About Derived Credentials with MobileIron
Smart cards contain identity certificates that give your users access to various computing resources without using passwords. The identity certificates make up the user’s primary credential. A derived credential:
• derives from the primary credential.
  The derived credential contains identity certificates derived from the primary credential’s identity certificates. Therefore, if the primary credential becomes revoked or expired, the derived credential also becomes revoked or expired.
• is an X.509 public key certificate.
• is stored on the user’s mobile device.
Apps on the user’s iOS or Android mobile device can use these derived identity certificates for these purposes:
Purpose | Supported platforms
Authenticating to your backend servers, such as web servers, app servers, or content servers | iOS and Android
Authenticating to your backend email server | iOS and Android
Digital signing | iOS and Android
Encryption | iOS and Android
Decryption of older emails when the certificate that had been used for encryption has expired | iOS
Authenticating the user to Standalone Sentry when using AppTunnel with Kerberos authentication to the backend server | iOS
Typically, a different identity certificate is used for each of authentication, signing, and encryption, with the expired certificates used for decryption. The identity certificates each have the same identity information, but each has a different private and public key pair.