Configuring an Entrust CA
Ivanti EPMM supports integration with the Entrust Administration Services (EAS). This integration allows Ivanti EPMM to work with Entrust to obtain certificates directly from the CA.
The information in this section assumes the following:
- You have the URL for your Entrust server (received from Entrust).
- You have the Administrator ID and password.
Entrust decentralized mode allows iOS devices to communicate directly with Entrust by embedding the SCEP challenge string in the MDM configuration. Managed devices generate their own PKI key pairs and CSRs and obtain certificates directly from the Entrust CA, without going through Ivanti EPMM as a proxy. Decentralized mode therefore improves security because the private key never leaves the device.
When implementing decentralized mode, confirm the managed device:
- has a native SCEP client
- can work with the encryption algorithm and key lengths supported by Entrust
- accepts the CSR signature algorithm used by Entrust, if the selected algorithm is overridden
The mobile device notifies the device user when the Entrust certificate has been installed successfully. Additionally, the device reports the retrieved certificate to Ivanti EPMM as part of the standard device certificate inventory report. You can view the certificate data by going to Devices & Users > Devices, clicking the caret (^) symbol next to the device, and clicking the Logs tab. You can also view the certificate by going to Logs > Certificate Management and clicking the View link under the Content column next to the relevant device.
Note the following:
- Currently, iOS only supports the RSA key type with key lengths of 1024 and 2048.
- If you configure multiple app settings (such as email, VPN, and Wi-Fi) to consume the same decentralized Entrust certificate enrollment setting, and apply a label to the app settings all at once, then Entrust fails to return the certificate to the devices with that label. Instead, configure each certificate enrollment consumer to reference different Entrust certificate enrollment settings, which themselves reference different certificate profiles.
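As an added illustration, not part of the Ivanti or Entrust documentation, the Go program below does what a managed device does in decentralized mode (generate a key pair, build a CSR that only the public key and a proof-of-possession signature leave the device in) and then applies the checks listed above to the CSR: RSA key type, 1024- or 2048-bit key length, and an acceptable CSR signature algorithm. The accepted signature-algorithm set, the device name and the email address used as a Subject Alternative Name are assumptions made for the example; Go's standard library stands in for the device's native SCEP client and for the CA-side validation.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// Key constraint stated on this page: iOS decentralized enrollment supports only RSA, 1024 or 2048 bits.
var allowedRSABits = map[int]bool{1024: true, 2048: true}

// Signature algorithms the device's SCEP client is assumed (for this example) to accept on a CSR.
var acceptedSigAlgs = map[x509.SignatureAlgorithm]bool{
	x509.SHA256WithRSA: true, x509.SHA384WithRSA: true, x509.SHA512WithRSA: true,
}

// GenerateRSAKey models the key pair the device creates; in decentralized mode it never leaves the device.
func GenerateRSAKey(bits int) (crypto.Signer, error) { return rsa.GenerateKey(rand.Reader, bits) }

// GenerateECKey produces a key type the page says iOS does not support, to exercise the rejection path.
func GenerateECKey() (crypto.Signer, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// BuildDeviceCSR creates the request the device sends to the CA over SCEP. The email
// address plays the role of a Subject Alternative Name from the SAN table (constructed value).
func BuildDeviceCSR(priv crypto.Signer, commonName, email string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject:        pkix.Name{CommonName: commonName},
		EmailAddresses: []string{email},
	}
	// Leaving SignatureAlgorithm unset lets the library pick SHA-256 with the key's own algorithm.
	return x509.CreateCertificateRequest(rand.Reader, tmpl, priv)
}

// CSRReport is what an administrator would review before enabling decentralized mode.
type CSRReport struct {
	KeyType string
	KeyBits int
	SigAlg  string
	SANs    []string
}

// CheckCSRForIOS parses the CSR, verifies its proof-of-possession signature and
// enforces the key type, key length and signature algorithm constraints.
func CheckCSRForIOS(der []byte) (*CSRReport, error) {
	req, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("CSR does not parse: %w", err)
	}
	if err := req.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR self-signature invalid (no proof of key possession): %w", err)
	}
	rsaPub, ok := req.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("key type %s not supported: iOS decentralized enrollment requires RSA", req.PublicKeyAlgorithm)
	}
	bits := rsaPub.N.BitLen()
	if !allowedRSABits[bits] {
		return nil, fmt.Errorf("RSA key length %d not supported: use 1024 or 2048", bits)
	}
	if !acceptedSigAlgs[req.SignatureAlgorithm] {
		return nil, fmt.Errorf("CSR signature algorithm %s is not accepted by the device", req.SignatureAlgorithm)
	}
	return &CSRReport{KeyType: "RSA", KeyBits: bits, SigAlg: req.SignatureAlgorithm.String(), SANs: req.EmailAddresses}, nil
}

func main() {
	key, err := GenerateRSAKey(2048)
	if err != nil {
		panic(err)
	}
	der, err := BuildDeviceCSR(key, "device-001", "user@example.com")
	if err != nil {
		panic(err)
	}
	report, err := CheckCSRForIOS(der)
	fmt.Printf("report=%+v err=%v\n", report, err)
}
```

Running the program with a 2048-bit RSA key prints a report with the key size, the `SHA256-RSA` signature algorithm and the SAN; swapping in `GenerateECKey` makes `CheckCSRForIOS` return the "requires RSA" error, which is the case an administrator should expect to see if a profile is configured for a key type the device cannot use.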
To configure Entrust certificate enrollment:
- Go to Policies & Configs > Configurations and click Add New > Certificate Enrollment > Entrust.
- Use the following guidelines to specify the settings.
- Name: Enter brief text that identifies this group of settings.
- Description: Enter additional text that clarifies the purpose of this group.
- API URL: Enter the URL for your Entrust server (received from Entrust).
- Admin ID: Enter the administrator ID used to log into the Entrust server.
- Admin Password: Enter the administrator password.
- Group: The Entrust group associated with users. Custom attribute variable substitutions are supported. If the profile you selected contains an iggroup variable, you must configure the same value here as well.
- Key Usage: Use these options to filter the certificates returned by Entrust, which may return multiple certificates with different uses depending on the selected profile. When multiple certificates are returned by a DigitalID profile, the first one that matches the selected key usage flags is used. If none of the returned certificates match the selected key usage flags, an error is raised. Use the Issue Test Certificate feature to ensure the expected certificate is selected.
- Profile: Select a profile template from Entrust. Once you select a profile, more options (required and optional variables) become available based on that profile. Entrust refers to profiles as DigitalIDs. If using decentralized mode, select a profile that supports decentralized mode.
- Profile Description: Pre-populated based on the profile you select.
- Application Description: Pre-populated based on the profile you select.
- Centralized: Select to allow Ivanti EPMM to retrieve certificates on behalf of devices.
- Decentralized: Select to let managed devices retrieve their own certificates. This feature is supported on iOS devices only.
- Store keys on Core: Specifies whether Ivanti EPMM stores the private key sent to each device. When storing keys is enabled, private keys are encrypted and stored on the local Ivanti EPMM. If you select this option after devices have been provisioned, certificates will be re-provisioned for all impacted devices. This option is disabled when selecting Decentralized mode.
- User Certificate: Specifies that the certificate is distributed to multiple devices assigned to a single user. This option is disabled when selecting Decentralized mode.
- Device Certificate: Specifies that the certificate is bound to the given device.
- Entrust SCEP CA:
- URL: Enter the URL of the Entrust SCEP CA.
- Key Type: Select RSA.
- Subject Alternative Names table: Select a type and value. At run-time, these variables are resolved into user values. (See Certificate Enrollment settings for more information.) Custom attribute variable substitutions are supported.
- (Optional) Click Issue Test Certificate to verify the configuration by generating a test certificate to ensure there are no errors. Although this step is optional, it is recommended. A real certificate is not generated.
- Click Save.
If values that you enter in fields result in errors, you cannot save the configuration. If values that you enter result in warnings, you can save the configuration after confirming the warning messages. To see configuration errors, go to Services > Overview.
Revoking the certificate
You can revoke an Entrust API Version 9 certificate.
Revoking a certificate adds the certificate to the CRL (Certificate Revocation List). The certificate is also removed from the Entrust manager. When a device authenticates with Ivanti EPMM, the system first checks the CRL to verify that the certificate is not on the list. If the certificate is on the list, authentication fails.
To revoke a certificate:
- Navigate to Logs > Certificate Management.
- Select the certificate that you want to revoke.
- Select Actions > Revoke.