Certificate Authority

Use the Certificate Authority dialog box to configure certificate authorities and create certificate templates. SOTI MobiControl uses certificate templates to create certificates that are dynamic for each user and device. For details, see Adding Certificates.

You can configure the following certificate authority types:

Common to All Certificates

Name Enter a name for your certificate authority.
Certificate Type Select a certificate type:
  • ADCS
  • Entrust
  • Generic SCEP
  • Symantec

The layout of the dialog box changes according to the certificate type you select.

Certificate Templates This section lists the existing certificate templates. Click the + icon to expand the Certificate Templates section (see Certificate Templates / Template Details).

ADCS

ADCS supports PKI and SCEP configuration types.

PKI

Protocol Choose which protocol SOTI MobiControl uses to communicate with the certificate authority. Options are:
  • HTTPS
  • DCOM
Enrollment URL Enter the URL you received after installing the Certificate Enrollment Web Service.
Policy URL Enter the URL you received after installing the Certificate Enrollment Policy Web Service.
Trusted Root Certificate If the certificate authority has a self-signed certificate, upload the root certificate here. You can browse for the certificate file or drag and drop it into the field.
Enrollment Certificate Click the Add icon to open the Add Enrollment Certificate dialog box (see Add Enrollment Certificate), where you can select the enrollment agent certificate. This certificate is used to sign certificate requests to the ADCS server, and is explicitly trusted to request certificates on behalf of other users, for example, the device owner in SOTI MobiControl.
Authentication Type The authentication type to communicate with the certificate authority. Options are:
  • Certificate
  • Username/Password
  • Kerberos
Authentication Credential Certificate Click the Add icon to open the Add Authentication Credential Certificate dialog box (see Add Authentication Credential Certificate), where you can select the certificate file.
Note: Available only when Certificate is the selected Authentication Type.
Username The username of the account to communicate with the certificate authority.
Note: Available only when Username/Password is the selected Authentication Type.
Password The password of the account to communicate with the certificate authority.
Note: Available only when Username/Password is the selected Authentication Type.
Cloud Link Agent Select the client certificate that you use to authenticate to the SOTI Cloud Link Agent.
Note: This option is applicable only to SOTI MobiControl Cloud customers. Read SOTI Cloud Link Agent for more information.

SCEP

Note: iOS devices can request SCEP certificates natively. For other devices, SOTI MobiControl makes the request to the SCEP server on the device's behalf and then pushes the SCEP certificate to the device.
Use SCEP Client Turn on the toggle to make your certificate authority use a SCEP client.
Service URL Enter the URL received after installing the Certification Authority Web Enrollment role service.
Use Static Challenge Turn on the toggle to use a static challenge when devices request new certificates. When this option is disabled, a dynamic challenge is used. Every time a device requests a certificate, a new challenge is issued.
Challenge URL Enter the URL received after installing the Network Device Enrollment role service.
Note: Applicable only if Use Static Challenge is disabled.
Static Challenge Enter the Static Challenge key here.
Note: Applicable only if Use Static Challenge is enabled.
Thumbprint Enter the thumbprint for your certificate.
Username Enter the username of the account to communicate with the certificate authority.
Password Enter the password of the account to communicate with the certificate authority.
Retries Enter the number of times a device attempts to obtain a certificate.
Retry Delay Enter the timeout delay between the retries.
Cloud Link Agent Select the client certificate that you use to authenticate to the SOTI Cloud Link Agent.
Note: This option is applicable only to SOTI MobiControl Cloud customers. Read SOTI Cloud Link Agent for more information.

Entrust

Configuration Type Displays the configuration type: PKI.
Service URL Enter the URL provided by Entrust for certification services.
Username Enter the user name used to authenticate.
Password Enter the password used to authenticate.

Generic SCEP

Service URL Enter the URL of the certificate authority services.
Use Static Challenge Turn on the toggle to use a static challenge when devices request new certificates. When disabled, a dynamic challenge is used. Every time a device requests a certificate, a new challenge will be issued.
Static Challenge Enter the static challenge key. A static challenge must be used if certificates are going to be issued to more than one device.
Note: Applicable only if Use Static Challenge is enabled.
Use SCEP Client Turn on the toggle to make your certificate authority use a SCEP client.
Thumbprint Enter the thumbprint for your certificate.
Retries Enter the number of attempts a device can make to get a certificate from the SCEP server.
Retry Delay Enter the timeout delay between retries.

Symantec

Configuration Type Displays the configuration type: PKI.
Service URL Enter the URL of the Symantec certificate authority services.
Registration Authority Certificate The registration authority (RA) certificate. To generate a new RA certificate, click Generate Certificate to open the Generate RA Certificate dialog box (see Generate RA Certificate), where you can generate the certificate.

Once you have made changes that require saving, you are prompted to Save or Cancel them.