Certificate Validation
SOTI Cloud Link Agent communication is protected by mutually authenticated HTTPs sessions. Each SOTI MobiControl instance provides a client certificate for authenticating to the SOTI Cloud Link Agent, which can be validated by the SOTI Cloud Link Agent or a reverse proxy.
The SOTI Cloud Link Agent can be configured to use both client and server-side certificate validations. The client (SOTI MobiControl) uses standard SSL validation and verifies whether the certificate presented by the SOTI Cloud Link Agent is trusted on the client. The server (SOTI Cloud Link Agent), if configured, uses certificate pinning to validate the certificate sent by the client. The server checks that the client's certificate has the specific thumbprint configured through the SOTI Cloud Link Agent Administration Utility.
Server Certificate
To set up the server certificate, bind any standard SSL certificate to the SSL port. The certificate should be trusted by clients and issued for the specific domain with "Digital Signature" key usage.
Client Certificate
To configure the client certificate:
- Decide whether to issue your own client Certificate or use the one provided by SOTI MobiControl.
- Ensure you have the root certificate on hand for any certificate authority you use to issue certificates.
- Request an intermediate certificate from SOTI technical support to complete the certificate trust chain between the SOTI Cloud Link Agent and the SOTI MobiControl server.
- Include both the SOTI MobiControl root certificate and the intermediate certificate on the SOTI Cloud Link Agent Server.
- Using the SOTI Cloud Link Agent Administration Utility, configure SOTI Cloud Link Agent to accept only the specific client certificate.