Certificate Integration module

The Certificate Integration module lets you use your existing Certificate Authority (CA) to auto-provision device and user certificates to enrolled devices. These certificates are used for email, Wi-Fi, VPN, or Secure Mail authentication.

The Cloud Extender® interacts with the CA and pushes the issued certificates down to enrolled devices as follows:
  1. Receives certificate requests from the IBM® MaaS360® Portal for all enrolled devices that require an identity certificate.
  2. Authenticates against the Certificate Authority (CA) or Registration Authority (RA) as part of the certificate request process.
  3. Requests ID certificates, passing the details of the device or user and the corresponding attributes as part of the certificate request.
  4. Encrypts the received certificate with the public key of the requesting device and pushes the encrypted payload to the IBM MaaS360 Portal, which delivers it to the device. Because the payload is encrypted to the device's public key, only that device can decrypt it; the portal only relays it.
  5. Renews certificates automatically, so that devices receive a new certificate before the current one expires.
Figure 1. Certificate Authority integration
Note: For Windows 10+ tablets, the Cloud Extender password-protects the certificate, encrypts that password with the public key of the requesting device, and pushes the encrypted payload to the IBM MaaS360 Portal. When the MaaS360 platform receives the password-protected certificate (as part of the policy), it uses the Windows 10+ MDM API to push the encrypted payload to the tablet.

Supported CA versions

The Cloud Extender integrates with the following certificate authorities:
  • Microsoft CA installed on Windows Server 2003, 2008 R2, or 2012 R2
    Requires NDES on Windows Server 2008 or later (only the English version of the NDES server is supported)
  • Symantec Managed PKI
  • Entrust Identity Guard and Admin Services
  • Verizon MCS PKI

The Cloud Extender must be configured with a certificate template that contains the CA server details and the administrative credentials that are used to authenticate to the CA and request device certificates. All device types that are enrolled in MaaS360 (iOS, Android, Windows Phone, and Mac OS X) support certificate delivery.

System requirements

Before you begin the installation, make sure that your environment meets the following minimum requirements:
  • Microsoft Windows Server 2016 or later for the Cloud Extender installation
  • .NET 3.5 or higher
  • Microsoft: Network Device Enrollment Service (NDES) set up on Windows Server 2008 or later (only the English version of the NDES server is supported)
  • Symantec: Administrative access to the Symantec PKI hosted solution
  • Entrust: Administrative access to Entrust IdentityGuard Server v10.1 or v10.2, or Entrust Admin Services v8.2 SP1 or v8.3
  • Verizon MCS: Administrative access to the Verizon MCS console
  • High Availability (HA) requirements (Microsoft and Symantec PKI only):
    • Windows File Share access from all High Availability Cloud Extenders, used for certificate caching

Scaling

The Cloud Extender for Certificate Integration can run in Active-Active High Availability (HA) mode. You must import the same certificate template from one Cloud Extender onto all other nodes that run in HA mode. Set up one additional HA Cloud Extender for every 10,000 devices that are enrolled in the system.

Example: If 10,000 devices require certificates, install two Cloud Extenders in HA mode. For every additional 10,000 devices, install another Cloud Extender for certificates. If you have 50,000 enrolled devices that require certificates, install six Cloud Extenders for scaling and HA. The IBM MaaS360 Portal round-robins certificate requests between the active and connected Cloud Extenders.

Table 1. Scaling requirements for the Certificate Authority Integration module
Item                       Requirement
Fewer than 10,000 devices  CPU: 2 cores; Memory: 4 GB
More than 10,000 devices   Scaling:
                             • Supports installation on multiple instances of the Cloud Extender with High Availability (HA).
                             • Install on a dedicated Cloud Extender, or enable on a Cloud Extender that also runs the User Visibility or User Authentication services.

For accurate scaling of your environment, see the Cloud Extender scaling document at Setup > Services > Enterprise Integration.

Device certificates or user certificates

From a device perspective, all certificates are treated as user certificates. The Cloud Extender issues device certificates or user certificates to devices based on the certificate template that is defined on the Cloud Extender.

Note: For an environment that uses multiple Cloud Extenders, all certificate templates must reside on every Cloud Extender that uses PKI certificates.
The following table lists the differences between device certificates and user certificates:
Certificate  Description
Device
  • The Cloud Extender generates a certificate based on the template requirements and pushes that certificate to the device.
  • The Cloud Extender uses certificate templates to pass user attributes as part of the Subject Name / Subject Alternative Name, which links the certificate to the user; the result is used as a device certificate.
  • Devices treat all certificates as user certificates.
  • The most commonly used certificate template type; supported by Microsoft, Symantec, Entrust, and Verizon MCS.
  • Mostly used for authentication.
User
  • Requires that the certificate already exists in Active Directory for the user.
  • Requires additional setup of key recovery so that the private key for the certificate can be extracted.
  • The Cloud Extender can only look up a certificate that exists. It cannot generate a missing certificate.
  • Supported only by Microsoft CA.
  • Mostly used for S/MIME, to deliver signing and encryption certificates.
    Related information: Multiple S/MIME certificate support in Active Directory
  • For user certificates that are used for authentication, choose the device certificate template and provide the user attributes to pass to the CA for certificate generation.
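The following is an added example that models the flow described at the top of this page (steps 3 and 4, plus the Windows 10+ note) together with the device certificate template described in the table above. It is not MaaS360 or Cloud Extender code. An in-memory toy CA stands in for the customer's CA/RA; the `%attr%` placeholder syntax, the attribute names, the "Example Toy CA" name, and the choice of RSA-OAEP plus a PKCS#12 password are assumptions of this example. It needs the `cryptography` package.

```python
# Added example, not MaaS360 or Cloud Extender code: an in-memory model of the
# flow above. Template placeholders, attribute names, the OAEP/PKCS#12 choices
# and "Example Toy CA" are assumptions of this example. Needs `cryptography`.
import re
import secrets
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives.serialization import pkcs12

UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")  # Microsoft UPN otherName
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
RDN_OIDS = {"CN": NameOID.COMMON_NAME, "OU": NameOID.ORGANIZATIONAL_UNIT_NAME,
            "O": NameOID.ORGANIZATION_NAME}
# Constructed "device certificate" template: user attributes go into Subject and SAN.
TEMPLATE = {"subject": "CN=%username%,OU=%department%,O=Example Corp",
            "upn": "%upn%", "email": "%email%", "validity_days": 365}
USER_ATTRS = {"username": "jdoe", "department": "Finance",
              "upn": "jdoe@example.com", "email": "jdoe@example.com"}


def render(value, attrs):
    """Fill %attr% placeholders; an unknown placeholder is an error, not a cert name."""
    out = re.sub(r"%(\w+)%", lambda m: attrs.get(m.group(1), m.group(0)), value)
    if re.search(r"%\w+%", out):
        raise ValueError(f"unresolved attribute in template value: {out!r}")
    return out

def new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def _sign(subject, issuer, pub, signer, days, extensions):
    now = dt.datetime.now(dt.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(pub).serial_number(x509.random_serial_number())
         .not_valid_before(now - dt.timedelta(minutes=5))
         .not_valid_after(now + dt.timedelta(days=days)))
    for ext, critical in extensions:
        b = b.add_extension(ext, critical)
    return b.sign(signer, hashes.SHA256())

def make_ca():
    """Toy stand-in for the customer's CA/RA that step 2 authenticates against."""
    key = new_key()
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Toy CA")])
    return key, _sign(name, name, key.public_key(), key, 3650,
                      [(x509.BasicConstraints(ca=True, path_length=None), True)])

def issue_identity_cert(ca_key, ca_cert, template, attrs):
    """Step 3: request an ID certificate that carries the user's attributes."""
    parts = (p.partition("=") for p in render(template["subject"], attrs).split(","))
    subject = x509.Name([x509.NameAttribute(RDN_OIDS[k.strip()], v.strip()) for k, _, v in parts])
    upn = render(template["upn"], attrs).encode()
    assert len(upn) < 128, "short-form DER length only"
    san = x509.SubjectAlternativeName([
        x509.OtherName(UPN_OID, b"\x0c" + bytes([len(upn)]) + upn),  # DER UTF8String
        x509.RFC822Name(render(template["email"], attrs))])
    key = new_key()
    cert = _sign(subject, ca_cert.subject, key.public_key(), ca_key, template["validity_days"],
                 [(x509.BasicConstraints(ca=False, path_length=None), True),
                  (x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), False),
                  (san, False)])
    return key, cert

def package_for_device(key, cert, ca_cert, device_pub):
    """Step 4 / Windows 10+ note: password-protect the PKCS#12 and encrypt the
    password to the requesting device's public key; the portal relays an opaque blob."""
    password = secrets.token_urlsafe(24).encode()  # fresh per request, never reused
    pfx = pkcs12.serialize_key_and_certificates(
        b"identity", key, cert, [ca_cert], serialization.BestAvailableEncryption(password))
    return {"pfx": pfx, "wrapped_password": device_pub.encrypt(password, OAEP)}

def device_install(envelope, device_key, trusted_ca):
    """Device side: unwrap the password, open the PFX, and check the certificate
    chains to the expected CA before trusting it (raises on any mismatch)."""
    password = device_key.decrypt(envelope["wrapped_password"], OAEP)
    key, cert, _chain = pkcs12.load_key_and_certificates(envelope["pfx"], password)
    trusted_ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
    return key, cert

def run_flow(template=TEMPLATE, attrs=USER_ATTRS):
    """End to end; returns what the device sees plus the pieces needed to check it."""
    ca_key, ca_cert = make_ca()
    device_key = new_key()  # stands in for the key the device enrolled with
    key, cert = issue_identity_cert(ca_key, ca_cert, template, attrs)
    envelope = package_for_device(key, cert, ca_cert, device_key.public_key())
    _, installed = device_install(envelope, device_key, ca_cert)
    san = installed.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return {"cn": installed.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
            "upn": san.get_values_for_type(x509.OtherName)[0].value[2:].decode(),
            "email": san.get_values_for_type(x509.RFC822Name)[0],
            "envelope": envelope, "ca": ca_cert}

if __name__ == "__main__":
    print({k: v for k, v in run_flow().items() if k in ("cn", "upn", "email")})
```

Two points the code makes that the prose only implies: a template placeholder that no user attribute resolves is rejected instead of being issued as a literal name, and a device other than the one whose public key wrapped the password cannot open the PKCS#12, which is what makes it safe for the portal to hold the payload in transit.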