Configuring a certificate template on the Cloud Extender
Follow these steps to configure the certificate template on the Cloud Extender®.
Procedure
- Open the Cloud Extender Configuration Tool and select the Certificate Integration module. If this is your first template, you will be prompted to create a new template. If you are adding an additional template, select Add New Template.
- Enter Certificate Authority Server details.
  - Template Name: The name of your template. The template name is displayed in the MaaS360® policies under various configuration sections that use identity certificates.
  - Hostname of SCEP server: The host name of your NDES server.
  - SCEP Server challenge type: NDES requires a challenge password to authenticate certificate requests before the service issues an identity certificate. Use a static password each time or a dynamic challenge password that the Cloud Extender parses from the MSCEP Admin page. Use one of the following values in this field:
    - Dynamic: The default value for Basic mode.
    - Static: Used for Verizon MCS integration.
  - Challenge Username: The credentials of the Device Administrator for SCEP transactions.
  - Challenge Password: The credentials of the Device Administrator for SCEP transactions.
- Enter the certificate properties.
  - Subject Name: Use the subject name to configure the certificate template to pass specific attributes of the user or device to the certificate request so that the returned certificate uses these values. The default string for the subject name is /CN=%uname%/emailAddress=%email%.
    The template supports any of the following dynamic parameters:
    - %udid%: The UDID of the device.
    - %csn%: The MaaS360 device ID.
    - %uname%: The user name of the device owner.
    - %domain%: The domain of the user.
    - %email%: The email address for the user.
    - %imei%: The IMEI number of the device.
    - %model%: The device model.
    - %sim%: The SIM number of the device.
    - %phnumber%: The phone number of the device.
    - User Visibility module attributes:
      - %ou% (Organizational Unit)
      - %cn% (Common Name)
      - %dc% (Domain Component)
      - %dn% (Distinguished Name)
    The template also supports the following static values:
    - CN (commonName)
    - C (countryName)
    - L (localityName)
    - ST (stateOrProvinceName)
    - O (organizationName)
    - OU (organizationUnitName)
    - G (givenName)
    - S (Surname)
    - I (Initials)
    - UID (uniqueIdentifier)
    - SN (serialNumber)
    - T (title)
    - D (description)
    The Cloud Extender also supports User Custom Attribute variable names for the subject name of the certificate. If you define the User Custom Attribute and read its value from LDAP or set the value locally on MaaS360, you can pass this value to the certificate request.
  - Subject Alternate Name: Use this field to uniquely identify the user for authentication. This field is one of the most common fields that is used for the subject alternative name. Use one of the following values in this field:
    - None
    - UPN
    - UPN and Email
    - Other: Open ended configuration that supports all variables as the subject name.
  - Cache certs on Cloud Extender: If the user reenrolls a device, the Cloud Extender caches certificates locally and repurposes the certificates, instead of contacting the CA for a new certificate. Use this option to select a local storage path or a UNC network path that stores certificates.
  - Location of Certificate Cache: The local storage path or a UNC network path that stores certificates.
- Test your configuration. If your test is successful you will see the following prompt:
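
As a pre-check for the Subject Name string entered in the certificate properties step, the following added example (not IBM code) validates a subject string against the dynamic parameters and static values listed on this page and previews the result with constructed sample values. It assumes the /KEY=value layout of the default string and case-sensitive names; the function names and the treatment of custom attributes as %name% tokens are assumptions.

```python
import re

# Dynamic parameters and static attribute keys listed on this page.
DYNAMIC = {"udid", "csn", "uname", "domain", "email", "imei", "model",
           "sim", "phnumber", "ou", "cn", "dc", "dn"}
STATIC_KEYS = {"CN", "C", "L", "ST", "O", "OU", "G", "S", "I", "UID",
               "SN", "T", "D"}
# emailAddress is not in the static list but appears in the default string.
EXTRA_KEYS = {"emailAddress"}

TOKEN = re.compile(r"%([A-Za-z0-9_]+)%")


def lint_subject(template, custom_attrs=()):
    """Return a list of problems found in a /KEY=value/... subject string.

    custom_attrs: names of User Custom Attributes, assumed here to be
    written as %name% like the built-in parameters.
    """
    problems = []
    if not template.startswith("/"):
        problems.append("template must start with '/'")
    for part in template.strip("/").split("/"):
        key, sep, value = part.partition("=")
        if not sep or not value:
            problems.append(f"component {part!r} is not KEY=value")
            continue
        if key not in STATIC_KEYS | EXTRA_KEYS:
            problems.append(f"unknown attribute key {key!r}")
        for name in TOKEN.findall(value):
            if name not in DYNAMIC and name not in custom_attrs:
                problems.append(f"unknown parameter %{name}%")
        # Any '%' left after removing well-formed tokens is a typo.
        if "%" in TOKEN.sub("", value):
            problems.append(f"unbalanced '%' in {part!r}")
    return problems


def preview(template, values):
    """Expand %name% tokens with sample values to preview the subject."""
    return TOKEN.sub(lambda m: values[m.group(1)], template)


if __name__ == "__main__":
    default = "/CN=%uname%/emailAddress=%email%"
    print(lint_subject(default))
    # Constructed sample values, not real directory data.
    print(preview(default, {"uname": "jdoe", "email": "jdoe@example.com"}))
```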