Integration with Public Key Infrastructure (hereinafter referred to as PKI) is primarily intended for simplifying the issuance of domain user certificates by Administration Server.
The administrator can assign a domain certificate for a user in Administration Console. This can be done using one of the following methods:
Assign the user a special (customized) certificate from a file in the Certificate installation wizard.
Perform integration with PKI and assign PKI to act as the source of certificates for a specific type of certificate or for all types of certificates.
The settings of integration with PKI are available in the workspace of the Mobile Device Management / Certificates folder by clicking the Integrate with public key infrastructure link.
General principle of integration with PKI for issuance of domain user certificates
In Administration Console, click the Integrate with public key infrastructure link in the workspace of the Mobile Device Management / Certificates folder to specify a domain account that will be used by Administration Server to issue domain user certificates through the domain's CA (hereinafter referred to as the account under which integration with PKI is performed).
Please note the following:
The settings of integration with PKI let you specify the default template for all types of certificates. The rules for issuance of certificates (available in the workspace of the Mobile Device Management / Certificates folder by clicking the Configure certificate issuance rules button) let you specify an individual template for each type of certificate.
A special Enrollment Agent (EA) certificate must be installed on the device with Administration Server, in the certificates repository of the account under which integration with PKI is performed. The Enrollment Agent (EA) certificate is issued by the administrator of the domain's CA (Certificate Authority).
The account under which integration with PKI is performed must meet the following criteria:
It is a domain user.
It is a local administrator of the device with Administration Server from which integration with PKI is initiated.
It has the right to Log On As Service.
Log on at least once under this account on the device with Administration Server installed, so that a permanent user profile is created.
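
The account criteria and the Enrollment Agent certificate requirement above can be checked before integration is configured. The following PowerShell script is an added example, not part of the product or its documentation. It assumes that it is run in an elevated session while logged on as the account under which integration with PKI is performed, that the certificates repository in question is that account's personal store (Cert:\CurrentUser\My), and that the EA certificate carries the Certificate Request Agent extended key usage (OID 1.3.6.1.4.1.311.20.2.1).

```powershell
# Added example, not product code. Run elevated, logged on as the PKI integration account.
$id     = [Security.Principal.WindowsIdentity]::GetCurrent()
$sids   = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
$checks = [ordered]@{}

# Criterion: the account is a domain user (not a local account on this device).
$partOfDomain = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
$checks['Domain user'] = $partOfDomain -and ($env:USERDOMAIN -ne $env:COMPUTERNAME)

# Criterion: local administrator of the device with Administration Server.
$principal = [Security.Principal.WindowsPrincipal]::new($id)
$checks['Local administrator'] =
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Criterion: Log On As Service (SeServiceLogonRight), read from a security policy export.
$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight\s*=' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue
$granted = @()
if ($line) {
    foreach ($entry in (($line.Line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) { $granted += $entry.TrimStart('*'); continue }
        try {   # secedit writes some principals by name; resolve those to SIDs
            $granted += ([Security.Principal.NTAccount]$entry).Translate(
                [Security.Principal.SecurityIdentifier]).Value
        } catch { Write-Warning "Could not resolve '$entry' to a SID" }
    }
}
# The right may be granted to the account directly or to a group in its token.
$checks['Log On As Service'] = [bool]($sids | Where-Object { $granted -contains $_ })

# EA certificate: present in the personal store (assumed), usable key, not expired.
$eaOid = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent EKU
$ea = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $eaOid)
}
$checks['Enrollment Agent certificate'] = [bool]$ea

$checks.GetEnumerator() | ForEach-Object {
    '{0,-30} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```

Because an Enrollment Agent certificate allows requesting certificates on behalf of other users, a result of OK for that line is also a reminder to keep this account and its profile tightly controlled.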