Configuring a certificate template for IDnomic/OpenTrust PKI

Follow these steps to complete the configuration of the IDnomic/OpenTrust PKI certificate template.


  1. From the Cloud Extender® Configuration Tool, go to the Certificate Templates window.
  2. Click Add New Template > Create New Template > User Certificate.
    The Template Configuration window is displayed.
  3. Provide the following information for the template:
    Option: Description
    Template Name: The name of your IDnomic/OpenTrust PKI template. The template name is displayed in the MaaS360® policies under various configuration sections that use identity certificates.
    Type: Use the IDnomic - Mobile Guard type for IDnomic/OpenTrust PKI CA integration.
    Web Service URL: The web service URL for the IDnomic/OpenTrust PKI CA. See the vendor documentation for information on how to obtain this URL.
    Authentication certificate path: The path for the authentication certificate that is used by the Cloud Extender to authenticate to the PKI server. This certificate is issued by the PKI server on the console. See the vendor documentation for information on how to obtain this certificate.
    Authentication certificate password: The password that is used to encrypt the authentication certificate (p12).
    Profile Name: The profile from the MDM service that contains the SCEP parameters (SCEP URL and challenge) that are used to issue the certificate on the device.
    Mandatory fields and Mandatory Fields Replacement: Replace %REPLACE% with supported variables in MaaS360 to include specific attributes in the certificate request.
    Revoke Certificate on Selective Wipe & Remove Device: Select whether to revoke a certificate when a device is wiped and removed.
    Renewal Period (Days): The number of days before the certificate expires at which the Cloud Extender starts trying to renew it. The default value is 14 days. For example, if a certificate is valid for one year, 14 days before the end of that year, the Cloud Extender attempts to renew the certificate. The Cloud Extender attempts two renewals per certificate per week.


  4. Click Save.
  5. Verify that the template name appears in the MaaS360 policies under the following sections:
    • MDM > Exchange ActiveSync > Identity Certificates
    • MDM > Wi-Fi > Identity Certificates
    • MDM > VPN > Identity Certificates
    • Persona > Email > Authentication Type & Identity Certificates
    • Persona > Enterprise Gateway > Authentication Type & Identity Certificate for gateway authentication
    • Persona > Enterprise Gateway > Identity Certificate for resource authentication
    When these policies are assigned to a device, the platform triggers certificate requests to the Cloud Extender and then pushes the payload to the device when the Cloud Extender receives the certificates.
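
The Authentication certificate path and Authentication certificate password fields in step 3 refer to a PKCS#12 file. The following added example (not part of the original page or of the vendors' tooling) checks such a file with the openssl CLI before its path is entered in the template. The function name, the P12_PASS variable, the return codes and the 30-day warning window are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check of the PKCS#12 file used for the
# "Authentication certificate path" / "Authentication certificate password" fields.
# Assumed conventions (not from the product): the password is read from $P12_PASS
# so it is not typed on the command line; return codes are
#   0 = usable, 1 = cannot open (wrong password / unreadable file),
#   2 = no client certificate or no private key, 3 = expires within the warning window.

check_auth_p12() {
    p12=$1
    warn_days=${2:-30}   # assumed warning window, in days

    # Extract only the client certificate; fails if the password does not match.
    cert=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null) \
        || return 1
    printf '%s\n' "$cert" | grep -q 'BEGIN CERTIFICATE' || return 2

    # Client authentication needs the private key; it is piped to grep, never stored.
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY' || return 2

    # Show the operator which identity and expiry date the file carries.
    printf '%s\n' "$cert" | openssl x509 -noout -subject -enddate

    # -checkend exits non-zero if the certificate expires within the given seconds.
    printf '%s\n' "$cert" \
        | openssl x509 -noout -checkend $((warn_days * 86400)) >/dev/null || return 3
    return 0
}

# Usage: P12_PASS=... sh check_p12.sh /path/to/auth.p12 [warn_days]
if [ "$#" -gt 0 ]; then
    check_auth_p12 "$@"
fi
```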