Certificate Mgmt

Use the Security > Certificate Mgmt menu items to fulfill certificate requirements your organization may have for the MobileIron appliance or the TLS client. With these options, you can:

  • Generate a self-signed certificate
  • Generate a CSR for a certificate authority
  • Upload required certificates
NOTE: When you update a certificate, you are prompted to confirm that you want to proceed because the HTTP service needs to be restarted, resulting in service disruption.

Certificates you configure in the System Manager

You configure the following certificates on the System Manager at Security > Certificate Mgmt:

Table 1. Certificates you configure in the System Manager

Portal HTTPS (ports 443 and 8443)

  • The identity certificate and its certificate chain, including the private key, that identifies MobileIron Core, allowing a client (such as a browser or app) to trust MobileIron Core.
  • Used on port 443 for these clients:

    • the Admin Portal
    • the self-service user portal.
    • Mobile@Work for iOS and Android device check-ins when using mutual authentication
    • Mobile@Work for macOS device check-ins
    • iOS MDM and macOS MDM check-ins
    • Windows device check-ins
    • Apps@Work on Android and iOS
  • Used on port 8443 for the System Manager.
  • Must be a publicly trusted certificate from a well-known Certificate Authority if you are using mutual authentication.
  • Typically the same certificate as the Client TLS and iOS Enrollment certificates.
  • Presented to client as part of the TLS handshake when client initiates a request to Core.
NOTE: Mobile@Work for Android requires that the Portal HTTPS certificate supports CRLs (Certificate Revocation Lists).

Client TLS (port 9997)

  • The identity certificate and its certificate chain, including the private key, that identifies MobileIron Core, allowing Mobile@Work for iOS and Android to trust MobileIron Core.
  • Used on port 9997 for Mobile@Work for iOS and Android device check-ins when not using mutual authentication.
  • Typically the same certificate as the Portal HTTPS and iOS Enrollment certificates.
  • Presented to Mobile@Work for iOS or Android as part of the TLS handshake when Mobile@Work initiates a request to Core.

iOS Enrollment

  • The identity certificate and its certificate chain, including the private key, that identifies MobileIron Core. Core uses the identity certificate to sign the Apple MDM configurations that it sends to iOS and macOS devices.
  • Typically the same certificate as the Client TLS and Portal HTTPS certificates.

Generate a self-signed certificate

You can generate a self-signed certificate for:

  • the MobileIron iOS Mobility Management Best Practices
  • the MobileIron Sentry configurations
  • The Portal HTTPS certificate, the Client TLS certificate, or the iOS Enrollment certificate.

Procedure 

  1. Log into System Manager.
  2. Go to Security > Certificate Mgmt.
  3. Select Manage Certificate in either the Portal HTTPS row, the Client TLS row, or the iOS Enrollment row.
  4. Select Certificate Options > Generate Self-Signed Certificate.
  5. Click one of the following self-signed certificate options:

    • Generate Self Signed RSA Certificate
    • Generate Self Signed ECDSA Certificate

Certificate signing request (CSR) requirements

The following table summarizes the requirements and related information for each component of a MobileIron deployment.

Table 2. CSR requirements

Component: Requirements

  • Appliance

    • Private key file
    • Certificate file
    • Root CA certificate file
    • Without password

  • Standalone Sentry

    • Private key file
    • Certificate file
    • Root CA certificate file
    • Without password

  • Client

    • Private key file
    • Certificate file
    • Root CA certificate file
    • Without password

Generate a certificate signing request (CSR)

Procedure 

  1. Log into System Manager.
  2. Go to Security > Certificate Mgmt.
  3. Select Manage Certificate in either the Portal HTTPS row, the Client TLS row, or the iOS Enrollment row.
  4. Select Certificate Options > Generate CSR.
  5. Fill in the form, as necessary.

    Refer to the Upload client certificate (CSR) window table for details.

  6. Click Generate.

    The system displays a message similar to the following message.

  7. Open a text file in a text editor or application.
  8. Copy the content between BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST and paste it into the text file.
  9. Open a second text file.
  10. Copy the content between BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY and paste it into the second text file.
  11. Click Close.
  12. Submit the text file you created in step 8.

Upload client certificate (CSR) window

The following table summarizes fields and descriptions in the Upload client certificate window:

Table 3. Upload client certificate fields

Field: Description

  • Common Name: Enter the server host name.
  • E-Mail: Enter the email address of the contact person in your organization who should receive the resulting certificate.
  • Company: Enter the name of the company requesting the certificate.
  • Department: Enter the department requesting the certificate.
  • City: Enter the city in which the company is located.
  • State: Enter the state in which the company is located.
  • Country: Enter the two-character abbreviation for the country in which the company is located.
  • Key Length: Select 2048 or 3072 to specify the length of each key in the pair. Longer keys provide stronger security, but may impact performance.

Uploading certificates

You can upload a certificate after you receive the CA certificate from the certifying authority.

Procedure 

  1. Log into System Manager.
  2. Go to Security > Certificate Mgmt.
  3. Select Manage Certificate in either the Portal HTTPS row, the Client TLS row, or the iOS Enrollment row.
  4. Select Certificate Options > Upload Certificate.
  5. Select a certificate based on the following information:

    Field: Description

    • Key file: The file created in Step in Generate a certificate signing request (CSR)
    • Server certificate: The CA certificate file you received from the certifying authority.
    • CA certificate: A generic CA certificate file.

  6. Click Upload Certificate.
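
Because updating a certificate restarts the HTTP service, the key file, server certificate, and CA certificate can be checked against each other offline before step 6, and the CSR can be checked against the private key saved during CSR generation. The script below is an added example, not MobileIron code; it assumes the openssl command-line tool, uses hypothetical file names (core.key, core.csr, core.pem, ca.pem), and builds a throwaway CA and certificate as constructed sample data.

```shell
#!/bin/sh
# Added example (not vendor code). Assumes the openssl CLI; file names are hypothetical.

# pubkey_fp KIND FILE -> SHA-256 of the public key held in a key, CSR or certificate
pubkey_fp() {
  case "$1" in
    key)  pem=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) ;;
    csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
    cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)    false ;;
  esac || return 1
  printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# check_upload_set KEY CERT CA -> 0 when consistent; 1, 2 or 3 names the failed check
check_upload_set() {
  # 1: the CSR requirements table lists "Without password"; assumed here to
  #    apply to the key file, so encrypted PEM keys are rejected
  grep -q -e 'BEGIN ENCRYPTED' -e 'Proc-Type: 4,ENCRYPTED' "$1" && return 1
  # 2: the server certificate must carry the public key of the private key
  k=$(pubkey_fp key "$1") || return 2
  [ "$k" = "$(pubkey_fp cert "$2")" ] || return 2
  # 3: the server certificate must chain to the CA certificate file
  openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 || return 3
  return 0
}

# make_constructed_set DIR: throwaway CA, key, CSR and certificate (constructed data)
make_constructed_set() {
  ( cd "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj '/CN=Constructed Test CA' -keyout ca.key -out ca.pem &&
    openssl req -new -newkey rsa:2048 -nodes \
      -subj '/CN=core.example.com' -keyout core.key -out core.csr &&
    openssl x509 -req -in core.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -days 1 -out core.pem ) >/dev/null 2>&1
}

demo=$(mktemp -d)
make_constructed_set "$demo"
[ "$(pubkey_fp key "$demo/core.key")" = "$(pubkey_fp csr "$demo/core.csr")" ] \
  && echo "CSR matches private key"
check_upload_set "$demo/core.key" "$demo/core.pem" "$demo/ca.pem" \
  && echo "key, server certificate and CA certificate are consistent"
rm -rf "$demo"
```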

Viewing certificates

Use the Security > Certificate Mgmt menu items to view the Portal HTTPS or Client TLS certificates.

Procedure 

  1. Log into System Manager.
  2. Go to Security > Certificate Mgmt.
  3. Select View Certificate in either the Portal HTTPS row, the Client TLS row, or the iOS Enrollment row.
