I am trying to do Certificate Based Authentication. Our primary concern is with iOS, but Windows laptops will be next.
If I understand this correctly, we need to generate a client certificate and have it imported into both the iOS device and the MAG.
I am already in trouble because I can't find documentation on how to generate the certificate. I found this article:
But we are not using this for ActiveSync. The instructions have me create a profile in IPCU and then export it. But it only exports as a .mobileconfig file. How do I get the certificate?
I saw a reference to a conversation about using the same certificate for multiple devices. This seems like a security risk to me. Thoughts?
Ideally, we'd probably prefer to use self-signed certs for device access. And have a unique one for each device. Is this practical? (Thousands of mobile devices.) Would we need a well-known trusted authority to sign them instead? (Verisign for example.)
I tried to find these answers myself, but I'm lost. The admin guide has some gaps on critical steps. I can't find much info on configuring this from start to finish. Any help will be greatly appreciated.
Yes, using the same certificate on multiple devices is a security risk. This means if the certificate is compromised, you will need to revoke the certificate, which will cause you to deploy a new certificate to all devices. Also, you will have no way to identify which user is accessing the SA/MAG device, as all logins will have the same identifier.
While using a self-signed certificate does save money, it will require the admin to add each self-signed certificate to the SA/MAG to trust the certificate. This will include any revocation or renewal of certificates as well, as the certificate will change during these processes. The recommendation would be using a private CA (you can use a Microsoft Server, install the Certificate Authority snap-in and create your own CA), then issue certificates from that CA. As far as management, you can install the private CA to the Trusted Client CAs, which will allow you to trust all certificates issued from this CA and include a revocation list check.
For certificate based authentication you first need to create/set up a CA. This can be either a Microsoft CA or any other one. If you do not need direct AD authentication, you can use OpenSSL and TinyCA (GUI) to create the client certificates.
On the SA you only have to import the public part of the Root Certificate of your CA under "Trusted Client CAs" and set it as "Trusted for Client Authentication".
After you have created a client certificate, you have two ways to get it onto the iOS devices.
1) You can export the certificate as PKCS#12 and put it on an (internal) website or cloud storage from where you can download it onto the iOS device.
2) You can use the Apple Configuration Tool to create a profile, which contains the client certificate.
I would recommend this way, as you can do many more settings here than only importing certificates.
To import the client certificate, you first have to import it on the PC where you run the Apple Tool, as the Tool can only import certificates from the internal Windows Certificate Store.
After creating the profile, you can use USB to get it directly on the iOS Device or you can export it as a .mobileconfig file, if you want to import it via website or cloud storage.
Hope this helps
Thanks for the quick replies. That does help, I was a little confused, and I misspoke. Let me try again:
We have a Root CA setup at my company. What I meant by Self-Signed cert was a cert signed by my company's internal CA. So I need to import the public key from our Root CA to the MAG in order to facilitate this.
I also completely misunderstood where the IPCU came into the equation, but now I do. I am fine getting a cert down to an iOS device. My question is what is the best way to generate a cert? Should I just use a PC to generate a "client authentication" cert and have it signed by our Root CA?
I am assuming the recommendation would be to generate a unique cert for each device. Since the Root's public key is recognized by the MAG, I should only have to set up the MAG once for that to work. Correct? Do most people track the cert back to the particular user for logging?
My question is what is the best way to generate a cert? Not sure there is a best way. It depends on your CA. If you are using Microsoft Certificate Services you can set up SCEP and provision the certificates directly to the iOS devices. A Google search will show you several articles on how to do this.
Should I just use a PC to generate a "client authentication" cert and have it signed by our Root CA? Yes, the certificate purpose must be Client Authentication and be signed by your CA.
I am assuming the recommendation would be to generate a unique cert for each device. Since the Root's public key is recognized by the MAG, I should only have to set up the MAG once for that to work. Correct? Yes, that is correct.
Do most people track the cert back to the particular user for logging? Yes. Sharing a client certificate would be akin to sharing a username/password. It's never a good idea. Among other things, it allows you to revoke a user's certificate in order to remove their VPN access.
If we are talking about deploying certificates to iOS devices, you will want to look at an MDM solution like MobileIron or AirWatch. This simplifies the whole process. Here is an AirWatch document which explains the deployment scenarios (http://www.air-watch.com/downloads/brochures/AirWatch_White_Paper_-_AirWatch_Securing_Mobile_Devices...
If you are going to use an MS CA, you are talking about a manual process for the end user to enroll for the certificate, install the certificate and push the certificate to the device via iPCU or other means. Depending on how many devices you are managing, this process may not make a lot of sense unless we are talking about a small number of devices. If we are talking about a medium or large enterprise, I would suggest looking into an MDM solution, which will provide a streamlined solution to manage devices and deploy certificates.
I would strongly agree with Kita about using an MDM solution. We originally started out using a manual process, but it soon got so labour intensive we had to hire a contractor part time to process the requests while we looked at implementing the MDM solution. Even 10 users could take an hour plus to process. Remember you not only have to do it once but repeat the whole process once the certificates expire, and to do this you need to be tracking the expiry dates.
This is a relatively large enterprise. We have an MDM. Deploying the certs isn't really the issue.
Right now I am just doing a proof of concept to a few devices.
Thanks for all the help. I have a cert off to our team to sign it. Once I get that back I should be able to test to make sure I understand it fully.
Does anyone have a documented list of the fields that are required for the client authentication cert?
Our admin wants to create a profile for Client Access cert requests, and is asking for documentation for what is required.
The certificate will need to be valid for the key usage of client authentication. There are no additional requirements from the SA device.
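The OpenSSL route mentioned in the earlier answer (private CA, one unique client cert per device, PKCS#12 export) and the field requirement stated here (client authentication key usage, nothing else needed by the SA) can be demonstrated end to end. This is an added example, not code from the thread or from any vendor; the CA name, device ids, working directory and PKCS#12 passphrase are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build a private CA with OpenSSL, issue one
# unique client-authentication certificate per device, export it as PKCS#12 for
# the iOS profile, and verify that each cert chains to the CA and carries the
# "TLS Web Client Authentication" extended key usage the SA/MAG checks for.
# All names (CA subject, device ids, paths, passphrase) are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create the private CA. Only ca.crt (the public part) is imported on the
# SA/MAG under "Trusted Client CAs"; ca.key never leaves the CA machine.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/O=Example Corp/CN=Example Corp Private CA" 2>/dev/null
}

# Issue a certificate for one device. The CN identifies the device/user, so
# SA/MAG logs show who connected and a single cert can be revoked if lost.
issue_device_cert() {
    dev="$1"
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nextendedKeyUsage = clientAuth\n' \
        > "$WORK/$dev.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$dev.key" -out "$WORK/$dev.csr" \
        -subj "/O=Example Corp/OU=Mobile/CN=$dev" 2>/dev/null
    openssl x509 -req -days 365 -sha256 -CAcreateserial \
        -in "$WORK/$dev.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -extfile "$WORK/$dev.ext" -out "$WORK/$dev.crt" 2>/dev/null
    # PKCS#12 bundle (private key + cert) to embed in the device profile.
    openssl pkcs12 -export -inkey "$WORK/$dev.key" -in "$WORK/$dev.crt" \
        -out "$WORK/$dev.p12" -passout pass:changeit
}

# Pre-enrollment checks: the cert must validate against the CA for the client
# purpose, and its EKU must actually name client authentication.
verify_device_cert() {
    dev="$1"
    openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$WORK/$dev.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$WORK/$dev.crt" -noout -text | grep -q 'TLS Web Client Authentication'
}

make_ca
issue_device_cert ios-device-0001
issue_device_cert ios-device-0002
verify_device_cert ios-device-0001
echo "ios-device-0001: chains to CA and has clientAuth EKU"
```

Each device gets its own key pair and serial, so revoking one device means adding one serial to the CA's CRL rather than re-issuing every device, which is the per-device model the replies above recommend.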