannot save the configuration. If values that you enter result in warnings, you can save the configuration after confirming the warning messages. To see configuration errors, go to Services > Overview.

Revoking the certificate

You can revoke an Entrust API Version 9 certificate.

Revoking a certificate adds the certificate to the CRL (Certificate Revocation List). The certificate is also removed from the Entrust manager. When a device authenticates with Ivanti EPMM, the system first checks the CRL to verify that the certificate is not on the list. If the certificate is on the list, authentication fails.

To revoke a certificate:

  1. Navigate to Logs > Certificate Management.
  2. Select the certificate that you want to revoke.
  3. Select Actions > Revoke.