Configuring DigiCert One

Integration with DigiCert enables you to configure certificate-based authentication. The following describes how to configure DigiCert One in Ivanti EPMM.

Before you begin

  • Set up your account for DigiCert One with DigiCert.

  • Create an MDM (Web Service Client) profile in the DigiCert manager that you will use for the Ivanti EPMM integration.

    SeatID

    Be sure to include the DigiCert SeatID as a required certificate profile field. In a DigiCert One environment, DigiCert uses the SeatID to track the number of seats for billing purposes.

    To correctly track the number of seats, the SeatID value in the Ivanti EPMM SCEP settings must map to the value you created for the SeatID in the DigiCert Manager. For example, if the user's email address is used as the SeatID in DigiCert Manager, the Ivanti EPMM SCEP settings should map the Ivanti EPMM email address attribute to the DigiCert SeatID.

    Ivanti EPMM associates each issued DigiCert certificate with a SeatID in the DigiCert Manager. If the SeatID does not exist, a new DigiCert user account and SeatID are automatically created for the user at the time the certificate is requested. Once a certificate has been created for a profile with a given SeatID and Subject DN combination, creating another certificate by changing the Subject DN for the same profile and SeatID is not allowed.

  • Gather the following items:
    • The server address for DigiCert One.
      On Ivanti EPMM the default is set to clientauth.demo.one.digicert.com.
    • The Registration Authority (RA) certificate Ivanti EPMM will use to authenticate to the DigiCert CA.
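The SeatID rules above (the Ivanti EPMM attribute that maps to the SeatID, automatic seat creation on first request, and the ban on changing the Subject DN for an existing profile and SeatID combination) are easy to get wrong when planning the attribute mapping. The following is an added Python model of those rules written for this page; it is not Ivanti or DigiCert code, and the class and method names, the in-memory seat table and the sample user records are all constructed for illustration.

```python
"""Model of the DigiCert One SeatID mapping and issuance rule described above.

Added illustration for this page; not Ivanti EPMM or DigiCert code. The seat
table, certificate records and user attributes are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Certificate:
    profile: str      # DigiCert MDM (Web Service Client) profile name
    seat_id: str      # value the EPMM SeatID attribute mapped to
    subject_dn: str
    serial: int


class SeatIdMappingError(ValueError):
    """The EPMM attribute chosen as the SeatID is empty for this user."""


class SubjectDnConflict(ValueError):
    """A certificate already exists for this profile + SeatID with another Subject DN."""


class DigiCertOneModel:
    def __init__(self, seat_id_attribute: str = "email"):
        # Which EPMM user attribute the SCEP settings map to the DigiCert SeatID.
        self.seat_id_attribute = seat_id_attribute
        self.seats: Dict[str, str] = {}          # seat_id -> DigiCert user account (constructed)
        self.issued: List[Certificate] = []
        self._next_serial = 1

    def seat_id_for(self, user: Dict[str, str]) -> str:
        """Resolve the SeatID from the mapped EPMM attribute; fail loudly if it is missing."""
        value = user.get(self.seat_id_attribute, "").strip()
        if not value:
            raise SeatIdMappingError(
                f"user {user.get('name', '?')!r} has no value for attribute "
                f"{self.seat_id_attribute!r}; the SeatID cannot be derived")
        return value

    def request_certificate(self, profile: str, user: Dict[str, str], subject_dn: str) -> Certificate:
        seat_id = self.seat_id_for(user)
        # A missing SeatID is created automatically at request time (page behaviour).
        if seat_id not in self.seats:
            self.seats[seat_id] = f"auto-created:{seat_id}"
        # Same profile + SeatID may only ever carry one Subject DN. Re-issuing with
        # the same DN is treated as a renewal here (reading of the page, not a
        # documented API guarantee).
        for cert in self.issued:
            if cert.profile == profile and cert.seat_id == seat_id and cert.subject_dn != subject_dn:
                raise SubjectDnConflict(
                    f"profile {profile!r} / SeatID {seat_id!r} already issued with "
                    f"Subject DN {cert.subject_dn!r}; cannot issue for {subject_dn!r}")
        cert = Certificate(profile, seat_id, subject_dn, self._next_serial)
        self._next_serial += 1
        self.issued.append(cert)
        return cert


if __name__ == "__main__":
    model = DigiCertOneModel(seat_id_attribute="email")
    alice = {"name": "Alice", "email": "alice@example.test"}   # constructed sample user
    first = model.request_certificate("mdm-profile", alice, "CN=Alice,O=Example")
    print("issued serial", first.serial, "for seat", first.seat_id)
    try:
        model.request_certificate("mdm-profile", alice, "CN=Alice Smith,O=Example")
    except SubjectDnConflict as exc:
        print("rejected:", exc)
```

Run it once with the attribute you intend to map; if `seat_id_for` raises for real users (for example, service accounts without an email address), those users will not get a seat, and a changed DN naming scheme will be refused for seats that already hold a certificate.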

Procedure

  1. Go to Policies & Configs > Configurations and click Add New > Certificate Enrollment > DigiCert One.
  2. Use the following guidelines to specify the settings:

    The Required Fields and Optional Fields for the certificate are displayed based on how the MDM (Web Service Client) profile was set up in the DigiCert manager.

    • Name: Enter brief text that identifies this group of settings.
    • Description: Enter additional text that clarifies the purpose of this group.
    • Store keys on Ivanti EPMM: Specifies whether Ivanti EPMM stores the private key sent to each device. If you are using a DigiCert profile that is set up to store keys on the DigiCert server, you typically do not select this option.

      If you select this option after devices have been provisioned, certificates will be re-provisioned for all impacted devices.

    • User Certificate: Specifies that the certificate is distributed to multiple devices assigned to a single user.

      The certificate is revoked when the user is removed from Ivanti EPMM.

    • Device Certificate: Specifies that the certificate is bound to the given device. Make sure the Symantec certificates are unique for each device.

      The certificate is revoked when the device is retired from Ivanti EPMM.

    • API URL: Enter the server address for DigiCert One (received from DigiCert).

      The default is set to clientauth.demo.one.digicert.com.

      Do not add https:// before the server name, and do not add path information after the server name. Only the hostname of the DigiCert CA server should be provided.

    • Certificate 1: Navigate to and select the RA certificate you received from DigiCert. This is usually a .p12 file. Enter the password for the certificate when prompted.
    • Password 1: (Optional if certificate and password are stored in the same file.) Enter the password for the certificate.
    • Add Certificate: Click this link to add one or more certificates, as necessary.
    • Profile: This is the profile to be used for the integration. If you do not see an expected profile, then it most likely contains multiple credentials, a configuration that Ivanti EPMM does not currently support.
    • Profile Description: This is pre-populated based on the profile you select.
    • Application Description: This is populated automatically based on the selected profile.
  3. In Required Variables, the fields are populated based on the profile you selected.
  4. (Optional) Click Issue Test Certificate to verify that the configuration produces no errors by generating a test certificate. Although this step is optional, it is recommended. A real certificate is not generated.
  5. Click Save.

    If values that you enter in fields result in errors, you cannot save the configuration. If values that you enter result in warnings, you can save the configuration after confirming the warning messages. To see configuration errors, go to Services > Overview.
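The API URL field in step 2 accepts only the hostname of the DigiCert CA server: no https:// prefix, no path, and no port. The following is an added Python checker written for this page, not part of Ivanti EPMM, that applies those rules to a value before it is pasted into the field and extracts the bare hostname when the value came from a full URL. Treating a port suffix as invalid is this example's assumption (the page only says "hostname"); the default hostname is the one named on the page.

```python
"""Pre-save check for the DigiCert One API URL field: hostname only.

Added illustration for this page; not Ivanti EPMM code. Rules follow the text
above (no scheme, no path); rejecting a port suffix is an assumption made here.
"""
import re
from typing import List, Tuple

DEFAULT_API_URL = "clientauth.demo.one.digicert.com"   # default named on the page

# RFC 1123 style label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def suggest_hostname(value: str) -> str:
    """Strip scheme, userinfo, port, path, query and fragment; keep the host part."""
    v = value.strip()
    if "://" in v:
        v = v.split("://", 1)[1]
    v = re.split(r"[/?#]", v, 1)[0]        # drop path / query / fragment
    if "@" in v:
        v = v.rsplit("@", 1)[1]            # drop userinfo
    v = v.split(":", 1)[0]                 # drop port
    return v.lower()


def check_api_url(value: str) -> Tuple[bool, List[str]]:
    """Return (ok, problems). ok is True only when value is a bare hostname."""
    problems: List[str] = []
    v = value.strip()
    if not v:
        return False, ["value is empty"]
    if "://" in v:
        problems.append("remove the scheme (for example https://): only the hostname is accepted")
    rest = v.split("://", 1)[1] if "://" in v else v
    if any(ch in rest for ch in "/?#"):
        problems.append("remove path, query or fragment after the server name")
    rest = re.split(r"[/?#]", rest, 1)[0]
    if "@" in rest:
        problems.append("remove user:password@ prefix; the RA certificate authenticates EPMM")
        rest = rest.rsplit("@", 1)[1]
    if ":" in rest:
        problems.append("remove the port suffix (assumption: only a bare hostname is accepted)")
        rest = rest.split(":", 1)[0]
    if rest and not all(_LABEL.match(label) for label in rest.split(".")):
        problems.append(f"{rest!r} is not a valid hostname")
    return (not problems, problems)


if __name__ == "__main__":
    for candidate in (DEFAULT_API_URL, "https://clientauth.demo.one.digicert.com/api", "bad_host"):
        ok, problems = check_api_url(candidate)
        print(f"{candidate!r}: {'ok' if ok else 'fix: ' + '; '.join(problems)}")
        if not ok:
            print("  suggested value:", suggest_hostname(candidate))
```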

Revoking the certificate

You can revoke a DigiCert One certificate.

Revoking a certificate adds the certificate to the CRL (Certificate Revocation List). The certificate is also removed from the DigiCert manager. When a device authenticates with Ivanti EPMM, the system first checks the CRL to verify that the certificate is not on the list. If the certificate is on the list, authentication fails.

Procedure

  1. Navigate to Logs > Certificate Management.
  2. Select the certificate that you want to revoke.
  3. Click Actions > Revoke.
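The revocation behaviour on this page, together with the user-certificate and device-certificate lifecycle rules from the configuration procedure (revoke on user removal, revoke on device retirement), can be summarised as a small state machine. The following is an added Python model written for this page, not Ivanti EPMM or DigiCert code: the in-memory "manager" store and CRL, the serial numbers and the sample users and devices are constructed, and the authentication check consults the CRL first, as the text describes.

```python
"""Model of DigiCert One revocation and CRL-first authentication in Ivanti EPMM.

Added illustration for this page; not Ivanti EPMM or DigiCert code. The manager
store, CRL, serials, users and devices below are all constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class IssuedCert:
    serial: int
    kind: str                  # "user" (one user, many devices) or "device" (bound to one device)
    user: str
    device: Optional[str]      # None for user certificates


class RevocationModel:
    def __init__(self) -> None:
        self.manager: Dict[int, IssuedCert] = {}   # certificates present in the DigiCert manager
        self.crl: Set[int] = set()                 # serials on the CRL
        self._next_serial = 1

    def issue(self, kind: str, user: str, device: Optional[str] = None) -> IssuedCert:
        if kind not in ("user", "device"):
            raise ValueError("kind must be 'user' or 'device'")
        if kind == "device" and device is None:
            raise ValueError("a device certificate must be bound to a device")
        cert = IssuedCert(self._next_serial, kind, user, device if kind == "device" else None)
        self._next_serial += 1
        self.manager[cert.serial] = cert
        return cert

    def revoke(self, serial: int) -> None:
        """Logs > Certificate Management > Actions > Revoke: add to CRL, remove from manager."""
        self.crl.add(serial)
        self.manager.pop(serial, None)

    def remove_user(self, user: str) -> List[int]:
        """User removed from EPMM: its user certificates are revoked."""
        serials = [c.serial for c in self.manager.values() if c.kind == "user" and c.user == user]
        for s in serials:
            self.revoke(s)
        return serials

    def retire_device(self, device: str) -> List[int]:
        """Device retired from EPMM: its device certificates are revoked."""
        serials = [c.serial for c in self.manager.values() if c.kind == "device" and c.device == device]
        for s in serials:
            self.revoke(s)
        return serials

    def authenticate(self, serial: int) -> Tuple[bool, str]:
        """CRL is checked first; a listed certificate fails regardless of anything else."""
        if serial in self.crl:
            return False, "certificate is on the CRL"
        if serial not in self.manager:
            return False, "certificate unknown to the manager"
        return True, "ok"


if __name__ == "__main__":
    m = RevocationModel()
    u = m.issue("user", "alice")                    # constructed: Alice's user cert
    d = m.issue("device", "alice", device="phone-1")  # constructed: cert bound to one device
    print("user cert", u.serial, m.authenticate(u.serial))
    print("removed user alice, revoked:", m.remove_user("alice"))
    print("user cert", u.serial, m.authenticate(u.serial))
    print("device cert", d.serial, m.authenticate(d.serial))
    print("retired phone-1, revoked:", m.retire_device("phone-1"))
    print("device cert", d.serial, m.authenticate(d.serial))
```

The point worth checking in a real deployment is the one the model makes explicit: removing a user revokes only that user's user certificates, so a device certificate on the same person's device remains valid until the device itself is retired (or the certificate is revoked manually from Logs > Certificate Management).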