MDM and Separating Web Enrollment from Issuing Certificate Authority Server

  • Thursday, July 02, 2009 4:03 PM, ideepakkumar
     
    Hi,

    We have a requirement that the issuing Certificate Authority server and the Web Enrollment component be hosted on two separate servers instead of one.

    Now technically it's achievable, but with MDM we have some queries:

    1) At the time of installation of the Enrollment Server, where to point for the Device Certificate Authority and where to point for the Server Certificate Authority?

    2) How will the device renew the certificate using HTTPS?

    Any pointers will be appreciated.

    -DK


All Replies

  • Thursday, July 02, 2009 4:37 PM, Andreas Helland
     Answer
    It's no problem having the CA and the enrollment server on different servers.

    1. You choose both of these during the setup wizard for the enrollment server. At least if the enrollment server is the first role you install (which I believe I read is the recommended way). The server CA is only used by the installer though - you don't have to let SCMDM do these certificates for you. (A lot easier though of course.) As long as you provide the full FQDN and instance name for the CA this should work out-of-the-box.

    2. The devices will attempt to renew their certificates by communicating directly to the CA, and the enrollment server is not involved in this process.
  • Friday, July 03, 2009 12:02 AM, Wayne Phillips (MVP, Moderator)
     

    You might have issues using a Device Certificate Authority and a Server Certificate Authority! For Client Certificate Authentication to work you need to have the server certificates and the device certificates issued by the same CA or subordinate CA. I think the certificates need to be from the same trusted source, so you might find that they have to be the same CA.

    Cheers Wayne
    Airloom

  • Friday, July 03, 2009 2:18 AM, ideepakkumar
     

    Andreas/Wayne,

    Thanks for your inputs.

    The question remains though; let me rephrase for you:

    1) Now at the time of Enrollment Server installation we have to specify:

         Device Certificate Authority - Given the scenario where I have Web Enrollment and the ICA on separate systems, what should I mention here?
         Server Certificate Authority - In the given scenario I know that we need to specify the ICA itself, not the web enrollment server.

    2) Now if for the Device Certificate Authority we specify the ICA itself [not the web enrollment server], then how will the device renew the certificate [as Andreas mentioned, the device will hit the ICA directly, which actually makes sense], and do we have any reason to keep the web enrollment server?


    Many thanks for the help and time.

    -DK

  • Friday, July 03, 2009 3:21 AM, Wayne Phillips (MVP, Moderator)
     Answer
    ideepakkumar,

    I’m guessing ICA means Intermediate Certificate Authority.

    Andreas/Wayne,

    Thanks for your inputs.

    The question remains though; let me rephrase for you:

    1) Now at the time of Enrollment Server installation we have to specify:

    Device Certificate Authority – Enter your Intermediate Certificate Authority server.

    Server Certificate Authority – Enter your Intermediate Certificate Authority server.

    2) Now if for the Device Certificate Authority we specify the ICA itself [not the web enrollment server], then how will the device renew the certificate [as Andreas mentioned, the device will hit the ICA directly, which actually makes sense], and do we have any reason to keep the web enrollment server?

    Yes you need the web enrolment server… The enrolment server requests the initial client certificate on behalf of the user. I’m a bit hazy on the renewal process, so I’d have to agree with Andreas. The device renews the certificate with the CA directly.

    Many thanks for the help and time.

    -DK

    Cheers Wayne
    Airloom
  • Friday, July 03, 2009 6:25 AM, ideepakkumar
     

    Thanks for the quick reply Wayne.

     

    We are also not clear about the device renewal process in the given scenario, and are questioning the relevance of the Web Enrollment Server!

    Now, what I’ve done: after installing the MDM enrollment server and pointing it to the ICA at the time of installation, I fired the cmdlet


    Get-EnrollmentServicelog

     

    And looked for “RenewalInfo”, which points to the ICA, not the web enrollment server [as expected]:

    "RenewalInfo"><parm name="ServerName" value="ICA.Domain" /><parm name="Template" value="SCMDMMobileDevice (InstanceName)" /><parm name="RequestPage" value="/certsrv/certfnsh.asp" /><parm name="PickupPage" value="/certsrv/certnew.cer" /><parm name="NoSSL" value="1" datatype="boolean" />

     

    Now another question: if the device is not going to hit web enrollment, then how will the device renew the cert based on the above information? Will the device use PKCS10 for renewal?


    -DK
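As an added example (not code from this thread or from SCMDM), the following Python parses a RenewalInfo characteristic like the one pasted above, derives the request and pickup URLs a device would use from ServerName, RequestPage, PickupPage and NoSSL, and flags two settings a reviewer would want to check: NoSSL="1" (renewal over plain HTTP rather than HTTPS) and a ServerName that points at the enrollment server instead of the CA. The wrapping `<characteristic>` element and the enrollment server hostname are assumptions; the parm names and values are the thread's own.

```python
"""Review an SCMDM RenewalInfo characteristic (added example, not SCMDM code)."""
import xml.etree.ElementTree as ET

# Constructed sample: the fragment from Get-EnrollmentServicelog in the thread,
# closed into a well-formed element (the <characteristic> wrapper is assumed).
RENEWAL_INFO_XML = (
    '<characteristic type="RenewalInfo">'
    '<parm name="ServerName" value="ICA.Domain" />'
    '<parm name="Template" value="SCMDMMobileDevice (InstanceName)" />'
    '<parm name="RequestPage" value="/certsrv/certfnsh.asp" />'
    '<parm name="PickupPage" value="/certsrv/certnew.cer" />'
    '<parm name="NoSSL" value="1" datatype="boolean" />'
    '</characteristic>'
)


def parse_renewal_info(xml_text):
    """Return the RenewalInfo parms as a dict of parm name -> value."""
    root = ET.fromstring(xml_text)
    if root.get("type") != "RenewalInfo":
        raise ValueError("not a RenewalInfo characteristic")
    return {p.get("name"): p.get("value") for p in root.findall("parm")}


def renewal_urls(parms):
    """Build the (request, pickup) URLs the device would post to and fetch from.
    NoSSL="1" selects plain HTTP; any other value is treated as HTTPS."""
    scheme = "http" if parms.get("NoSSL") == "1" else "https"
    host = parms["ServerName"]
    return (f"{scheme}://{host}{parms['RequestPage']}",
            f"{scheme}://{host}{parms['PickupPage']}")


def review_renewal_info(parms, enrollment_server):
    """Defender's checks on the renewal settings; returns a list of findings.
    enrollment_server is the hostname of the web enrollment server (assumed)."""
    findings = []
    if parms.get("ServerName", "").lower() == enrollment_server.lower():
        findings.append("ServerName points at the enrollment server, not the CA")
    if parms.get("NoSSL") == "1":
        findings.append("NoSSL=1: renewal traffic is plain HTTP, not HTTPS")
    return findings


if __name__ == "__main__":
    parms = parse_renewal_info(RENEWAL_INFO_XML)
    print(renewal_urls(parms))
    for finding in review_renewal_info(parms, "enroll.domain"):
        print("FINDING:", finding)
```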

  • Friday, July 03, 2009 8:04 AM, Andreas Helland
     Answer

    The device should try to contact the ICA before the certificate expires, and obviously it will fail if the device is not able to bring up the VPN tunnel or in other ways not reach the ICA. The device does not create a file, or anything like that and will try to post directly to the HTTPS interface of the ICA. I don't know if this is in PKCS10 or some other format. So it basically works the same way as when you try renewing an SSL cert on a server, or a desktop computer.

  • Sunday, July 05, 2009 3:42 PM, ideepakkumar
     
    Okie.

    Thanks for the information Andreas :-)

    Will capture the test results to share with you experts.

    Thanks.

    -DK