Certificate Integration module
The Certificate Integration module allows users to use their existing Certificate Authority (CA) and auto-provision device and user certificates to enrolled devices. Certificates are used for email, Wi-Fi, VPN, or Secure Mail authentication.
- Receives certificate requests from the IBM® MaaS360® Portal for all enrolled devices that require an identity certificate.
- Authenticates against the Certificate Authority (CA) or Registration Authority (RA) as a part of the certificate request process.
- Requests ID certificates by passing the details of the device or user and corresponding attributes as a part of the certificate request.
- Encrypts the received certificate by using the public key of the requesting device and pushes the encrypted payload to the IBM MaaS360 Portal, which is then delivered to the device.
- Supports automatic renewals of certificates and ensures that devices receive the new certificates before the current certificate expires.
Supported CA versions
- Microsoft CA installed on 2003, 2008 R2, or 2012 R2
  Requires NDES 2008+ (supports only the English version of the NDES server)
- Symantec Managed PKI
- Entrust Identity Guard and Admin Services
- Verizon MCS PKI
The Cloud Extender must be configured with a certificate template that contains information about the CA server and administrative credentials to authenticate and request device certificates. All types of devices (iOS, Android, Windows Phone, and Mac OS X) that are enrolled in MaaS360 support certificate delivery.
System requirements
- Microsoft Windows 2016 or later for the Cloud Extender installation
- .NET 3.5 or higher
- Microsoft: Network Device Enrollment Service (NDES) set up on 2008+ server (supports only the English version of the NDES server)
- Symantec: Administrative access to the Symantec PKI hosted solution
- Entrust: Administrative access to Entrust IdentityGuard Server v10.1 or v10.2, or Entrust Admin Services v8.2 SP1 or v8.3
- Verizon MCS: Administrative access to the Verizon MCS console
- High Availability (HA) requirements:
  - Windows File Share access from the High Availability Cloud Extenders for certificate caching
  - Required for Microsoft and Symantec PKI only
Scaling
The Cloud Extender for Certificate Integration can run in Active-Active High Availability (HA) mode. You must import the same certificate template from one Cloud Extender onto all other nodes that are running in HA mode. Set up additional HA Cloud Extenders for every 10,000 devices that are enrolled in the system.
Example: If 10,000 devices require certificates, install two Cloud Extenders in HA mode. For each additional 10,000 devices, install another Cloud Extender for certificates. If you have 50,000 enrolled devices that require certificates, install six Cloud Extenders for scaling and HA. The IBM MaaS360 Portal distributes certificate requests round-robin across active and connected Cloud Extenders.
Item | Requirement |
---|---|
Less than 10,000 devices | CPU: 2 cores; Memory: 4 GB |
More than 10,000 devices | Scaling: For accurate scaling of your environment, see the Cloud Extender scaling document. |
Device certificates or user certificates
From a device perspective, all certificates are treated as user certificates. The Cloud Extender issues device certificates or user certificates to devices based on the certificate template that is defined on the Cloud Extender.
Certificate | Description |
---|---|
Device |
|
User |
|