Configuring SCEP

This section describes how to specify settings that allow the device to obtain certificates from a CA using Simple Certificate Enrollment Protocol (SCEP).

To specify the SCEP settings:

  1. Go to Policies & Configs > Configurations and click Add New > Certificate Enrollment > SCEP.
  2. Use the following guidelines to specify the settings:

    • Name: Enter brief text that identifies this group of settings.
    • Description: Enter additional text that clarifies the purpose of this group.
    • Centralized: MobileIron Core retrieves certificates on behalf of devices. Core also manages the certificate lifetime and triggers renewals. See “SCEP proxy functions”.

      NOTE: Select this option for certificates used for email on devices with multi-user sign-in.
    • Decentralized: Devices retrieve their own certificates.

      Use this feature if using the SCEP setting for mutual authentication. It is not supported for any other use cases with Android, iOS, and macOS devices. See Enabling mutual authentication for Apple and Android devices.

      This feature is not available for Android devices.

    • Store keys on Core:

      Specifies whether MobileIron Core stores the private key sent to each device. When key storage is enabled, private keys are encrypted and stored on the local Core.

      If you select this option after devices have been provisioned, certificates will be re-provisioned for all impacted devices.

      NOTE: Select this option for certificates used for email on devices with multi-user sign-in.
    • Proxy requests through Core:

      This feature is not available for Android devices.

      When this option is enabled, Core acts as a reverse proxy between devices and the target certificate authority. This option is only available when Decentralized is selected.

    • User Certificate: Specifies that the certificate is distributed to multiple devices assigned to a single user.

      NOTE: Select this option for certificates used for email on devices with multi-user sign-in.
    • Device Certificate: Specifies that the certificate is bound to the given device.
    • URL: Enter the URL for the SCEP server.
    • CA-Identifier: (Optional) Enter the name of the profile for SCEP servers that support named profiles.
    • Subject: Enter an X.509 name represented as a comma-separated array of OIDs and values. Typically, the subject is set to the user’s fully qualified domain name. For example,

      C=US,DC=com,DC=MobileIron,OU=InfoTech or

      CN=www.mobileiron.com.

      You can also customize the Subject by appending a variable to the OID. For example, CN=www.mobileiron.com-$DEVICE_CLIENT_ID$.

      For ease of configuration you can also use the $USER_DN$ variable to populate the Subject with the user’s FQDN.

    • Subject Common Name Type: Select the CN type specified in the certificate template. If you enter the $USER_DN$ variable in the Subject field, select None from the drop-down list.
    • Key Usage: Specify whether the key may be used for signing.
    • Encryption: Specify whether the key may be used for encryption.
    • Key Type: Specify the key type.
    • Key Length: The values are 1024, 1536, 2048 (the default), 3072, and 4096.
    • CSR Signature Algorithm: The values are SHA1, SHA256, SHA384 (default), and SHA512.
    • Finger Print: The fingerprint of the CA issuing the root certificate.
    • Challenge Type: Select None, Microsoft SCEP, or Manual to specify the type of challenge to use. The Challenge Type depends on what the NDES server is configured to use.
    • Challenge URL: For a Microsoft SCEP challenge type, enter the URL of the trustpoint defined for your Microsoft CA.
    • User Name: Enter the user name for the Microsoft SCEP CA.
    • Password: Enter the password for the Microsoft SCEP CA.
    • Subject Alternative Names Type: Select NT Principal Name, RFC 822 Name, or None, based on the attributes of the certificate template. You can enter four alternative name types.

      NOTE: If this SCEP setting is for authenticating the device to the Standalone Sentry using an identity certificate, select NT Principal Name and select Distinguished Name for a second Subject Alternative Name.
    • Subject Alternative Names Value: Select the Subject Alternate Name Value from the drop-down list of supported variables. You can also enter custom variables in addition to and instead of the supported variables.

      NOTE: If this SCEP setting is for authenticating the device to the Standalone Sentry using an identity certificate, enter $USER_UPN$ for the value corresponding to NT Principal Name and enter $USER_DN$ for the value corresponding to Distinguished Name.
  3. (Optional) Click Issue Test Certificate to verify that the configuration produces no errors. Although this step is optional, it is recommended. No real certificate is generated.
  4. Click Save.

    You cannot make changes to the saved SCEP settings. When you open a saved SCEP setting, the Save button is disabled.

    NOTE: If values that you enter in fields result in errors, you cannot save the configuration. If values that you enter result in warnings, you can save the configuration after confirming the warning messages. To see configuration errors, go to Services > Overview.

X.509 Codes

The Subject field uses an X.509 distinguished name. You can use one or more X.509 codes, separated by commas. This table describes the valid X.509 codes:

Table 1. X.509 Codes

| Code | Name                | Type    | Max Size | Example              |
|------|---------------------|---------|----------|----------------------|
| C    | Country/Region      | ASCII   | 2        | C=US                 |
| DC   | Domain Component    | ASCII   | 255      | DC=company, DC=com   |
| S    | State or Province   | Unicode | 128      | S=California         |
| L    | Locality            | Unicode | 128      | L=Mountain View      |
| O    | Organization        | Unicode | 64       | O=Company Name, Inc. |
| OU   | Organizational Unit | Unicode | 64       | OU=Support           |
| CN   | Common Name         | Unicode | 64       | CN=www.company.com   |

NOTE: If the SCEP entry is not valid, then you will be prompted to correct it; partial and invalid entries cannot be saved.
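As an added illustration (not MobileIron's own code), the following Python checks a Subject string against the codes, types and sizes in Table 1 and expands the $USER_DN$ and $DEVICE_CLIENT_ID$ variables used in the Subject examples above. The variable values and sample DNs are constructed, and keeping a comma inside a value (as in Table 1's "O=Company Name, Inc.") with that value is an assumption about how the field is parsed.

```python
import re

# Table 1 (X.509 Codes) from the page: code -> (character type, max size)
X509_CODES = {
    "C": ("ASCII", 2), "DC": ("ASCII", 255),
    "S": ("Unicode", 128), "L": ("Unicode", 128),
    "O": ("Unicode", 64), "OU": ("Unicode", 64), "CN": ("Unicode", 64),
}

# Variable names are the ones the page mentions; the values are constructed samples.
SAMPLE_VARIABLES = {
    "$USER_DN$": "CN=Jane Doe,OU=Support,DC=company,DC=com",
    "$DEVICE_CLIENT_ID$": "device-0001",
}

# Assumption: split only on commas that begin a new CODE= pair, so a comma
# inside a value (Table 1's "O=Company Name, Inc.") stays with its value.
RDN_SPLIT = re.compile(r",\s*(?=[A-Za-z]+=)")
VARIABLE = re.compile(r"\$[A-Z_]+\$")

def expand_variables(template, variables):
    """Substitute $NAME$ placeholders; an unknown placeholder is an error."""
    def lookup(match):
        name = match.group(0)
        if name not in variables:
            raise ValueError(f"unknown variable {name}")
        return variables[name]
    return VARIABLE.sub(lookup, template)

def validate_subject(subject):
    """Check a Subject DN against Table 1; return a list of problems ([] = valid)."""
    problems = []
    for rdn in RDN_SPLIT.split(subject):
        code, sep, value = rdn.strip().partition("=")
        code = code.upper()
        if not sep or code not in X509_CODES:
            problems.append(f"{rdn.strip()!r}: not a CODE=value pair with a valid X.509 code")
            continue
        char_type, max_size = X509_CODES[code]
        if not value:
            problems.append(f"{code}: empty value")
        elif len(value) > max_size:
            problems.append(f"{code}: value {value!r} exceeds max size {max_size}")
        elif char_type == "ASCII" and not value.isascii():
            problems.append(f"{code}: value {value!r} must be ASCII")
    return problems
```

Run validate_subject on the expanded template before saving the setting; an empty list means every code, length and character type matches Table 1.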

SCEP proxy functions

Choosing to enable SCEP proxy functions has the following benefits:

  • A single certificate verifies Exchange ActiveSync, Wi-Fi, and VPN configurations.
  • There is no need to expose a SCEP listener to the Internet.
  • MobileIron can detect and address revoked and expired certificates.