Certificate Management

License: Silver

Using certificate authentication is an effective way to secure your mobile devices. Certificates are more secure than passwords, and they enable you to use a single credential to protect VPNs, wireless networks, email, etc. If your organization has access to an external certificate authority, you can use a Connector to access it. If your organization does not have access to a certificate authority, you can use Ivanti Neurons for MDM as a certificate authority. You can also use it as an intermediate certificate authority to other certificate authorities. The certificates generated by Ivanti Neurons for MDM are called self-signed certificates.

  • SHA-1 is deprecated when creating identity certificates; choose another signature algorithm. When updating existing certificates, if the older certificates use SHA-1, SHA-1 can still be used. If the older certificates use an algorithm stronger than SHA-1, reverting to SHA-1 is not allowed.
  • During the configuration of the local or external certificate authority, select the Cache Identities on Ivanti Neurons for MDM option to store certificates with the Ivanti Neurons for MDM service. Clear cache to generate certificates each time as needed.
  • While editing an existing certificate from the Actions menu, you can select the Clear cached certificates and issue new ones with recent updates option if required. Non-cached certificates will be re-issued automatically.
  • For improving system efficiency, the certificates for the admin-created configurations are generated offline, using a First In First Out (FIFO) queue. During the period when the configurations are being generated offline, the configuration state will be Pending Certificate Generation under the Status column in the Configurations tab on the Device Details page. After the certificates are generated, the configurations are moved to the Pending Install state and are pushed, along with the certificates, to the devices via automatic force check-ins.
  • All Certificate Authority certificates, including the certificates signed by DigiCert PKI Platform or GlobalSign external Certificate Authorities, are revoked when a device is retired, wiped, and when certificates are regenerated.

As an administrator, you can generate Ivanti Neurons for MDM certificates for smart card logon and custom object identifiers (OIDs). You can generate certificates for the following authentication options:

  • Client Authentication - enabled by default

  • IPSEC - optional, admin can enable

  • Smart Card Logon - optional, admin can enable

  • Custom OIDs - optional, admin can enable

This feature is only applicable for the following certificate authorities:

  • Local Certificate Authority

  • Intermediate Certificate Authority

  • External Certificate Authority - configure the application policies of the CA template on the NDES server to support IPSEC, Smart Card Logon, and custom OIDs

In the Device Admin, App Station, or other non-Android Enterprise modes, Certificate Management is not supported on Samsung devices that use Samsung APIs. It is recommended to verify the transition to the Android Keystore, as Samsung recommends.

For more information, see Certificate configuration.

Connecting to an on-premise SCEP certificate authority

Procedure

  1. Log in to the Ivanti Neurons for MDM administrative portal.

  2. Install and configure a Connector (Admin > Connector). For more information, see Connector.

  3. Go to Admin > Infrastructure > Certificate Management.

  4. Click Add under the Certificate Authority section.

  5. Select Add an on-premise SCEP Certificate Authority and click Continue.

  6. Enter a name that identifies the configuration.

  7. Select one of the following Certificate Authority Types:

    • Microsoft

    • EJBCA

    • Generic SCEP Server

      The Generic SCEP Server option can be used with most SCEP servers having a static challenge password.

  8. Complete the displayed form.

  9. Click Done.

Creating an external Certificate Authority

Choose this option if you want to use a third party Certificate Authority.

Procedure

  1. In the Certificate Management page, click Add under Certificate Authority section.

  2. In the Add Certificate Authority page, under Create an external Certificate Authority, click Continue.

  3. Select GlobalSign or DigiCert PKI Platform as the external Certificate Authority.

  4. Complete the remaining fields on the displayed form.

  5. Click Done.

Viewing a certificate of the external certificate authority

You can view the details of a certificate and upload the intermediate/alternate root certificate for this certificate authority to replace the existing stored copy.

Procedure

  1. Under the Certificate Authority in the Certificate Management page, click Actions next to the external certificate authority, and then click View Certificate. The View certificate window is displayed.

  2. In the View Certificate window, click Upload Certificate. The Upload Certificate: External CA window is displayed.

  3. Click Choose File to select the certificate to be uploaded.

  4. Click Done.

Creating an intermediate certificate authority

  • If you need a certificate, then generate a CSR and submit it to the signing authority. Once you receive the certificate from the signing authority, upload the certificate.

  • If you already have the necessary certificate, upload it.

Generate a CSR (certificate signing request)

Procedure

  1. Under the Certificate Authority section in the Certificate Management page, click Add.

  2. In the Add Certificate Authority section, under Create an Intermediate Certificate Authority, click Generate CSR.

  3. Complete the displayed form.

  4. Click Generate.

  5. Copy the content between BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST to a text file.

  6. Upload the text file to the certifying authority.

  7. Click Done.
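Step 5 above depends on copying the whole block between the BEGIN and END markers; a paste that drops a trailing line produces a request the certifying authority will reject, sometimes with an unhelpful error. The following Python is an added example, not part of Ivanti Neurons for MDM, that extracts the PEM block from whatever text was copied and checks that the base64 body decodes to one complete DER SEQUENCE before the file is submitted. The sample CSR is constructed (a structurally valid DER envelope, not a real request) so the script runs offline.

```python
import base64
import re

# The marker lines exactly as the portal displays them.
BEGIN_MARKER = "-----BEGIN CERTIFICATE REQUEST-----"
END_MARKER = "-----END CERTIFICATE REQUEST-----"


def extract_csr_pem(text: str) -> str:
    """Return the PEM block (markers included) from arbitrary surrounding text.

    Raises ValueError if either marker is missing, so a partial copy from the
    portal is caught before anything is sent to the certifying authority.
    """
    start = text.find(BEGIN_MARKER)
    end = text.find(END_MARKER, start if start >= 0 else 0)
    if start < 0 or end < 0:
        raise ValueError("CSR markers not found; copy the whole block from the portal")
    body = text[start + len(BEGIN_MARKER):end]
    # Keep only base64 characters; newlines and any stray characters are dropped.
    b64 = re.sub(r"[^A-Za-z0-9+/=]", "", body)
    if not b64:
        raise ValueError("empty CSR body")
    # Re-wrap at 64 columns, the conventional PEM line width.
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN_MARKER, *lines, END_MARKER]) + "\n"


def csr_der_is_complete(pem: str) -> bool:
    """Check that the base64 body decodes to exactly one complete DER SEQUENCE.

    A CSR is a DER SEQUENCE (tag 0x30); its length field must account for every
    byte that follows it, so a paste that lost trailing lines fails this check.
    """
    b64 = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    try:
        der = base64.b64decode(b64, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return False
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:              # short-form length
        length, offset = first, 2
    else:                         # long-form length: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        offset = 2 + n
    return len(der) == offset + length


# Constructed sample, not a real CSR: a DER SEQUENCE with a long-form length
# (0x81 0x80 = 128 bytes) wrapping one 126-byte OCTET STRING, so the envelope
# is structurally valid and exercises the long-form branch above.
SAMPLE_DER = b"\x30\x81\x80" + b"\x04\x7e" + b"A" * 126
SAMPLE_PEM = (
    BEGIN_MARKER + "\n"
    + base64.encodebytes(SAMPLE_DER).decode()   # wrapped at 76 columns
    + END_MARKER + "\n"
)
# What a selection copied from the portal page might contain around the block.
PORTAL_TEXT = "Generate CSR\n\n" + SAMPLE_PEM + "\nDone\n"


def truncated(pem: str, drop_lines: int = 1) -> str:
    """Simulate a paste that lost trailing base64 lines but kept the END marker."""
    lines = pem.strip().splitlines()
    return "\n".join(lines[:1] + lines[1:-1 - drop_lines] + lines[-1:]) + "\n"


if __name__ == "__main__":
    pem = extract_csr_pem(PORTAL_TEXT)
    print(pem)
    print("complete:", csr_der_is_complete(pem))
    print("truncated copy complete:", csr_der_is_complete(truncated(pem)))
```

The length check only validates the outer envelope; it does not verify the signature inside the request. It is meant to catch the copy-and-paste failure the procedure is exposed to, not to replace the certifying authority's own validation.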

Uploading the signed certificate

Once you receive the signed certificate from the certifying authority you can upload the signed certificate.

Procedure

  1. Under the Certificate Authority section in the Certificate Management page, find the entry for the CSR you generated.

  2. For that entry, select Actions > Upload New Signed Certificate.

  3. Click Choose File.

  4. Select the new signed certificate.

  5. Click Done.

Uploading an existing certificate

This topic describes how to upload a signed certificate.

Procedure

  1. Under the Certificate Authority section in the Certificate Management page, click Add.

  2. In the Add Certificate Authority section, under Create an Intermediate Certificate Authority, click Upload Existing Identity.

  3. In the Name field, enter a name for this certificate that distinguishes it from others.

  4. Click Upload.

  5. Select the certificate.

  6. Enter the password for the certificate.

  7. Click Upload.

Viewing a certificate of the intermediate certificate authority

You can view the details of a certificate and get the CRL (Certificate Revocation List) URL of the certificate authority.

Procedure

  1. In the Certificate Authority section, click Actions next to the certificate authority and click View Certificate. The View certificate window is displayed.

  2. In the View Certificate window, you can view the URL in the CRL URL field.

  3. Click Copy to copy the URL to a clipboard and paste in another application. This URL can be used to configure Office 365 to accept certificates issued by the certificate authority.

Creating a Standalone Certificate Authority

Choose this option if you want to create a new, completely standalone (local and self-signed) Certificate Authority.

Procedure

  1. Under the Certificate Authority section in the Certificate Management page, click Add.

  2. In the Add Certificate Authority page, under Create a Standalone Certificate Authority, click Continue.

  3. Complete the displayed form.

  4. Click Generate.

Configuring the expiration period of the standalone certificate authority

You can configure the expiration period of the standalone (local) certificate authority. By default, the certificate lifetime is set to 30 years.

Procedure

  1. Under the Certificate Authority section in the Certificate Management page, click Actions next to the standalone certificate authority.

  2. Click Edit.

    The Edit Certificate Authority window is displayed.

  3. In the Client Certificate Template section, in the Certificate Lifetime field, enter the new expiration period in days.

  4. Click Save.

You may receive notifications and emails (if enabled) when the certificates issued by a local certificate authority are about to expire or have already expired.

  • Notification on the days of the certificate expiry - Notifications are generated at pre-determined intervals during a certificate expiration window. The first notification occurs 365 days before expiration, followed by additional notifications that occur 180 days, 60 days, 45 days and 7 days before expiration. You will receive this notification until you replace the certificate by navigating to Admin > Certificate Management > Actions > Upload New Signed Certificate.
  • Notification on the expired certificate - You receive a notification when the certificate expires. You will have to replace the certificate to resume normal service.
  • Notification when a new valid certificate is uploaded - The notification will be sent when the new signed certificate is uploaded.

Viewing a certificate of the standalone certificate authority

You can view the details of a certificate and get the CRL (Certificate Revocation List) URL of the local certificate authority.

Procedure

  1. Under the Certificate Authority section in the Certificate Management page, click Actions next to the local certificate authority and click View Certificate. The View certificate window is displayed.

  2. In the View Certificate window, you can view the URL in the CRL URL field.

  3. Click Copy to copy the URL to a clipboard and paste in another application. This URL can be used to configure Office 365 to accept certificates issued by the local certificate authority.

Viewing a CRL lifetime of a Certificate Authority

You can view and edit the CRL lifetime of a local or intermediate certificate authority.

Procedure

  1. Under the Certificate Authority section in the Certificate Management page, click Actions next to the local certificate authority and click Edit. The Edit Certificate Authority window is displayed.

  2. In the Edit Certificate Authority window, you can view the CRL Lifetime value. The minimum default value is 24 hours. The maximum value that can be entered is 10950 hours.

  3. Edit the CRL lifetime value and click Save.

Creating a Cloud Certificate Authority

Choose this option if you want to use a Cloud Certificate Authority.

Procedure

  1. Go to Admin > Infrastructure > Certificate Management.

  2. In the Certificate Management page, under the Certificate Authority section, click Add.

  3. In the Add Certificate Authority page, under Connect to a publicly-trusted Cloud Certificate Authority, click Continue.

  4. Enter a name in the Name box.

  5. Select a Cloud Certificate Authority from the following options:

    • Atos IDnomic CMS
    • DigiCert One PKI Platform
    • DigiCert PKI Platform
    • Entrust
    • GlobalSign

  6. Enter the base URL and upload the certificate data.

  7. Click Done.

Using Advanced Search on certificates

You can use the Advanced Search option to search for issued certificates based on rules, to identify and view the certificates that meet specific criteria. These rules can be constructed using the applicable operators, including the "begins with", "ends with", "contains", "does not contain", "does not begin with", "does not end with", "is less than", "is greater than", "is in range", "is equal to", and "is not equal to" operators. The rule options can be nested together using the ANY (OR) or ALL (AND) options. The issued certificates matching the rules are displayed below the section. Starting from Ivanti Neurons for MDM release 76, all certificate management templates use the same standard set of operators. The operators of the following template are standardized in this release:

  • Admin > Certificate Management > Issued Certificates > Advanced Search

Advanced Search on Issued Certificates

Procedure

  1. Under the Issued Certificates section in the Certificate Management page, click the Advanced Search link.
  2. Click Any if the certificates need to match at least one of the rules, or click All if the certificates need to match all the rules.
  3. Create a rule that defines the search criteria, for the following attributes:
    • CA
    • Configuration Name
    • Expiry
    • Is Private Key
    • OS
    • Serial Number
    • Status
    • Usage Type
    • User
  4. (Optional) Click + to create additional rules, if needed.
  5. (Optional) Click Save to save the query.
  6. Click Search. The list of certificates matching the search criteria is displayed in the page.
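To make the operator list and the ANY/ALL nesting concrete, here is a small rule evaluator in Python. It is an added example, not Ivanti's code, and it runs over constructed certificate records that use the attribute names listed in step 3. Expiry is modelled as an integer number of days until expiry (an assumption for the example; the portal shows a date), and the operand for "is in range" is a (low, high) pair.

```python
from typing import Any, Callable, Dict, List, Tuple, Union

# The operators offered by Advanced Search, as predicates over (value, operand).
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "begins with":         lambda v, x: str(v).startswith(str(x)),
    "ends with":           lambda v, x: str(v).endswith(str(x)),
    "contains":            lambda v, x: str(x) in str(v),
    "does not contain":    lambda v, x: str(x) not in str(v),
    "does not begin with": lambda v, x: not str(v).startswith(str(x)),
    "does not end with":   lambda v, x: not str(v).endswith(str(x)),
    "is less than":        lambda v, x: v < x,
    "is greater than":     lambda v, x: v > x,
    "is in range":         lambda v, x: x[0] <= v <= x[1],   # operand: (low, high)
    "is equal to":         lambda v, x: v == x,
    "is not equal to":     lambda v, x: v != x,
}

Rule = Tuple[str, str, Any]      # (attribute, operator, operand)
Group = Dict[str, Any]           # {"match": "ANY" | "ALL", "rules": [Rule | Group, ...]}


def evaluate(node: Union[Rule, Group], record: Dict[str, Any]) -> bool:
    """Evaluate one rule, or a nested ANY/ALL group, against one certificate record."""
    if isinstance(node, dict):
        results = (evaluate(child, record) for child in node["rules"])
        if node["match"] == "ANY":
            return any(results)
        if node["match"] == "ALL":
            return all(results)
        raise ValueError(f"unknown match mode {node['match']!r}")
    attribute, operator, operand = node
    if operator not in OPERATORS:
        raise ValueError(f"unknown operator {operator!r}")
    if attribute not in record:
        return False   # a record lacking the attribute never matches, rather than raising
    return OPERATORS[operator](record[attribute], operand)


def search(records: List[Dict[str, Any]], query: Union[Rule, Group]) -> List[str]:
    """Return the serial numbers of the records that satisfy the query."""
    return [r["Serial Number"] for r in records if evaluate(query, r)]


# Constructed sample records using the attributes from the Issued Certificates search.
SAMPLE_CERTS = [
    {"CA": "Local CA", "Configuration Name": "Wi-Fi Corp", "Expiry": 12, "Is Private Key": True,
     "OS": "iOS", "Serial Number": "1A2B", "Status": "Issued",
     "Usage Type": "Client Authentication", "User": "alice@example.com"},
    {"CA": "Local CA", "Configuration Name": "VPN", "Expiry": 200, "Is Private Key": True,
     "OS": "Android", "Serial Number": "3C4D", "Status": "Issued",
     "Usage Type": "Smart Card Logon", "User": "bob@example.com"},
    {"CA": "GlobalSign", "Configuration Name": "Email", "Expiry": 5, "Is Private Key": False,
     "OS": "iOS", "Serial Number": "5E6F", "Status": "Revoked",
     "Usage Type": "Client Authentication", "User": "carol@example.com"},
    {"CA": "Intermediate CA", "Configuration Name": "VPN", "Expiry": 40, "Is Private Key": True,
     "OS": "Android", "Serial Number": "7A8B", "Status": "Issued",
     "Usage Type": "IPSEC", "User": "dave@contractor.example"},
]

# ALL: issued certificates expiring in under 30 days.
QUERY_EXPIRING_ISSUED: Group = {"match": "ALL", "rules": [
    ("Status", "is equal to", "Issued"),
    ("Expiry", "is less than", 30),
]}
# ANY with a nested ALL: every Android certificate, plus non-issued GlobalSign ones.
QUERY_NESTED: Group = {"match": "ANY", "rules": [
    ("OS", "is equal to", "Android"),
    {"match": "ALL", "rules": [
        ("CA", "begins with", "Global"),
        ("Status", "is not equal to", "Issued"),
    ]},
]}
# ALL: company users whose certificate expires within the 0-30 day window.
QUERY_RANGE: Group = {"match": "ALL", "rules": [
    ("User", "ends with", "@example.com"),
    ("Expiry", "is in range", (0, 30)),
]}

if __name__ == "__main__":
    for name, q in [("expiring issued", QUERY_EXPIRING_ISSUED),
                    ("nested", QUERY_NESTED), ("range", QUERY_RANGE)]:
        print(name, "->", search(SAMPLE_CERTS, q))
```

Missing attributes are treated as non-matching rather than as errors, which is the safer default when a query mixes templates whose attribute sets differ, such as the Issued Certificates and User Provided Certificates searches.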

Advanced Search on User Provided Certificates

Procedure

  1. Under the User Provided Certificates section in the Certificate Management page, click the Advanced Search link.
  2. Click Any if the certificates need to match at least one of the rules, or click All if the certificates need to match all the rules.
  3. Create a rule that defines the search criteria, for the following attributes:
    • Certificate Name
    • Expiration Date
    • Issued By
    • Uploaded On
  4. (Optional) Click + to create additional rules, if needed.
  5. (Optional) Click Save to save the query.
  6. Click Search. The list of certificates matching the search criteria is displayed in the page.

Loading the Search queries for issued certificates

This topic describes how to view the list of saved search queries.

Procedure

  1. Under the Issued Certificates section in the Certificate Management page, click the Advanced Search link.
  2. Click the 'Folder' icon. The Advanced Search window is displayed. The list of the created search queries is displayed in the Loaded Query section. The following details are displayed in this section:
    • Query Name - The name of the loaded query.
    • Query Content - Displays the content on the rules defining the search query.
    • Actions - Select the action to be performed on the query.
  3. Click Load Query in the Actions column to view the list of issued certificates matching the criteria defined in the loaded query.

    To delete a loaded query, click the Delete icon.

Click Export to CSV to download the search result report contents in a CSV file for later reference or analysis.

Viewing the expiration period of the issued certificates

Under the Issued Certificates section, in the Expires (in days) column you can view the days remaining until the certificate expires if the expiry is within the next 30 days. If the certificate has already expired within the last 30 days, the Expires (in days) column for the certificate displays the number of days passed since the date of expiry.
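Both the local CA notification schedule described earlier (365, 180, 60, 45 and 7 days before expiry, then a notification on expiry) and the 30-day Expires (in days) window just described reduce to a signed day count. The following Python is an added example, not part of the product, that computes both from a map of serial numbers to expiry dates, for instance when reconciling an exported CSV against your own monitoring. The labelled tuples returned for the column are an assumption: the page does not say how the portal visually distinguishes an expiring entry from an expired one.

```python
from datetime import date, timedelta

# Notification milestones, in days before expiry, for the local certificate authority.
MILESTONES_DAYS_BEFORE = (365, 180, 60, 45, 7)
# Width, in days, of the window in which the Expires (in days) column shows a value.
DISPLAY_WINDOW_DAYS = 30


def days_until(expiry: date, today: date) -> int:
    """Signed day count: positive before expiry, zero on the day, negative after."""
    return (expiry - today).days


def due_notifications(expiry: date, today: date) -> list:
    """Milestones already reached for this certificate, largest first.

    Each milestone counts once its threshold has been crossed, and "expired" is
    appended once the certificate is past its expiry date. A certificate 50 days
    from expiry has therefore crossed the 365, 180 and 60 day marks.
    """
    remaining = days_until(expiry, today)
    due = [m for m in MILESTONES_DAYS_BEFORE if remaining <= m]
    if remaining < 0:
        due.append("expired")
    return due


def expires_in_days_cell(expiry: date, today: date):
    """Value for the Expires (in days) column, or None when nothing is shown.

    Days remaining are shown when expiry is within the next 30 days; days elapsed
    are shown when expiry fell within the last 30 days. The ("expires_in", n) and
    ("expired_for", n) labels are this example's own convention (assumption).
    """
    remaining = days_until(expiry, today)
    if 0 <= remaining <= DISPLAY_WINDOW_DAYS:
        return ("expires_in", remaining)
    if -DISPLAY_WINDOW_DAYS <= remaining < 0:
        return ("expired_for", -remaining)
    return None


def expiry_report(certs: dict, today: date) -> dict:
    """Run both checks over a {serial: expiry_date} map."""
    return {
        serial: {
            "due": due_notifications(exp, today),
            "cell": expires_in_days_cell(exp, today),
        }
        for serial, exp in certs.items()
    }


# Constructed reference date and sample certificates (serial -> expiry date).
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_CERTS = {
    "1001": SAMPLE_TODAY + timedelta(days=400),   # nothing due yet, outside window
    "1002": SAMPLE_TODAY + timedelta(days=50),    # 365/180/60 marks crossed
    "1003": SAMPLE_TODAY + timedelta(days=7),     # every pre-expiry mark crossed
    "1004": SAMPLE_TODAY - timedelta(days=3),     # expired 3 days ago
    "1005": SAMPLE_TODAY - timedelta(days=45),    # expired, outside the 30-day window
}

if __name__ == "__main__":
    for serial, result in expiry_report(SAMPLE_CERTS, SAMPLE_TODAY).items():
        print(serial, result)
```

The milestone list is cumulative rather than a single "current" milestone, so a certificate that was onboarded late (already inside the 60-day mark, say) is reported with every mark it has crossed, not just the most recent one.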

For more information, see SCEP configuration for external certificate authorities.

Export to CSV

You can export the certificates to a CSV file for later reference or analysis.

Procedure

  1. In the Certificate Management page, go to one of the following tabs.

    • Certificate Authority

    • Issued Certificates

    • User Provided Certificates

  2. Click Export to CSV.

  3. Click Download.

  4. (Optional) Click Delete to delete the report.