Certificate Template

Certificate templates allow SOTI MobiControl to create dynamic certificates based on user enrollment or device authentication.

Note: Fields may differ depending on the type of certificate for which you're creating a template.
SOTI MobiControl Template Name: Enter a name for your certificate template.
CA Template Name: Enter the name of the certificate authority template.
Profile OID: Enter the certificate profile OID that is associated with the certificate authority template.
Subject Name: The subject name used to create certificates.

Click the button to use macros to build the subject name. Supported macros include Enrolled User Principal Name, User Domain, User Username, User email or a Device Name, MAC Address, Serial Number or Platform.

Note: Each certificate type has specific requirements for the Subject Name field as follows:
Certificate Type: Required Content
  • ADCS: CN=%DEVICENAME
  • Entrust: igusername = user, iggroup = group, devicetype = device
  • General SCEP: CN=%DEVICENAME
  • Symantec: seat_id=
Subject Alternative Names: Click Add or Edit to open the Subject Alternative Name dialog box, in which you can add subject alternative names for the certificate template.
Certificate Target: Choose whether the certificate will be issued to a device or a user. If you choose Device, you can decide whether the certificate is provisioned to authenticated users only and whether the private key is preserved. If you choose User, both of those options are mandatory. Choosing User offers the best security.
Provision Certificate to Authenticated Users Only: When enabled, only authenticated users have access to the certificate.
Preserve Private Key: When enabled, the private key is preserved.
Certificate Usage: Choose whether the certificate will be used for signing, encryption, or both.
Key Size: Choose the size of the key:
  • 1024
  • 2048
  • 4096
  • 8192
Remove old certificates upon successful renewal: When enabled, expired certificates are deleted from the device after their replacement certificate is successfully installed.
Use Automatic Renewal: When enabled, certificates are renewed automatically, with no intervention required from the device user.
Days Before Automatic Renewal: Specify the interval (in days) before a certificate is renewed.

The Use Automatic Renewal option must be enabled to use this setting.

Publish certificate to LDAP: When enabled, the certificate is published to the user's record in LDAP.
Key Protection: Determines the level of protection for your key. Options are:
  • Protected
  • Protected if Supported
  • Not Protected
Note: When testing the functionality of certificate templates, ensure that the default template is used for simplicity. If a custom template must be used, ensure the following:
  • In the Template properties, under Issuance Requirements, set Authorize Signatures to 1.
  • For Policy type required in signature, select Application Policy.
  • For Application Policy, select Certificate Request Agent.