Certificate Authorities

Use the Certificate Authorities dialog box to configure certificate authorities and create certificate templates. SOTI MobiControl uses certificate templates to create certificates that are dynamic for each user and device.

You can configure the following certificate authority types:

ADCS

ADCS supports PKI and SCEP configuration types.

PKI

Name: Enter a name for your certificate authority.
Protocol: Choose which protocol SOTI MobiControl uses to communicate with the certificate authority. Options are:
  • HTTPS
  • DCOM
Enrollment URL: Enter the URL you received after installing the Certificate Enrollment Web Service.
Policy URL: Enter the URL you received after installing the Certificate Enrollment Policy Web Service.
Trusted Root Certificate: If the certificate authority has a self-signed certificate, upload the root certificate here.
Enrollment Certificate: Upload the enrollment agent certificate. The enrollment agent certificate is used to sign certificate requests to the ADCS server and is explicitly trusted to request certificates on behalf of other users, for example, the device owner in SOTI MobiControl.
Authentication Type: The authentication type used to communicate with the certificate authority. Options are:
  • Certificate
  • Username/Password
  • Kerberos
Authentication Credential Certificate: Upload an Authentication Credential Certificate.
Note: Available only when Certificate is the selected Authentication Type.
Username: The username of the account used to communicate with the certificate authority.
Note: Available only when Username/Password is the selected Authentication Type.
Password: The password of the account used to communicate with the certificate authority.
Note: Available only when Username/Password is the selected Authentication Type.
Cloud Link Agent: Enter the client certificate that you use to authenticate to the Cloud Link Agent.
Note: This option is applicable only to SOTI MobiControl Cloud customers.

SCEP

Note: iOS devices can request SCEP certificates natively. For other devices, SOTI MobiControl makes the request to the SCEP server on the device's behalf and then pushes the SCEP certificate to the device.
Name: Enter a name for your certificate authority.
Use SCEP Client: When enabled, your certificate authority uses a SCEP client.
Use Static Challenge: When enabled, a static challenge is used when devices request new certificates. When disabled, a dynamic challenge is used: a new challenge is issued every time a device requests a certificate.
Service URL: Enter the URL received after installing the Certification Authority Web Enrollment role service.
Challenge URL: Enter the URL received after installing the Network Device Enrollment role service.
Static Challenge: Enter the Static Challenge key here.
Note: Applicable only if Use Static Challenge is enabled.
Thumbprint: Enter the thumbprint for your certificate.
Username: The username of the account used to communicate with the certificate authority.
Password: The password of the account used to communicate with the certificate authority.
Retries: The number of times a device attempts to obtain a certificate.
Retry Delay: The timeout delay between retries (in seconds).
Cloud Link Agent: Enter the client certificate that you use to authenticate to the Cloud Link Agent.
Note: This option is applicable only to SOTI MobiControl Cloud customers.

Entrust

Name: Enter a name for your certificate authority.
Configuration Type: Displays the configuration type: PKI.
Service URL: The URL provided by Entrust for certification services.
Username: The user name used to authenticate.
Password: The password used to authenticate.

Generic SCEP

Name: Enter a name for your certificate authority.
Service URL: The URL of the certificate authority services.
Use Static Challenge: When enabled, a static challenge is used when devices request new certificates. When disabled, a dynamic challenge is used: a new challenge is issued every time a device requests a certificate.
Use SCEP Client: When enabled, your certificate authority uses a SCEP client.
Static Challenge: Enter the Static Challenge key here. A static challenge must be used if certificates are going to be issued to more than one device.
Note: Applicable only if Use Static Challenge is enabled.
Thumbprint: Enter the thumbprint for your certificate.
Retries: The number of attempts a device can make to get a certificate from the SCEP server.
Retry Delay: The timeout delay between retries (in seconds).

Symantec

Name: Enter a name for your certificate authority.
Configuration Type: Displays the configuration type: PKI.
Service URL: The URL of the Symantec certificate authority services.
Registration Authority Certificate: The registration authority (RA) certificate. To generate a new RA certificate, click Generate RA Certificate to open the Generate Symantec Certificate dialog box.