Certificate Templates' Details

Configure certificate template details in SOTI MobiControl to define how dynamic certificates are issued, including subject names, key settings, usage, and renewal options.

Certificate templates are used to dynamically generate digital certificates for devices or users during enrollment or authentication. Templates define the structure, content, and behaviour of certificates issued by the configured Certificate Authority (CA). See Step Two: Create a Certificate Template and Deploying Managed (Dynamic) Certificates for details.

Important: Fields differ depending on the type of certificate for your template.
MobiControl Template Name: Enter a name for your certificate template.
CA Template Name: Enter the name of the certificate authority template.
Profile OID: Enter the certificate profile OID associated with the Certificate Authority template.
Subject Name: The subject name used to create certificates.
Select the icon to build the subject name using macros. Supported macros include:
  • Enrolled User Principal Name
  • User Domain
  • User Username
  • User email
  • Device Name
  • MAC Address
  • Serial Number
  • Platform
Warning: Do not use Automatic Certificate Management Environment (ACME) certificates for user-based authentication (using macros). Use ACME certificates for device authentication as they bind to the device, not to a specific user.
Note: Each certificate type has specific requirements for the Subject Name field as follows:
Certificate Type | Required Content
Active Directory Certificate Services (ADCS) | CN=%DEVICENAME%
Enterprise Java Beans Certificate Authority (EJBCA) | CN=%DEVICENAME%
Entrust | igusername = user, iggroup = group, devicetype = device
General SCEP (Simple Certificate Enrollment Protocol) | CN=%DEVICENAME%
Sectigo | CN=%DEVICENAME% / %SERIALNUMBER%
Subject Alternative Names: Select the icon to expand the Subject Alternative Names section. You can add subject alternative names for the certificate template. See Subject Alternative Names for more information.
Certificate Target: Choose whether to issue the certificate to a device or a user. If you choose Device, you decide whether to provision the certificate to authenticated users only and whether to preserve the private key. If you choose User, both of those options are mandatory.
Tip: Choosing User provides the best security.
Certificate Usage: Choose whether users can use the certificate for signing, encryption, or both.
Provision Certificate to Authenticated Users Only: Enable to restrict access to the certificate to authenticated users only.
Publish certificate to LDAP: Enable to publish the certificate to the user's record in Lightweight Directory Access Protocol (LDAP).
Preserve Private Key: Turn on to preserve the private key.
Key Size: Choose the size of the key:
  • 1024
  • 2048
  • 4096
  • 8192
Remove Old Certificates Upon Successful Renewal: Enable to delete expired certificates from the device after the replacement certificate is successfully installed.
Use Automatic Renewal: Enable to automatically renew certificates, with no intervention from the device user.
Days Before Automatic Renewal: Specify the interval before a certificate renews.
Note: You must enable Use Automatic Renewal to use this setting.
Key Protection: Decide the protection level of your key. Options are:
  • Protected
  • Protected if Supported
  • Not Protected
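
The field rules above (Subject Name content per certificate type, the options that are mandatory for a User target, the ACME warning, and the dependency of the renewal interval on Use Automatic Renewal) can be checked before a template is saved. The following is an added example, not SOTI code: the dictionary keys are a hypothetical representation of these fields, and the reading of the Sectigo and Entrust rows and the 2048-bit floor are assumptions of the example.

```python
import re

# Subject Name requirements per certificate type, from the table on this page.
# Assumption: the Sectigo row means "either macro"; the Entrust row means
# "all three attributes present".
REQUIRED_SUBJECT = {
    "ADCS": r"CN=%DEVICENAME%",
    "EJBCA": r"CN=%DEVICENAME%",
    "SCEP": r"CN=%DEVICENAME%",
    "Sectigo": r"CN=(%DEVICENAME%|%SERIALNUMBER%)",
}
ENTRUST_ATTRS = ("igusername", "iggroup", "devicetype")
KEY_SIZES = {1024, 2048, 4096, 8192}  # options listed on this page

# min_key_size is a policy floor assumed by this example, not a page value.
def lint_template(t, min_key_size=2048):
    """Return findings for one template dict (hypothetical schema)."""
    findings = []
    ctype, subject = t["type"], t["subject_name"]
    pattern = REQUIRED_SUBJECT.get(ctype)
    if pattern and not re.search(pattern, subject):
        findings.append(f"subject: {ctype} requires {pattern}")
    if ctype == "Entrust":
        missing = [a for a in ENTRUST_ATTRS if not re.search(rf"\b{a}\s*=", subject, re.I)]
        if missing:
            findings.append("subject: Entrust missing " + ", ".join(missing))
    if t["target"] == "User":
        if ctype == "ACME":  # page warning: ACME binds to the device
            findings.append("target: ACME must not be used for user certificates")
        for opt in ("authenticated_users_only", "preserve_private_key"):
            if not t.get(opt):  # both are mandatory for User targets
                findings.append(f"target: User requires {opt}")
    if t["key_size"] not in KEY_SIZES:
        findings.append("key_size: not an offered option")
    elif t["key_size"] < min_key_size:
        findings.append(f"key_size: {t['key_size']} is below {min_key_size}")
    if t.get("renew_days") is not None and not t.get("auto_renew"):
        findings.append("renewal: renew_days needs auto_renew enabled")
    return findings

# Constructed sample templates (not exported from MobiControl).
GOOD = {"type": "ADCS", "subject_name": "CN=%DEVICENAME%", "target": "Device",
        "key_size": 2048, "auto_renew": True, "renew_days": 30}
BAD = {"type": "Sectigo", "subject_name": "CN=kiosk", "target": "User",
       "authenticated_users_only": True, "preserve_private_key": False,
       "key_size": 1024, "auto_renew": False, "renew_days": 14}
if __name__ == "__main__":
    for name, tpl in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_template(tpl) or "ok")
```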