MDM and Saparating Web Enrollment from Issuing Certificate Authority Server

Thu, 02 Jul 2009 16:03:43 Z

Hi,

We have a requirement that issuing Certificate Authority server and Web Enrollment component will be hosted on two saparated server
instead of one.

Now technically its achievable but with MDM we have some queries:

1) At the time of installation of Enrollment Server where to point for Device Certificate Authority and where to point for Server Certificate Authority!

2) How Device will renew the certificate using https?

Any pointers will be appreciated.

-DK

MDM and Saparating Web Enrollment from Issuing Certificate Authority Server

Thu, 02 Jul 2009 16:37:42 Z

It's no problem having the CA and the enrollment server on different servers.

1. You choose both of these during the setup wizard for the enrollment server. At least if the enrollment server is the first role you install (which I believe I read is the recommended way). The server CA is only used by the installer though - you don't have to let SCMDM do these certificates for you. (A lot easier though of course.) As long as you provide the full FQDN and instance name for the CA this should work out-of-the-box.

2. The devices will attempt to renew their certificates by communicating directly to the CA, and the enrollment server is not involved in this process.

MDM and Saparating Web Enrollment from Issuing Certificate Authority Server

Fri, 03 Jul 2009 00:02:22 Z

You might have issues using a Device Certificate Authority and a Server Certificate Authority ! For Client Certificate Authentication to work you need to have the server certificates and the device certificates issue by the same CA or subordinate CA. I think the certificates need to be from the same trusted source so you might find that they have to be the same CA.

Cheers Wayne
Airloom

MDM and Saparating Web Enrollment from Issuing Certificate Authority Server

Fri, 03 Jul 2009 02:18:26 Z

Andreas/Wayne,

Thanks for your inputs.

The question remains though let me rephrase for you:

1) Now At the time of Enrollment Server installation we have to specify

Device Certificate Authority - Given scenario where I have Web enrollment and ICA on separate system what should I mention here?
Server Certificate Authority - Given scenario I know that we need to specify the ICA itself not the web enrollment server.

2) Now if for device Certificate authority we specify the ICA itself [Not the web enrollment Server] the how device will renew the certificate [ As Andreas mentioned device will hit ICA directly, which actually make sense] and do we have any reason keeping web enrollment server?

Many thanks for the help and time.

-DK

MDM and Saparating Web Enrollment from Issuing Certificate Authority Server

Fri, 03 Jul 2009 03:21:36 Z

ideepakkumar,

I’m guessing ICA means Intermediate Certificate Authority.

Andreas/Wayne,

Thanks for your inputs.

The question remains though let me rephrase for you:

1) Now At the time of Enrollment Server installation we have to specify

Device Certificate Authority – Enter your Intermediate Certificate Authority server.

Server Certificate Authority – Enter your Intermediate Certificate Authority server.

2) Now if for device Certificate authority we specify the ICA itself [Not the web enrollment Server] the how device will renew the certificate [ As Andreas mentioned device will hit ICA directly, which actually make sense] and do we have any reason keeping web enrollment server?

Yes you need the web enrolment server… The enrolment server requests the initial client certificate on behalf of the user. I’m a bit hazy on the renewal process, so I’d have to agree with Andreas. The devices renews the certificate with the CA directly.

Many thanks for the help and time.

-DK

Cheers Wayne
Airloom

MDM and Saparating Web Enrollment from Issuing Certificate Authority Server

Fri, 03 Jul 2009 06:25:53 Z

Thanks for the quick reply Wayne.

Even we are not clear about the device renewal process as per given scenario and questioning the relevance of Web Enrollment Server!

Now what I’ve done ; After installing MDM enrollment server and pointing to ICA at the time of installation, I fired cmdlet

Get-EnrollmentServicelog

And looked for “RenewalInfo” which points to the ICA not the web enrollment [As expected]

"RenewalInfo"><parm name="ServerName" value="ICA.Domain" /><parm name="Template" value="SCMDMMo

bileDevice (InstanceName)" /><parm name="RequestPage" valu

e="/certsrv/certfnsh.asp" /><parm name="PickupPage"

value="/certsrv/certnew.cer" /><parm name="NoSSL" va

lue="1" datatype="boolean" />

Now another question is device is not going to hit web enrollment then how device will renew the cert based on above information. Will device use PKCS10 for renewal?

-DK

MDM and Saparating Web Enrollment from Issuing Certificate Authority Server

Fri, 03 Jul 2009 08:04:44 Z

The device should try to contact the ICA before the certificate expires, and obviously it will fail if the device is not able to bring up the VPN tunnel or in other ways not reach the ICA. The device does not create a file, or anything like that and will try to post directly to the HTTPS interface of the ICA. I don't know if this is in PKCS10 or some other format. So it basically works the same way as when you try renewing an SSL cert on a server, or a desktop computer.

MDM and Saparating Web Enrollment from Issuing Certificate Authority Server

Sun, 05 Jul 2009 15:42:57 Z

Okie.

Thanks for the information Andreas :-)

Will capture the test results to share with you experts.

Thanks.

-DK