Configuring a GlobalSign CA

Ivanti EPMM supports integration with GlobalSign as a certificate authority (CA) for certificate enrollment. This integration enables GlobalSign to perform the proxy tasks that would normally be performed by Ivanti EPMM, allowing the device to obtain certificates from the GlobalSign CA.

GlobalSign Prerequisites

The information in this section assumes that you have already arranged the following with GlobalSign and decided the related options:

  • A user name and password for Ivanti EPMM to use to access the GlobalSign server
  • GlobalSign profiles
  • Whether you want the generated certificates to have the enhanced key usage extension Encrypting File System (EFS)
  • Whether you want the generated certificates to be the GlobalSign type “personal” or “department”

To specify GlobalSign settings:

  1. Go to Policies & Configs > Configurations and click Add New > Certificate Enrollment > GlobalSign.
  2. Use the following guidelines to specify the settings.
    • Name: Enter brief text that identifies this certificate enrollment setting.
    • Description: Enter additional text that clarifies the purpose of this certificate enrollment setting.
    • Store keys on Ivanti EPMM: Specifies whether Ivanti EPMM keeps a copy of the private key sent to each device. When this option is enabled, the private keys are encrypted and stored locally on Ivanti EPMM. Storing private keys centrally makes Ivanti EPMM and its backups a single point of key compromise, so enable this only when you have a specific need for it.

      If you select this option after devices have been provisioned, certificates will be re-provisioned for all impacted devices.

    • User Certificate: Specifies that the certificate is distributed to multiple devices assigned to a single user.
    • Device Certificate: Specifies that the certificate is bound to the given device.
    • URL: Enter the URL for the GlobalSign server. This field defaults to:

      https://system.globalsign.com/cr/ws/GasOrderService

      Typically, you only change this if you are working with a GlobalSign test environment.

    • User Name: The user name for Ivanti EPMM to use to access the GlobalSign server. Custom device and user attribute variable names are supported.
    • Password: Enter the password, then re-enter it to confirm. Custom device and user attribute variable names are supported.
    • Profile: Click Refresh to populate the drop-down list of profiles from GlobalSign. Then, select a profile.

      You must enter a valid User Name and Password before clicking Refresh.

    • Profile Description: Pre-populated based on the profile you select.
    • Application Description: Pre-populated based on the profile you select.
    • Product Code: Select either EPKIPSPersonal or EPKIPSDept, depending on whether you want the generated certificates to be the GlobalSign type “personal” or “department”.
    • Certificate Expiration: Specify when the generated certificate will expire.
    • EFS option: Select this setting if you want the generated certificate to have the enhanced key usage extension Encrypting File System (EFS).

      Selecting this setting has no impact if the selected profile has disabled EFS.

    • Common Name: Specify the Common Name to use in the generated certificate.
    • Organization Unit: Specify the Organization Unit to use in the generated certificate.
    • E-Mail: Specify the email address to use in the generated certificate.
    • Subject Alternative Names Value: Click Add+, select the SAN type (NT Principal Name) from the drop-down list, then select one of the available values. Repeat to add multiple SAN entries, each with its own value. At run-time, these variables are resolved into the user's values. (See Supported variables for certificate enrollment for more information.)
    • Microsoft User Security Identifier: Select the check box to include a non-critical extension with OID 1.3.6.1.4.1.311.25.2 carrying the value of the substitution variable $USER_SID$. Windows uses this extension to map a certificate strongly to the account with that SID. If the LDAP user has no SID, the extension is omitted from the certificate.

  3. (Optional, but recommended) Click Issue Test Certificate to check the configuration for errors. This exercises the settings end to end without issuing a real certificate.
  4. Click Save.

If the values you enter result in errors, you cannot save the configuration. If they result only in warnings, you can save the configuration after confirming the warning messages. To see configuration errors, go to Services > Overview.
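The Microsoft User Security Identifier option above is worth checking after issuance, because a certificate whose SID extension is missing or carries the wrong account is exactly what strong certificate mapping will reject or, worse, map to another user. The following is an added example, not Ivanti or GlobalSign code: it builds the DER value of the non-critical extension with OID 1.3.6.1.4.1.311.25.2 from a SID string (what $USER_SID$ resolves to), mirrors the page's rule that an LDAP user without a SID gets no extension, and parses such a value back strictly so you can compare the extension pulled from an issued certificate against the user's objectSid. It uses only the Python standard library; the SID and the LDAP attribute dictionary are constructed, and the helper names are my own.

```python
"""Build and verify the Microsoft User Security Identifier certificate extension.

Added example for this page (not Ivanti or GlobalSign code), standard library only.
The SID used at the bottom is constructed; the function names are this example's own.
"""
import re
from typing import Optional

SID_EXT_OID = "1.3.6.1.4.1.311.25.2"          # extension OID named on the page
SID_OTHERNAME_OID = "1.3.6.1.4.1.311.25.2.1"  # type-id of the OtherName inside it

# Textual SID: S-1-<authority>-<one or more sub-authorities / RID>
_SID_RE = re.compile(r"^S-1-\d+(-\d+){1,15}$")


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(oid: str) -> bytes:
    parts = [int(p) for p in oid.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = bytearray([p & 0x7F])
        p >>= 7
        while p:  # base-128 arcs, high bit set on every octet but the last
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def encode_sid_extension(sid: str) -> bytes:
    """DER value: SEQUENCE { [0] OtherName { OID ...25.2.1, [0] EXPLICIT { OCTET STRING sid } } }"""
    if not _SID_RE.match(sid):
        raise ValueError(f"not a well-formed SID string: {sid!r}")
    explicit = _tlv(0xA0, _tlv(0x04, sid.encode("ascii")))
    other_name = _tlv(0xA0, _encode_oid(SID_OTHERNAME_OID) + explicit)
    return _tlv(0x30, other_name)


def sid_extension_for_user(ldap_attrs: dict) -> Optional[bytes]:
    """The page's rule: an LDAP user without a SID gets no extension at all."""
    sid = ldap_attrs.get("objectSid")
    return encode_sid_extension(sid) if sid else None


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, end) for the TLV at buf[pos]; rejects truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length octets")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    if not body:
        raise ValueError("empty OID")
    first = body[0]
    parts = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val, pending = 0, False
    for b in body[1:]:
        val, pending = (val << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            parts.append(val)
            val = 0
    if pending:
        raise ValueError("unterminated OID arc")
    return ".".join(map(str, parts))


def decode_sid_extension(value: bytes) -> str:
    """Strict parse of the extension value; every deviation from the layout raises."""
    tag, seq, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("outer SEQUENCE expected")
    tag, other_name, end = _read_tlv(seq, 0)
    if tag != 0xA0 or end != len(seq):
        raise ValueError("exactly one [0] OtherName expected")
    tag, oid_body, pos = _read_tlv(other_name, 0)
    if tag != 0x06 or _decode_oid(oid_body) != SID_OTHERNAME_OID:
        raise ValueError("OtherName type-id is not the SID OID")
    tag, explicit, end = _read_tlv(other_name, pos)
    if tag != 0xA0 or end != len(other_name):
        raise ValueError("[0] EXPLICIT value expected")
    tag, sid_bytes, end = _read_tlv(explicit, 0)
    if tag != 0x04 or end != len(explicit):
        raise ValueError("OCTET STRING expected")
    sid = sid_bytes.decode("ascii")
    if not _SID_RE.match(sid):
        raise ValueError(f"SID payload malformed: {sid!r}")
    return sid


def sid_matches(ext_value: bytes, expected_sid: str) -> bool:
    """True only if the extension parses cleanly and carries exactly expected_sid."""
    try:
        return decode_sid_extension(ext_value) == expected_sid
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    user = {"objectSid": "S-1-5-21-1004336348-1177238915-682003330-1000"}  # constructed
    ext = sid_extension_for_user(user)
    print(SID_EXT_OID, ext.hex())
    print(decode_sid_extension(ext), sid_matches(ext, user["objectSid"]))
    print(sid_extension_for_user({}))  # None: no SID on the LDAP user, no extension
```

To use this against a real certificate, extract the raw value of the 1.3.6.1.4.1.311.25.2 extension with whatever X.509 tooling you have (for example openssl asn1parse on the certificate) and pass those bytes to sid_matches together with the objectSid you expect for that user; any structural oddity, trailing data, or second OtherName is treated as a mismatch rather than ignored.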

Revoking the certificate

You can revoke a GlobalSign certificate.

Revoking a certificate adds it to the CRL (Certificate Revocation List) and removes it from the GlobalSign server. When a device authenticates with Ivanti EPMM, the system first checks the CRL to verify that the certificate is not listed; if it is, authentication fails.

To revoke a certificate:

  1. Navigate to Logs > Certificate Management.
  2. Select the certificate that you want to revoke.
  3. Select Actions > Revoke.