Revoking Symantec certificates

The administrator can revoke certificates that were issued by the Symantec certificate authority (CA).

Cloud Extender® supports revoking issued certificates by the Symantec CA within Device View actions. Revocation support works only with certificates that are issued with the Cloud Extender 2.92+ release modules.

How this feature works

The revocation flow between IBM® MaaS360®, the Cloud Extender, and the Symantec CA is as follows.
  1. XMPP sends a certificate request from IBM MaaS360 to the Cloud Extender.
  2. The Cloud Extender requests an X.509 certificate from the Symantec CA, and the Symantec CA returns a certificate.
  3. The Cloud Extender extracts the certificate Serial Number from the certificate and includes that value as the RevocationID in the payload for each certificate.
  4. A revocation request contains the Revocation ID of the certificate to be revoked; the Cloud Extender uses the Revocation ID as the certificate Serial Number value.
  5. The Cloud Extender uses the Symantec Managed PKI API to post an UpdateCertificateStatusRequest operation to the Symantec CA.
  6. The Symantec CA revokes the certificate that is specified in the revocation request and returns a response of either Success or Failure to the Cloud Extender.
  7. The Cloud Extender reports the status of the request back to MaaS360.
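
The step that turns a certificate into a RevocationID is where revocation-by-serial silently fails in practice: an X.509 serial is a DER INTEGER, and a serial whose top bit is set is encoded with a leading 0x00 byte that must not leak into the identifier. The following is an added example, not IBM MaaS360, Cloud Extender or Symantec code; it walks the DER prefix of a certificate (RFC 5280, section 4.1) to recover the serial and renders it as upper-case hex. The hex rendering is an assumption (the page does not state the RevocationID format), and the certificate bytes are constructed and deliberately truncated so the block runs offline.

```python
# Added example (not IBM MaaS360, Cloud Extender or Symantec code): derive
# a RevocationID from a certificate's serial number by walking the DER
# prefix of an X.509 Certificate. The hex rendering of the serial is an
# assumption; the page does not state the RevocationID format.


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER element at pos.
    Handles short and long definite lengths, which is all DER allows."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n_len = first & 0x7F
        if n_len == 0 or n_len > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n_len], "big")
        pos += n_len
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, pos, end


def certificate_serial(der: bytes) -> int:
    """serialNumber sits in Certificate -> tbsCertificate, after the
    optional [0] EXPLICIT version field (absent for v1 certificates)."""
    tag, pos, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, pos, _ = read_tlv(der, pos)          # TBSCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, start, end = read_tlv(der, pos)
    if tag == 0xA0:                           # version [0] EXPLICIT
        tag, start, end = read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    # DER INTEGER is two's complement: a serial with its top bit set carries
    # a leading 0x00 byte. Decode as signed so a malformed (negative) serial
    # is rejected instead of being silently mis-read.
    serial = int.from_bytes(der[start:end], "big", signed=True)
    if serial <= 0:
        raise ValueError("RFC 5280 requires a positive serial number")
    return serial


def revocation_id(der: bytes) -> str:
    """Upper-case hex without the DER sign-padding byte (assumed format)."""
    return format(certificate_serial(der), "X")


def safe_revocation_id(der: bytes):
    """Return the RevocationID, or None when the serial cannot be trusted,
    so a caller logs and skips rather than submitting a wrong ID."""
    try:
        return revocation_id(der)
    except (ValueError, IndexError):
        return None


# --- constructed test input (not a real certificate) --------------------

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + body


def der_integer(value: int) -> bytes:
    """DER INTEGER: minimal two's complement, so a positive value whose
    top bit is set gets exactly one leading zero byte."""
    n = (value.bit_length() + 8) // 8
    return der_tlv(0x02, value.to_bytes(n, "big", signed=True))


def constructed_certificate(serial: int, version: int = 2) -> bytes:
    """A constructed, deliberately truncated Certificate prefix holding only
    the version and serial. It is not a valid certificate; it exercises the
    parsing path only. version=0 (v1) omits the [0] field, as DER requires."""
    fields = der_integer(serial)
    if version > 0:
        fields = der_tlv(0xA0, der_integer(version)) + fields
    return der_tlv(0x30, der_tlv(0x30, fields))


if __name__ == "__main__":
    # Constructed serial with its top bit set: the DER leading 0x00 must
    # not appear in the RevocationID.
    cert = constructed_certificate(0x8A1B2C3D4E5F6A7B8C9D0E1F)
    print(revocation_id(cert))
    bad = der_tlv(0x30, der_tlv(0x30, der_tlv(0x02, b"\x8a")))  # negative serial
    print(safe_revocation_id(bad))
```

When checking a revocation that the Symantec CA reported as Failure, compare the RevocationID the Cloud Extender sent against the serial recovered this way; a mismatch in sign padding or in hex versus decimal rendering is the usual cause.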

Use case

Symantec certificates are revoked if a device becomes inactive. The IBM MaaS360 process to revoke certificates is as follows.
  1. The device moves to an inactive state.
  2. Requests are made to the Cloud Extender to revoke Symantec certificates for all affected payloads.
  3. If the user reinstalls MaaS360, new certificates are generated that trigger actions in the IBM MaaS360 Portal.
Note: The ENABLE_REVOKE_CERT customer property is deprecated for this release.

The following revocation actions are supported.

  • SELECTIVE_WIPE
  • WIPE
  • ADMIN_REMOVE_CONTROL
  • USER_REMOVE_CONTROL
  • INACTIVE_DEVICES (MDM_HIDE_DEVICE)

The following PKIExtenderTemplates payload is the XML that is sent to the IBM MaaS360 Portal when a template is saved. This template revokes on inactive device, wipe, and administrator remove control, but not on selective wipe or user remove control:
<PKIExtenderTemplates>
    <Template>
        <Id>CE2017P05k12I11E20X05T95</Id>
        <Version>1</Version>
        <Name>Symantec1</Name>
        <type>1</type>
        <certUsage>1</certUsage>
        <!-- Y = revoke the certificate on this action, N = leave it valid -->
        <revokeOnInactiveDevice>Y</revokeOnInactiveDevice>
        <revokeOnWipe>Y</revokeOnWipe>
        <revokeOnSelectiveWipe>N</revokeOnSelectiveWipe>
        <revokeOnAdmRemCtrl>Y</revokeOnAdmRemCtrl>
        <revokeOnUsrRemCtrl>N</revokeOnUsrRemCtrl>
    </Template>
</PKIExtenderTemplates>

Certificate Revocation policy settings in the Cloud Extender Configuration Tool

The Cloud Extender Configuration Tool enables certificate revocation for each configured Symantec template. The new Enable Certificate Revocation checkbox on the Symantec Template Configuration window allows the administrator to select whether certificate revocation is enabled for a specific template.

For preexisting Symantec templates that do not display the Enable Certificate Revocation checkbox, certificate revocation is disabled by default. The administrator can enable it by editing the template and selecting the Enable Certificate Revocation checkbox.

Note: For Symantec certificates, this checkbox is new. For Entrust and IDnomic (OpenTrust) certificates, the checkbox label is moved to the left and it replaces the previous setting, Revoke Certificate on Selective Wipe and Remove Device.
To enable certificate revocation, follow these steps.
  1. Select a checkbox under the Enable Certificate Revocation section.
  2. Save a certificate template, wait a few minutes, and then search for EMSAgent logs for PKIExtenderTemplates. You can also view the XML payload that is sent to the IBM MaaS360 Portal when a certificate template is saved.
  3. In the XML payload, the following five new elements, with their values, are displayed for device certificates.
  • revokeOnInactiveDevice
  • revokeOnWipe
  • revokeOnSelectiveWipe
  • revokeOnAdmRemCtrl
  • revokeOnUsrRemCtrl
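
To confirm that a saved template produces the revocation behaviour the administrator expects, it helps to evaluate the five flags above against the supported revocation actions programmatically. The following is an added example, not IBM MaaS360 or Cloud Extender code: it parses a PKIExtenderTemplates payload and decides, for a given action, which issued certificates the template allows to be revoked. Three points are assumptions rather than page facts: the action-to-flag mapping is inferred from the element names; a flag that is absent (an older template) is treated as N, the conservative reading of the note that preexisting templates have revocation disabled; and the second template Id and the RevocationIDs in the sample data are constructed placeholders.

```python
# Added example (not IBM MaaS360 or Cloud Extender code): parse the
# PKIExtenderTemplates payload and decide, for a given revocation action,
# which issued certificates a template allows to be revoked.
#
# Labelled assumptions: the action-to-flag mapping is inferred from the
# element names; an absent flag (older template) counts as "N"; any value
# other than Y/N is rejected rather than guessed at.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Revocation actions listed on the page -> governing template flag.
ACTION_FLAGS = {
    "SELECTIVE_WIPE": "revokeOnSelectiveWipe",
    "WIPE": "revokeOnWipe",
    "ADMIN_REMOVE_CONTROL": "revokeOnAdmRemCtrl",
    "USER_REMOVE_CONTROL": "revokeOnUsrRemCtrl",
    "INACTIVE_DEVICES": "revokeOnInactiveDevice",
    "MDM_HIDE_DEVICE": "revokeOnInactiveDevice",   # alias the page shows
}
FLAG_NAMES = sorted(set(ACTION_FLAGS.values()))


@dataclass
class Template:
    id: str
    name: str
    flags: dict = field(default_factory=dict)   # flag name -> bool


def parse_flag(template_el, flag_name: str) -> bool:
    """Y -> True, N -> False, absent -> False; anything else is an error."""
    el = template_el.find(flag_name)
    if el is None:
        return False
    value = (el.text or "").strip()
    if value not in ("Y", "N"):
        raise ValueError(f"{flag_name}: expected Y or N, got {value!r}")
    return value == "Y"


def parse_templates(xml_text: str) -> dict:
    """Return {template Id: Template} from a PKIExtenderTemplates document."""
    root = ET.fromstring(xml_text)
    if root.tag != "PKIExtenderTemplates":
        raise ValueError(f"unexpected root element {root.tag!r}")
    templates = {}
    for t in root.findall("Template"):
        tid = (t.findtext("Id") or "").strip()
        if not tid:
            raise ValueError("Template without an Id")
        flags = {name: parse_flag(t, name) for name in FLAG_NAMES}
        templates[tid] = Template(tid, (t.findtext("Name") or "").strip(), flags)
    return templates


def should_revoke(template: Template, action: str) -> bool:
    """True when the template's flag for this action is Y."""
    if action not in ACTION_FLAGS:
        raise ValueError(f"unsupported revocation action {action!r}")
    return template.flags[ACTION_FLAGS[action]]


def plan_revocations(templates: dict, action: str, issued) -> list:
    """issued: iterable of (template Id, RevocationID). Returns the sorted
    RevocationIDs to submit. A certificate whose template is unknown is
    skipped rather than revoked on a guess."""
    return sorted(rev_id for tid, rev_id in issued
                  if tid in templates and should_revoke(templates[tid], action))


# Constructed payload: the page's Symantec1 template plus a second,
# older-style template (placeholder Id) that carries no revocation flags.
SAMPLE_PAYLOAD = """<PKIExtenderTemplates>
    <Template>
        <Id>CE2017P05k12I11E20X05T95</Id>
        <Version>1</Version>
        <Name>Symantec1</Name>
        <type>1</type>
        <certUsage>1</certUsage>
        <revokeOnInactiveDevice>Y</revokeOnInactiveDevice>
        <revokeOnWipe>Y</revokeOnWipe>
        <revokeOnSelectiveWipe>N</revokeOnSelectiveWipe>
        <revokeOnAdmRemCtrl>Y</revokeOnAdmRemCtrl>
        <revokeOnUsrRemCtrl>N</revokeOnUsrRemCtrl>
    </Template>
    <Template>
        <Id>TEMPLATE-ID-PLACEHOLDER-2</Id>
        <Version>1</Version>
        <Name>LegacySymantec</Name>
        <type>1</type>
        <certUsage>1</certUsage>
    </Template>
</PKIExtenderTemplates>
"""

if __name__ == "__main__":
    templates = parse_templates(SAMPLE_PAYLOAD)
    issued = [("CE2017P05k12I11E20X05T95", "8A1B2C3D"),      # constructed IDs
              ("TEMPLATE-ID-PLACEHOLDER-2", "0C2D3E4F")]
    for action in ("WIPE", "SELECTIVE_WIPE", "INACTIVE_DEVICES"):
        print(action, plan_revocations(templates, action, issued))
```

Run against the payload found in the EMSAgent logs after saving a template; a certificate that survives a WIPE or INACTIVE_DEVICES action in this check is one whose template still has the flag set to N, which is the case to fix in the Cloud Extender Configuration Tool.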