Certificate Authority Integration Details
Use the Certificate Authority dialog box in SOTI MobiControl to integrate supported CA services—such as ADCS, ACME, EJBCA, Entrust, Sectigo, and SCEP.
The Certificate Authority feature is used to manage and issue digital certificates to devices for secure communication, authentication, and policy enforcement. It plays a critical role in enterprise mobility management by enabling secure identity verification and encrypted data exchange.
Use the Certificate Authority dialog box to integrate your certificate authority service and create certificate templates.
SOTI MobiControl uses certificate templates to issue and maintain dynamic certificates for each user and device. For details about the Certificate Authority integration, see Step One: Integrate Certificate Authority Services.
Common to All Certificates
Name | Enter a name for your certificate authority. |
Certificate Type | Select a certificate type. Options are: |
ADCS
PKI
Protocol | Choose the protocol SOTI MobiControl uses to communicate with the certificate authority. Options are: |
Enrollment URL | Enter the URL you received after installing the Certificate Enrollment web service. |
Policy URL | Enter the URL you received after installing the Certificate Enrollment Policy web service. |
Trusted Root Certificate | If the certificate authority has a self-signed certificate, upload the root certificate here. You can browse for the certificate file or drag it into this field. |
Enrollment Certificate | Select the icon to open the Add Enrollment Certificate dialog box, where you can choose the enrollment agent certificate. Provide a *.pfx certificate file and its password when uploading the certificate. This certificate signs certificate requests to the ADCS server. It is explicitly trusted to request certificates on behalf of other users, such as the device owner. |
Authentication Type | The authentication type to communicate with the certificate authority. Options are: |
Authentication Credential Certificate | Select the icon to open the Add Authentication Credential Certificate dialog box, where you can select the certificate file. Provide a *.pfx certificate file and its password when uploading the certificate. Note: Available when Certificate is the selected authentication type. |
Username | The username of the account used to communicate with the certificate authority. Note: Available when Username/Password is the selected authentication type. |
Password | The password of the account used to communicate with the certificate authority. Note: Available when Username/Password is the selected authentication type. |
Cloud Link Agent | Select the client certificate you use to authenticate to SOTI Cloud Link. Note: This option applies to SOTI MobiControl Cloud customers. See Cloud Link Agent for more information. |
SCEP
Use SCEP Client | This option enables or disables SOTI MobiControl's built-in SCEP client. If enabled, the SOTI MobiControl server acts as the client when requesting certificates for devices using SCEP. If you disable this option, SOTI MobiControl assumes your device can request SCEP certificates natively (for example, iOS and Windows Modern). |
Service URL | Enter the URL received after installing the Certification Authority Web Enrollment role service. |
Use Static Challenge | Enable to use a static challenge when devices request new certificates. When you disable this option, SOTI MobiControl issues a new dynamic challenge each time a device requests a certificate. |
Challenge URL | Enter the URL received after installing the Network Device Enrollment role service. Note: Applies if you disable Use Static Challenge. |
Static Challenge | Enter the Static Challenge key here. Note: Applies if you enable Use Static Challenge. |
Thumbprint | Enter the thumbprint for your certificate. |
Username | Enter the username of the account used to communicate with the certificate authority. |
Password | Enter the password of the account used to communicate with the certificate authority. |
Retries | Enter the number of times a device attempts to obtain a certificate. |
Retry Delay | Enter the timeout delay between the retries. |
Cloud Link Agent | Select the Cloud Link Agent that enables communication between SOTI MobiControl and the target certificate authority server. Note: This option applies to SOTI MobiControl Cloud customers. See Cloud Link Agent for more information. |
Entrust
Configuration Type | Displays the configuration type: PKI. |
Service URL | Enter the URL provided by Entrust for certification services. |
Username | Enter the username used to authenticate. |
Password | Enter the password used to authenticate. |
EJBCA
Configuration Type | Displays the configuration type: Enrollment over Secure Transport (EST). See EST for more details. |
Alias | Enter the EST alias name created in EJBCA. |
Service URL | Enter the URL of the certificate authority services. |
Authentication Type | Select an authentication type to match what you provided in EJBCA when setting up your EST alias. Options are: |
Username | Enter the user name used to authenticate. |
Password | Enter the password used to authenticate. |
Authentication Credential Certificate | Select the icon to open the Add Authentication Credential Certificate dialog box. Upload a *.p12 certificate file and its password. Note: Available when Certificate or Both is the selected Authentication Type. |
Cloud Link Agent | Select the client certificate you use to authenticate to SOTI Cloud Link. Note: This option applies to SOTI MobiControl Cloud customers. See Cloud Link Agent for more information. |
Generic SCEP
Service URL | Enter the URL of the certificate authority services. |
Use Static Challenge | Turn on to use a static challenge when devices request new certificates. When you disable this option, SOTI MobiControl issues a new challenge every time a device requests a certificate. |
Static Challenge | Enter the static challenge key. You must use a static challenge when you are issuing certificates to more than one device. Note: Applies if you enable Use Static Challenge. |
Use SCEP Client | Turn on to make your certificate authority use an SCEP client. |
Thumbprint | Enter the thumbprint of the Public Key Root Certificate from the Certificate Authority (CA). |
Retries | Enter the number of attempts a device can make to get a certificate from the SCEP server. |
Retry Delay | Enter the timeout delay between retries. |
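A check for the Thumbprint fields in the SCEP and Generic SCEP sections, added here as an example and not part of SOTI's documentation or product: it computes a root certificate's thumbprint and compares it with the value you intend to enter, ignoring separators and invisible characters picked up when copying. The function names, the constructed sample bytes, and the choice of SHA-1 or SHA-256 from the length of the pasted value are assumptions; the page does not state which digest the field expects.

```python
import hashlib
import ssl
import unicodedata

# Assumption of this example: 40 hex digits means SHA-1, 64 means SHA-256.
_DIGEST_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def normalize_thumbprint(text: str) -> str:
    """Strip separators and invisible format characters; return lowercase hex."""
    kept = []
    for ch in text:
        # Category "Cf" covers U+200E, which the Windows certificate dialog
        # places in front of a thumbprint copied from its Details tab.
        if ch in ":-" or ch.isspace() or unicodedata.category(ch) == "Cf":
            continue
        kept.append(ch.lower())
    value = "".join(kept)
    if len(value) not in _DIGEST_BY_HEX_LEN or any(c not in "0123456789abcdef" for c in value):
        raise ValueError("not a SHA-1 or SHA-256 thumbprint: %r" % text)
    return value


def cert_thumbprint(cert: bytes, algorithm: str = "sha1") -> str:
    """Hash the DER encoding of a certificate supplied as PEM or DER bytes."""
    if b"-----BEGIN CERTIFICATE-----" in cert:
        cert = ssl.PEM_cert_to_DER_cert(cert.decode("ascii").strip())
    return hashlib.new(algorithm, cert).hexdigest()


def thumbprint_matches(cert: bytes, pasted: str) -> bool:
    """True when the pasted thumbprint is the digest of this certificate."""
    wanted = normalize_thumbprint(pasted)
    return cert_thumbprint(cert, _DIGEST_BY_HEX_LEN[len(wanted)]) == wanted


# Constructed stand-in for a root certificate's DER bytes (not a real
# certificate); a thumbprint is a digest of those bytes, so any byte string
# exercises the comparison.
SAMPLE_DER = bytes(range(256)) * 3
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")

if __name__ == "__main__":
    fp = cert_thumbprint(SAMPLE_PEM)
    # Simulate a value copied from a GUI: uppercase, spaced, leading U+200E.
    pasted = "\u200e" + " ".join(fp[i:i + 2] for i in range(0, 40, 2)).upper()
    print(fp, thumbprint_matches(SAMPLE_DER, pasted))
```

Run it against the exported root certificate file before saving the dialog, so a mismatch is caught as a configuration error rather than as failed device enrollments.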
ACME
Service URL | Enter the URL of the certificate authority services. |
Sectigo
Configuration type | Representational State Transfer (REST) (default). |
Service URL | Enter the URL of the certificate authority services. |
Client Id | Enter the Client ID of the account used to communicate with Sectigo Certificate Manager. |
Client Secret | Enter the Client Secret of the account used to communicate with Sectigo Certificate Manager. |