Certificate Authority

Use the Certificate Authority dialog box to configure certificate authorities and create certificate templates. SOTI MobiControl uses certificate templates to create dynamic certificates for each user and device. For details, see Adding Certificates.

You can configure the following certificate authority types:

Common to All Certificates

Name Enter a name for your certificate authority.
Certificate Type Select a certificate type:
  • ADCS
  • Entrust
  • EJCBA
  • Generic SCEP
  • Symantec
The layout of the dialog box changes according to the certificate type you select.
Certificate Templates This section lists the existing certificate templates. Select the + icon to expand the Certificate Templates section (see Certificate Templates / Template Details).

ADCS

ADCS supports PKI and SCEP configuration types.

PKI

Protocol Choose which protocol SOTI MobiControl uses to communicate with the certificate authority. Options are:
  • HTTPS
  • DCOM
Enrollment URL Enter the URL you received after installing the Certificate Enrollment Web Service.
Policy URL Enter the URL you received after installing the Certificate Enrollment Policy Web Service.
Trusted Root Certificate If the certificate authority has a self-signed certificate, upload the root certificate here. You can browse for the certificate file or drag it into the field.
Enrollment Certificate Select the Add icon to open the Add Enrollment Certificate dialog box, where you can select the enrollment agent certificate (see Add Enrollment Certificate). This certificate signs certificate requests to the ADCS server. It is explicitly trusted to request certificates on behalf of other users, for example, the device owner in SOTI MobiControl.
Authentication Type The authentication type to communicate with the certificate authority. Options are:
  • Certificate
  • Username/Password
  • Kerberos
Authentication Credential Certificate Select the Add icon to open the Add Authentication Credential Certificate dialog box , where you can select the certificate file (see Add Authentication Credential Certificate).
Note: Available only when Certificate is the selected Authentication Type.
Username The username of the account to communicate with the certificate authority.
Note: Available only when Username/Password is the selected Authentication Type.
Password The password of the account to communicate with the certificate authority.
Note: Available only when Username/Password is the selected Authentication Type.
Cloud Link Agent Select the client certificate you use to authenticate to SOTI Cloud Link.
Note: This option applies only to SOTI MobiControl Cloud customers. See SOTI Cloud Link for more information.

SCEP

Note: iOS devices can request SCEP certificates natively. For other devices, SOTI MobiControl makes the request to the SCEP server on the device's behalf and then pushes the SCEP certificate to the device.
CAUTION: Be sure to select an authentication method suitable to your requirements. SOTI recommends Windows Authentication over basic authentication for higher security.
Use SCEP Client This option enables or disables SOTI MobiControl's built-in SCEP Client. If enabled, the SOTI MobiControl server acts as the client when requesting certificates for devices using SCEP. If disabled, SOTI MobiControl assumes your device can request SCEP certificates natively (for example, iOS and Windows Modern).
Service URL Enter the URL received after installing the Certification Authority Web Enrollment role service.
Use Static Challenge Turn on to use a static challenge when devices request new certificates. When disabled, new dynamic challenges are issued each time a device requests a certificate.
Challenge URL Enter the URL received after installing the Network Device Enrollment role service.
Note: Applicable only if Use Static Challenge is disabled.
Static Challenge Enter the Static Challenge key here.
Note: Applicable only if Use Static Challenge is enabled.
Thumbprint Enter the thumbprint for your certificate.
Username Enter the username of the account to communicate with the certificate authority.
Password Enter the password of the account to communicate with the certificate authority.
Retries Enter the number of times a device attempts to obtain a certificate.
Retry Delay Enter the timeout delay between the retries.
Cloud Link Agent Select the Cloud Link Agent that enables communication between SOTI MobiControl and the Target certificate authority server.
Note: This option applies only to SOTI MobiControl Cloud customers. See SOTI Cloud Link for more information.

Entrust

Configuration Type Displays the configuration type: PKI.
Service URL Enter the URL provided by Entrust for certification services.
Username Enter the user name used to authenticate.
Password Enter the password used to authenticate.

EJBCA

Configuration Type Displays the configuration type: EST
Alias Enter the EST alias name created in EJBCA.
Service URL Enter the URL of the certificate authority services.
Authentication Type Select an authentication type to match what you provided in EJBCA when setting up your EST alias:
  • Username/Password
  • Certificate
  • Both
Username Enter the user name used to authenticate.
Password Enter the password used to authenticate.
Authentication Credential Certificate Select the Add icon to open the Add Authentication Credential Certificate dialog box (see Add Authentication Credential Certificate), where you can select the certificate file.
Note: Available only when Certificate or Both is the selected Authentication Type.
Cloud Link Agent Select the client certificate you use to authenticate to SOTI Cloud Link.
Note: This option is applicable only to SOTI MobiControl Cloud customers. Read SOTI Cloud Link for more information.

Generic SCEP

Service URL Enter the URL of the certificate authority services.
Use Static Challenge Turn on to use a static challenge when devices request new certificates. When disabled, a dynamic challenge is used. Every time a device requests a certificate, a new challenge is issued.
Static Challenge Enter the static challenge key. You must use a static challenge if you are issuing certificates to more than one device.
Note: Applicable only if Use Static Challenge is enabled.
Use SCEP Client Turn on to make your certificate authority use an SCEP client.
Thumbprint Enter the thumbprint of the Public Key Root Certificate from the Certificate Authority (CA).
Retries Enter the number of attempts a device can make to get a certificate from the SCEP server.
Retry Delay Enter the timeout delay between retries.

Symantec

Configuration Type Displays the configuration type: PKI.
Service URL Enter the URL of the Symantec certificate authority services.
Registration Authority Certificate The registration authority (RA) certificate. To generate a new RA certificate, select Generate Certificate to open the Generate RA Certificate dialog box (see Generate RA Certificate), where you can generate the certificate.

After making changes, follow the prompts to Save or Cancel them.