Completing the Symantec PKI certificate template configuration

Follow these steps to complete the configuration of the Symantec PKI certificate template.


  1. From the Template Configuration window, click Already have a RA certificate.
  2. From the Import RA Certificate File field, browse for the location of the RA certificate that you downloaded from Symantec.
    After you select the RA certificate file, the configuration tool populates the values in the following fields:
    • Import RA Certificate PEM File
    • Import RA Certificate Key File
    • RA Certificate Key Password
    The Template Configuration window also provides the following information:
    Option Description
    Type Use the SCEP type for Symantec CA integration.
    Subject Name Use the subject name to configure the certificate template to pass specific attributes of the user or device to the certificate request so that the returned certificate uses these values.

    The default string for the subject name is /CN=%uname%/emailAddress=%email%.

    The template supports any of the following dynamic parameters:
    Parameter name Description
    %udid% The UDID of the device.
    %csn% The MaaS360® device ID.
    %uname% The user name of the device owner.
    %domain% The domain of the user.
    %email% The email address for the user.
    %imei% The IMEI number of the device.
    %model% The device model.
    %sim% The SIM number of the device.
    %phnumber% The phone number of the device.
    User Visibility module attributes
    • %ou% (Organizational Unit)
    • %cn% (Common Name)
    • %dc% (Domain Component)
    • %dn% (Distinguished Name)
    The template also supports the following static values:
    • CN (commonName)
    • C (countryName)
    • L (localityName)
    • ST (stateOrProvinceName)
    • O (organizationName)
    • OU (organizationUnitName)
    • G (givenName)
    • S (Surname)
    • I (Initials)
    • UID (uniqueIdentifier)
    • SN(serialNumber)
    • T (title)
    • D (description)

    The Cloud Extender® also supports User Custom Attribute variable names for the subject name of the certificate. If you define the User Custom Attribute and read its value from LDAP or set the value locally on MaaS360, you can pass this value to the certificate request.

    Subject Alternative Name Type Use this field to uniquely identify the user for authentication. This field is one of the most common fields that is used for the subject alternative name.
    Use one of the following values in this field:
    • None
    • UPN
    • UPN and Email
    • Other: Open ended configuration that supports all variables as the subject name.
    Key Type The type of key that is used to generate certificates. Default key type: RSA
    Key Size The size of the private key that is used for generated certificates. The key size must match your template on NDES. Default key size: 2048, but also supports 1024 and 4096.
    Key Usage The key usage for the generated keys. Default key usage: Digital Signature and Key Encipherment usages
    CA Signature Algorithm The default is SHA-256, but the Cloud Extender also supports other algorithms. The algorithm must match your template on NDES.
    CA Encryption Algorithm The default is 3-DES, but the Cloud Extender also supports DES and Blowfish.
    Save Generate Certificates If the user reenrolls a device, the Cloud Extender caches certificates locally and repurposes the certificates, instead of contacting the CA for a new certificate.

    Use this option to select a local storage path or a UNC network path that stores certificates.

    Certificate Storage Path The path for the certificate.

    You can use a local path standalone instance of the Cloud Extender, but you must use a network share for High Availability mode.

    Renewal Period (days) The number of days to try to renew the certificate before the certificate expires. The default value is 14 days.

    For example, if a certificate is valid for one year, 14 days before the end of that year, the Cloud Extender attempts to renew the certificate. The Cloud Extender attempts two renewals per certificate per week.

    Retry Duration (days) If a certificate request fails, the Cloud Extender retries the certificate request every 15 minutes. This setting specifies the number of days that the Cloud Extender tries to renew the certificate before it marks the renewal request as a failure.

    If you have a maintenance window of 8 hours for your CA environment, the retry automatically issues certificates when the CA is back from maintenance. Set this value to three days at the minimum.

  3. Click Save.