Certificate Authority
Use the Certificate Authority dialog box to configure certificate authorities and create certificate templates. SOTI MobiControl uses certificate templates to create dynamic certificates for each user and device. For details, see Adding Certificates.
You can configure the following certificate authority types:
Common to All Certificates
| Name | Enter a name for your certificate authority. |
| Certificate Type | Select a certificate type:
|
| Certificate Templates | This section lists the existing certificate templates. Select the + icon to expand the Certificate Templates section (see Certificate Templates / Template Details). |
ADCS
ADCS supports PKI and SCEP configuration types.
PKI
| Protocol | Choose which protocol SOTI MobiControl uses to communicate with the certificate authority. Options are:
|
| Enrollment URL | Enter the URL you received after installing the Certificate Enrollment Web Service. |
| Policy URL | Enter the URL you received after installing the Certificate Enrollment Policy Web Service. |
| Trusted Root Certificate | If the certificate authority has a self-signed certificate, upload the root certificate here. You can browse for the certificate file or drag it into the field. |
| Enrollment Certificate | Select the Add icon to open the Add Enrollment Certificate dialog box, where you can select the enrollment agent certificate (see Add Enrollment Certificate). This certificate signs certificate requests to the ADCS server. It is explicitly trusted to request certificates on behalf of other users, for example, the device owner in SOTI MobiControl. |
| Authentication Type | The authentication type to communicate with the certificate authority. Options are:
|
| Authentication Credential Certificate | Select the Add icon to open the Add Authentication
Credential Certificate dialog box , where you can
select the certificate file (see Add Authentication Credential Certificate). Note: Available only when
Certificate is the selected
Authentication Type.
|
| Username | The username of the account to communicate with the certificate authority.
Note: Available only when Username/Password is the selected Authentication Type.
|
| Password | The password of the account to communicate with the certificate authority.
Note: Available only when Username/Password is the selected Authentication Type.
|
| Cloud Link Agent | Select the client certificate you use to authenticate to SOTI Cloud Link. Note: This option applies only to
SOTI MobiControl Cloud customers. See
SOTI Cloud Link for
more information.
|
SCEP
Note: iOS devices can request SCEP certificates natively. For other devices, SOTI MobiControl makes the request to the SCEP server on the device's behalf and then pushes the SCEP certificate to the device.
CAUTION: Be sure to select an authentication method suitable to your requirements.
SOTI recommends Windows Authentication over basic
authentication for higher security.
| Use SCEP Client | This option enables or disables SOTI MobiControl's built-in SCEP Client. If enabled, the SOTI MobiControl server acts as the client when requesting certificates for devices using SCEP. If disabled, SOTI MobiControl assumes your device can request SCEP certificates natively (for example, iOS and Windows Modern). |
| Service URL | Enter the URL received after installing the Certification Authority Web Enrollment role service. |
| Use Static Challenge | Turn on to use a static challenge when devices request new certificates. When disabled, new dynamic challenges are issued each time a device requests a certificate. |
| Challenge URL | Enter the URL received after installing the Network Device Enrollment role service.
Note: Applicable only if Use Static Challenge is disabled.
|
| Static Challenge | Enter the Static Challenge key here.
Note: Applicable only if Use Static Challenge is enabled.
|
| Thumbprint | Enter the thumbprint for your certificate. |
| Username | Enter the username of the account to communicate with the certificate authority. |
| Password | Enter the password of the account to communicate with the certificate authority. |
| Retries | Enter the number of times a device attempts to obtain a certificate. |
| Retry Delay | Enter the timeout delay between the retries. |
| Cloud Link Agent | Select the Cloud Link Agent that enables communication between SOTI MobiControl and the Target certificate authority
server. Note: This option applies only to SOTI MobiControl Cloud customers. See SOTI Cloud Link for more
information.
|
Entrust
| Configuration Type | Displays the configuration type: PKI. |
| Service URL | Enter the URL provided by Entrust for certification services. |
| Username | Enter the user name used to authenticate. |
| Password | Enter the password used to authenticate. |
EJBCA
| Configuration Type | Displays the configuration type: EST |
| Alias | Enter the EST alias name created in EJBCA. |
| Service URL | Enter the URL of the certificate authority services. |
| Authentication Type | Select an authentication type to match what you provided in EJBCA when setting up your
EST alias:
|
| Username | Enter the user name used to authenticate. |
| Password | Enter the password used to authenticate. |
| Authentication Credential Certificate | Select the Add icon to open the Add Authentication
Credential Certificate dialog box (see Add Authentication Credential Certificate), where you can select the
certificate file. Note: Available only when
Certificate or
Both is the selected Authentication
Type. |
| Cloud Link Agent | Select the client certificate you use to authenticate to SOTI Cloud Link. Note: This
option is applicable only to SOTI MobiControl
Cloud customers. Read SOTI Cloud Link for more
information. |
Generic SCEP
| Service URL | Enter the URL of the certificate authority services. |
| Use Static Challenge | Turn on to use a static challenge when devices request new certificates. When disabled, a dynamic challenge is used. Every time a device requests a certificate, a new challenge is issued. |
| Static Challenge | Enter the static challenge key. You must use a static challenge if you are issuing
certificates to more than one device. Note: Applicable only if
Use Static Challenge is
enabled.
|
| Use SCEP Client | Turn on to make your certificate authority use an SCEP client. |
| Thumbprint | Enter the thumbprint of the Public Key Root Certificate from the Certificate Authority (CA). |
| Retries | Enter the number of attempts a device can make to get a certificate from the SCEP server. |
| Retry Delay | Enter the timeout delay between retries. |
Symantec
| Configuration Type | Displays the configuration type: PKI. |
| Service URL | Enter the URL of the Symantec certificate authority services. |
| Registration Authority Certificate | The registration authority (RA) certificate. To generate a new RA certificate, select Generate Certificate to open the Generate RA Certificate dialog box (see Generate RA Certificate), where you can generate the certificate. |
After making changes, follow the prompts to Save or Cancel them.