Configuring Symantec Managed PKI

Symantec Managed PKI support enables you to configure certificate-based authentication. Symantec Managed PKI is a source for certificates that you can reference in a variety of configurations, such as for Exchange, VPN, and AppConnect.

Before you begin

Make sure you have the following in place:

  • A valid Symantec Verisign Managed PKI account is required.
  • (Optional) Get finger print from issuing CA for root certificate.
  • One or more client certificate and password from CA.


To specify the Symantec Managed PKI settings:

  1. Go to Policies & Configs > Configurations and click Add New > Certificate Enrollment > Symantec Managed PKI.
  2. Use the following guidelines to specify the settings:
    • Name: Enter brief text that identifies this group of settings.
    • Description: Enter additional text that clarifies the purpose of this group.
    • Centralized: Ivanti EPMM retrieves certificates on behalf of devices. Ivanti EPMM also manages the certificate lifetime and triggers renewals. See “Using a proxy”.

      Select this option for certificates used for email on devices with multi-user sign-in.

    • Decentralized: This feature is not available for Android devices.Devices retrieve their own certificates.
    • Store keys on Ivanti EPMM: Specifies whether Ivanti EPMM stores the private key sent to each device. When storing key is enabled, private keys are encrypted and stored on the local Ivanti EPMM.

      If you select this option after devices have been provisioned, certificates will be re-provisioned for all impacted devices.

      Select this option for certificates used for email on devices with multi-user sign-in.

    • Proxy requests through Ivanti EPMM: This feature is not available for Android devices.
      • When this option is enabled, Ivanti EPMM acts as a reverse proxy between devices and the target certificate authority. This option is only available when Decentralized is selected.
    • User Certificate: Specifies that the certificate is distributed to multiple devices assigned to a single user.

      Select this option for certificates used for email on devices with multi-user sign-in.

    • URL Mode: Specifies the mode and the corresponding URL supplied by Symantec.
    • CA-Identifier: Required information supplied by Symantec.
    • Subject Common Name Type: Select the CN type specified in the certificate template. If you enter the $USER_DN$ variable in the Subject field, select None from the drop-down list.
    • Key Usage: Use these options to indicate which key usage to request from the CA.
    • Key Type: This is the Key Exchange algorithm: RSA or Elliptic Curve.
    • Key Size: The values are 1024, 1536, 2048 (the default), 3072, and 4096.
    • CSR Signature Algorithm: The values are SHA1, SHA256, SHA384 (the default), and SHA512.
    • Finger Print: The finger print of Symantec Managed PKI.
    • Certificate 1: Upload for the client authentication with the server.
    • Password 1: This password is optional.Best used when certificate and password are in separate files.
    • Subject Alternative Names table: Enter a type and value. At run-time these variables are resolved into user values. (See Supported variables for certificate enrollment for more information.)

      The Required Fields and Optional Fields for the certificate are displayed based on how the MDM (Web Service Client) profile was set up in the Symantec PKI manager.

  3. (Optional) Click Issue Test Certificate to verify the configuration by generating a test certificate to ensure there are no errors. Although this step is optional, it is recommended. A real certificate is not generated.
  4. Click Save.

    If values that you enter in fields result in errors, you cannot save the configuration. If values that you enter result in warnings, you can save the configuration after confirming the warning messages. To see configuration errors, go to Services > Overview.

Using a proxy

Choosing to enable proxy functions has the following benefits:

  • A single certificate verifies Exchange ActiveSync, Wi-Fi, and VPN configurations
  • There is no need to expose a SCEP listener to the Internet.
  • Ivanti EPMM can detect and address revoked and expired certificates.