Configuring Ivanti EPMM as the CA

This section describes how to configure Ivanti EPMM as the CA.


To specify local settings:

  1. Go to Policies & Configs > Configurations.
  2. Click Add New > Certificate Enrollment > Local.
  3. Use the following guidelines to specify the settings.
    • Name: Enter brief text that identifies this group of settings. Example: Local Certificate Settings for Wi-Fi
    • Description: Enter additional text that clarifies the purpose of this group of settings.
    • Store keys on Core: Specifies whether Ivanti EPMM stores the private key sent to each device. When storing key is enabled, private keys are encrypted and stored on the local Ivanti EPMM.

      If you select this option after devices have been provisioned, certificates will be re-provisioned for all impacted devices.

      Select this option for certificates used for email on devices with multi-user sign-in.

    • User Certificate: Specifies that the certificate is distributed to multiple devices assigned to a single user.

      Select this option for certificates used for email on devices with multi-user sign-in.

    • Device Certificate: Specifies that the certificate is bound to the given device.
    • Local CAs: Select the name of the self-signed certificate you generated.
    • Key Type: Specifies the key exchange algorithm used (typically RSA or elliptic curve).
    • Subject Common Name Type: Select the CN type specified in the certificate template. If you enter the $USER_DN$ variable in the Subject field, select None from the drop-down list.
    • Key Usage: Specify acceptable use of the key (signing and/or encryption).
    • Key Length: Select a Key Length.

      The values are 1024, 1536, 2048 (the default), 3072, and 4096.

    • CSR Signature Algorithm: Select the signature algorithm.

      The values are SHA1, SHA256, SHA384 (default), and SHA512.

  4. (Optional) Click Issue Test Certificate to verify the configuration by generating a test certificate to ensure there are no errors. Although this step is optional, it is recommended. A real certificate is not generated.
  5. Click Save.

If values that you enter in fields result in errors, you cannot save the configuration. If values that you enter result in warnings, you can save the configuration after confirming the warning messages. To see configuration errors, go to Services > Overview.

Revoking the certificate

You can revoke a local certificate.

Revoking a certificate adds the certificate to the CRL (Certificate Revocation List). When a device authenticates with Ivanti EPMM, the system first checks the CRL to verify that the certificate is not on the list. If the certificate is on the list, authentication fails.


  1. Navigate to Logs > Certificate Management.
  2. Select the certificate that you want to revoke.
  3. Click Actions > Revoke.