Do you use self-signed certificates for the Cortado server and don’t have an SCEP or NDES server in operation? In this How To you will learn how you can nonetheless use client certificates to authenticate your mobile devices to infrastructure components (e.g. a WiFi access point, an Exchange server or a VPN server), using an Exchange profile as an example.
You want to manage your users’ Exchange accounts via MDM. In the process, communication between the mobile devices and the Exchange server should also be secured by client certificates. That means the mobile devices must authenticate themselves to the Exchange server with client certificates. You can use the Cortado server to distribute the client certificates, along with an Exchange profile, to your users’ devices.
- Firstly, create a store of client certificates for your users and place them in a directory that can be accessed by the Cortado server. The certificates should be in .pfx format and all have the same password. Name the certificates according to the user UPN.
- Next, create a new certificate profile in the Cortado Management Console under Control Panel → Profiles (left arrow in illus.).
- Then select Global Profiles → Certificate (right arrow in illus.).
- Enter a Display name of your choice for your certificate profile.
- Select One certificate for each profile user (left arrow in illus.).
- Now enter the path to the folder with the .pfx files (right arrow in illus.) and the certificate password (middle arrow in illus.).
- Then create an Exchange profile (for example, for iOS) under Control Panel → Profiles.
- Under Exchange ActiveSync host, enter the address of your Exchange server (left arrow in illus.).
- Under Identity certificate, select the previously created certificate profile (right arrow in illus.).
- Then select the profile (lower arrow in illus.) and click on Assign (upper arrow in illus.) to assign it to the relevant users/groups/devices.
Now, as soon as a user checks his email, the Cortado server retrieves the matching client certificate from the specified directory and sends it to the Exchange server.
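A pre-flight check for the certificate folder from the first step, as an added example that is not part of the original How To or of Cortado's own tooling: it confirms that every .pfx opens with the one shared password, carries a private key, is within its validity period, allows client authentication and matches the UPN in its file name. Assumptions: files are named `<UPN>.pfx`, and the parameter names `StorePath`, `PfxPassword` and `WarnDays` are hypothetical.

```powershell
using namespace System.Security.Cryptography.X509Certificates

param(
    [Parameter(Mandatory)] [string]       $StorePath,    # folder entered in the certificate profile
    [Parameter(Mandatory)] [securestring] $PfxPassword,  # the one password shared by all .pfx files
    [int] $WarnDays = 30                                 # hypothetical expiry warning window
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth (TLS client authentication)
$now = Get-Date

Get-ChildItem -LiteralPath $StorePath -Filter *.pfx -File | ForEach-Object {
    $file        = $_
    $expectedUpn = $file.BaseName       # assumption: file is named <UPN>.pfx
    $problems    = @()
    $cert        = $null

    try {
        # Fails if the file is corrupt or was exported with a different password.
        $cert = [X509Certificate2]::new($file.FullName, $PfxPassword)
    } catch {
        $problems += "cannot open with shared password: $($_.Exception.Message)"
    }

    if ($cert) {
        if (-not $cert.HasPrivateKey) { $problems += 'no private key in file' }
        if ($cert.NotBefore -gt $now) { $problems += "not valid before $($cert.NotBefore)" }
        if ($cert.NotAfter -lt $now) {
            $problems += "expired $($cert.NotAfter)"
        } elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) {
            $problems += "expires within $WarnDays days"
        }

        # If an EKU extension is present it must allow client authentication.
        $eku = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
        $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($eku -and ($ekuOids -notcontains $clientAuthOid)) { $problems += 'EKU lacks Client Authentication' }

        # Compare the UPN from the certificate's SAN (if any) with the file name.
        $certUpn = $cert.GetNameInfo([X509NameType]::UpnName, $false)
        if ($certUpn -and ($certUpn -ne $expectedUpn)) { $problems += "UPN in certificate ($certUpn) differs from file name" }
        $cert.Dispose()
    }

    [pscustomobject]@{ File = $file.Name; Upn = $expectedUpn
                       Ok = ($problems.Count -eq 0); Problems = ($problems -join '; ') }
}
```

Save it as a script and pass the password with `Read-Host -AsSecureString` so it does not land in the command history; rows with `Ok = False` list what to fix before the profile is assigned.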