If you use a SCEP server for certificate management, you can create SCEP profiles on the Cortado server. With these profiles, the users’ mobile devices can automatically request client certificates (SSL) from the SCEP server, and the certificates are then loaded onto the devices. This ensures that only devices with matching client certificates can log in to the corporate Wi-Fi or the Exchange server. You can then select the SCEP profiles in the Exchange or Wi-Fi profiles.
- First proceed as described here.
- Then select SCEP as the profile that you want to add. The following dialog will open.
Make the following settings:
- Profile name: Enter a name for the profile here.
- Display name: Enter the name of the profile, as you want it displayed to the users.
- URL: Enter the URL of the SCEP server here. Please note that for a Microsoft SCEP server the path /certsrv/mscep/mscep.dll is placed after the server address: https://servername/certsrv/mscep/mscep.dll.
- Subject: Enter the name of the certificate. Use wildcards, so the name will be inserted automatically (e.g. CN=#userprincipalname#).
- Subject alternative name type: Here you can choose between None, RFC 822 Name (for user certificates), DNS Name and Uniform Resource Identifier (for both device and server certificates).
- Subject alternative name value: If necessary, insert an alternative certificate name here. Use wildcards for this (e.g. #useremailadress#).
- NT principal name: Enter the UPN.
- SCEP server challenge: Enter the challenge password here. If you select the Autofill option, the challenge password will be read and entered here automatically.
- SCEP server challenge URL: Enter the URL from which the challenge password is to be read. Please note that for a Microsoft SCEP server the following is placed after the server address: /certsrv/mscep_admin.
- SCEP server challenge pattern: This is the search pattern (regular expression) for reading the challenge password. With SCEP servers running Windows, keep the default value.
- SCEP server fingerprint: Enter the thumbprint of the issuing certificate authority here. You’ll find this in the root certificate of your SCEP server.
- SCEP server fingerprint pattern: This is the search pattern (regular expression) for the thumbprint of the root certificate.
- Retries: Here you can set how many times the connection to the SCEP server will be retried if it fails.
- Retry delay: Here you can set the delay time in seconds between subsequent retries.
- Key size: Enter the value for the key size here.
- Use as digital signature: Enable this checkbox if you want the issued certificate to be used as a digital signature.
- Use for key encipherment: Enable this checkbox if using a certificate with a protocol that encrypts keys.
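Before entering a value in the SCEP server fingerprint field, you can check it against the CA certificate file itself. The following is an added example, not Cortado code: the function names and the sample bytes are constructed for illustration, and because this page does not state which hash the field expects, the check accepts MD5, SHA-1 and SHA-256 thumbprints by length.

```python
import base64
import hashlib
import hmac
import re

# Hex digest length -> hash algorithm a thumbprint of that length can be.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed placeholder bytes standing in for a DER-encoded CA certificate.
SAMPLE_DER = bytes(range(64))


def to_der(cert_bytes: bytes) -> bytes:
    """Return the DER encoding; a thumbprint is a hash of DER, not PEM text."""
    m = PEM_RE.search(cert_bytes)
    return base64.b64decode(m.group(1)) if m else cert_bytes


def normalize(thumbprint: str) -> str:
    """Keep hex digits only. This drops spaces, colons and the invisible
    U+200E mark that the Windows certificate dialog can prepend on copy."""
    return re.sub(r"[^0-9a-fA-F]", "", thumbprint).lower()


def matching_algorithm(cert_bytes: bytes, entered: str):
    """Return the hash name if `entered` is a thumbprint of the certificate,
    or None if it is not (wrong certificate, typo or truncated value)."""
    value = normalize(entered)
    algo = ALGO_BY_HEX_LEN.get(len(value))
    if algo is None:
        return None
    actual = hashlib.new(algo, to_der(cert_bytes)).hexdigest()
    return algo if hmac.compare_digest(actual, value) else None


if __name__ == "__main__":
    copied = "\u200e" + hashlib.sha1(SAMPLE_DER).hexdigest().upper()
    print(matching_algorithm(SAMPLE_DER, copied))
```

Pass only the thumbprint value, without a label such as "SHA1", because the letters and digits of the label would be read as hex digits.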
Now you can distribute the newly created profile to users / groups / devices.
- To do this, select the desired profile in the left-hand column of the management console and click Assign.
- Now select the users, group templates or devices to whom you want to assign this profile.
Note! You can also assign the profiles under Control Panel → Users or Group Templates.