PRK Encryption Certificate

Use the PRK Encryption Certificate page to supply the certificate for encrypting the Personal Recovery Key (PRK) of your macOS device for storage in the SOTI MobiControl server. You must add a new certificate for encrypting your device's PRK the first time you access the PRK Encryption Certificate page.

Creating a certificate

The administrator must create a self-signed certificate that meets the following requirements:

Note: You may use any self-signed certificate application, such as OpenSSL.

Once the OpenSSL tool is downloaded, you need to generate a PKCS#12 certificate as follows:

Create a private key named 'PrivateKey.pem' with key length '2048' using the following command:
openssl genrsa -out PrivateKey.pem 2048.
Generate a certificate request named 'CertificateReq.pem' using the private key you generated:
openssl req -x509 -new -key PrivateKey.pem -out CertificateReq.pem
Export a PKCS#12 file with data from the certificate & private key PEM file you generated.
openssl pkcs12 -export -in CertificateReq.pem -inkey PrivateKey.pem -out PKCSFile.p12
Upload PKCSFile.p12 under Global Settings > PRK Encryption Certificate.


Key Length	2048/4096 bits (recommended)
Key Pair Algorithm	RSA
Certificate Signing	Sha-256
Type	P12
Password	Yes

Adding a new certificate

Select ADD CERTIFICATE to upload a certificate. In the Add Certificate window, select a certificate file and enter the associated password. Select SAVE to add the certificate. Once the certificate upload is complete, the following information appears on the PRK Encryption Certificate page.


Configuration Status	Shows whether the PRK configuration status is active.
Issuer Name	Shows the certificate issuer's name.
Uploaded Date	Shows the certificate upload date.
Expiry Date	Shows the certificate expiry date.

Understanding certificate expiration

The following table explains what happens before and after a certificate expires.


Before expiration	A 30-day notification in the SOTI MobiControl web console precedes certificate expiration.
After expiration	Certificates expire according to server time (UTC). Once expired, the following occurs: In Global Settings > Apple > PRK Encryption Certificate, the Expiry Date turns red. The web console displays a notification to indicate that the certificate has expired. Note: The PRK stored in the SOTI MobiControl server continues to work. Enrolled devices cannot escrow the new PRK. The administrator must: Upload a new and valid certificate. See Replacing a certificate on this page. Reassign the File Vault profile to devices. See Reassigning FileVault Configuration.

Replacing a certificate

Select MODIFY to replace an existing certificate with a new certificate. In the Modify Certificate window, select a new certificate file and enter the associated password. Select SAVE to add the new certificate. After the certificate upload is complete, the uploaded certificate information appears on the PRK Encryption Certificate page.

Note: Once you upload a new certificate, you must reassign the FileVault configuration to the targeted device or device groups. Failure to do so may result in PRK decryption issues. See Reassigning FileVault Configuration for more information.