Connecting to an NDES/SCEP server

Expand all | Collapse all

You can configure a connection to an NDES/SCEP server to obtain a certificate from a certificate authority (CA) using Simple Certificate Enrollment Protocol (SCEP). To do this, you need to set up a connection to the CA using SCEP and specify a certificate profile.

To add a connection to a certificate authority and specify a certificate profile:

1. In the console tree, in the Managed devices folder, select the administration group to which the Android devices belong.
2. In the workspace of the group, select the Policies tab.
3. Open the policy properties window by double-clicking any column.

   Complete the following steps within 15 minutes. Otherwise, you may face an error when saving changes to the policy.

4. In the policy Properties window, select the Device owner mode > NDES and SCEP section.
5. In the Connection to certificate authority (CA) section, click Add.

   The Connection to certificate authority dialog appears.

6. Specify the following settings, and then click OK:
   • Connection name

     A unique connection name.

   • Protocol type

     A protocol version. Possible values:

     • SCEP
     • NDES (default)
   • SCEP server URL

     The URL of the SCEP server.

     For NDES, the URL has the http://<ServerName>/certsrv/mscep/mscep.dll format.

   • Challenge phrase type

     A type of challenge phrase required for authentication. Possible values:

     • None - Does not require authentication data.
     • Static - Requires entering an authentication phrase in the Static challenge phrase field. This is the default value.
   • Static challenge phrase

     Specifies the authentication phrase that is used to authenticate the device with the certificate with the SCEP server URL.

7. In the Certificate profiles section, click Add.

   The Certificate profile dialog appears.

8. Specify the following certificate profile settings and click OK:
   • Profile name

     A unique certificate profile name.

   • Certificate authority (CA)

     A certificate authority that you created in the Connection to certificate authority (CA) section.

   • Subject name

     A unique identifier that is the subject of the certificate. It includes information about what is being certified, including common name, organization, organizational unit, country code, and so on. You can either enter the value or select it from the Available macros drop-down list.

   • Private key length

     A length of the certificate private key. Possible values:

     • 1024
     • 2048 (default)
     • 4096
   • Private key type

     A type of the certificate private key. Possible values:

     • Signature (default)
     • Encryption
     • Signature and encryption
   • Renew certificate automatically

     If the check box is selected, the certificate will be automatically reissued to the device before this certificate expires. The Renew certificate before it expires (in days) field also becomes available. In this field, you need to specify the number of days before the expiration date when the certificate will be reissued.

     If the check box is cleared, the certificate will not be renewed automatically.

     The check box is cleared by default.

   • Renew certificate before it expires (in days)

     The number of days remaining until the certificate's expiration date during which a renewed certificate will be issued to the device. For example, you can specify 90 days in this field. A renewed certificate will be issued 90 days before the current certificate expires.

     This option is available and is required to be specified if the Renew certificate automatically check box is selected.

     The default value is not set.

   • Subject Alternative Names (SAN)

     An alternative name that represents the certificate subject name. You can specify multiple subject alternative names. To do this, click Add, and then specify the SAN type and SAN value options.

9. Click Apply to save the changes you have made.

Manage connections and certificate profiles

You can later edit or remove the added connections and certificate profile.

To edit a connection or certificate profile:

1. Select the needed connection or certificate profile in the corresponding section.
2. Click Edit, make the required changes, and click OK.
3. Click Apply to save the changes you have made.

After you edit the certificate profile in policy settings, the corresponding certificate on the device is deleted automatically during the next synchronization with Administration server and a new certificate is installed.

To remove a connection or certificate profile:

1. Select the needed connection or certificate profile in the corresponding section.
2. Click Delete, and then click OK.

   If you remove a certificate authority connection, all certificate profiles that use this connection are also removed.

3. Click Apply to save the changes you have made.

After you delete the certificate profile in policy settings, the corresponding certificate on the device will be deleted automatically during the next synchronization with Administration server.