Certificate authority (CA)

Register the certificate authority (CA) to use the Knox Manage certificate services. Before adding the CA, first download the CA root certificate from a SCEP-supported CA server. This also enables you to issue device certificates and external certificates. The Cloud Connector is provided between the CA server and the Knox Manage server for secure data transmission. For more information about the Cloud Connector, see the Cloud Connector overview.

Add a certificate authority (CA)

To add a CA, complete the following steps:

  1. Navigate to Advanced > Certificate > Certificate Authority (CA).

  2. On the “Certificate Authority (CA)” page, click Add.

  3. On the “Add Certificate Authority” page, enter the following CA information.

    • CA Name: Assign a unique name for each CA.

    • Description: Enter a description for the CA.

    • CA Type: Select a CA type. The input information varies depending on the selected CA type.

      When the CA type is ADCS:

      • Host Name: Enter the CA server host URL address.
        e.g. http://emm.smartemm.com/
      • Request Method: Select a method to send the certificate validity check request to the CA.
        • CERTSRV: Validity is checked with the CRL method when logging into the user device.
        • URL: Validity is checked with the OCSP method when logging into the user device.
      • CA Cert Chain URL: Enter the CA Cert Chain URL address.
        NOTE—This field is automatically entered based on the host name if CERTSRV is selected as the request method.
      • WSURL: Enter the registered Certificate Enrollment Web Service (CES) address to provide web service with the CA.
      • Key Algorithm: Select a key algorithm type between EC and RSA.
      • Key Length: Select a key length.
        NOTE—The key length varies depending on the selected key algorithm type.
      • Auth Method: Select an authentication method between User account and Certificate.
      • User ID: Enter the Knox Manage user ID.
      • Password: Enter the password for the user ID.
      • Workstation: Enter the workstation information.
      • Domain: Enter the domain name that is used on Knox Manage.
      • Certificate Type: Select a certificate type.
        NOTE—This field appears only when Certificate is selected as the authentication method.
      • Certificate KeyStore: Click Browse and select a certificate file in the CER, DER, PFX, or P12 format.
        NOTE—This field appears only when Certificate is selected as the authentication method.
      • KeyStore Password: Enter the password for the uploaded certificate KeyStore file.
        NOTE—This field appears only when Certificate is selected as the authentication method.

      When the CA type is Generic SCEP or NDES:

      • SCEP URL: Enter the SCEP IP or URL to send the certificate validity check request to the CA.
        e.g. http://emm.smartemm.com/certsrv/mscep/mscep.dll
      • Key Algorithm: Only RSA is supported when Generic SCEP and NDES CA types are selected.
      • Key Length: Select a key length from among 2048, 3072, or 4096.
      • Challenge Type: Select a challenge type to authenticate the selected CA type.
        • Dynamic: Enter the information used on the Knox Manage server for authentication configuration.
        • Static: Enter the challenge password.
        • No Challenge: If no challenge is selected, the challenge password is not required.
        NOTE—The Dynamic field is enabled only when the NDES type CA is selected.
      • User ID: Enter the Knox Manage user ID.
        NOTE—This field appears only when Dynamic is selected as the challenge type.
      • Password: Enter the password for the user ID.
        NOTE—This field appears only when Dynamic is selected as the challenge type.
      • Domain: Enter the domain name that is used on Knox Manage.
        NOTE—This field appears only when Dynamic is selected as the challenge type.
      • Challenge URL: Enter the challenge URL address used on Knox Manage.
      • Challenge Password: Enter the same password used for the authentication password.
        NOTE—This field appears only when Static is selected as the challenge type.
      • Retry Count: Select the maximum number of retries for issuing certificates.
        NOTE
        • The default value is set to 5.
        • The retry count value can be between 1 and 10 times.

      When the CA type is CertAgent:

      • RAMI URL: Enter the RAMI IP address or URL to send the certificate validity check request to the CA.
        e.g. http://emm.smartemm.com/certagentadmin/ca/rami
      • Key Algorithm: Select a key algorithm type between EC and RSA.
      • Key Length: Select a key length.
        NOTE—The key length varies depending on the selected key algorithm type.
      • CA Account: Enter the CA account ID.
      • Certificate KeyStore: Click Browse and select a certificate file in the CER, DER, PFX or P12 format.
      • KeyStore Password: Enter the password for the uploaded certificate KeyStore file.

      When the CA type is EST:

      • Host Name: Enter the CA server host URL address.
      • Port: Enter the CA server host port number.
      • Use proxy: Click the Use proxy checkbox to enable proxy use for the CA server.
      • CA Label: Enter the CA server label.
        NOTE—Contact Knox Manage Technical Support for the CA label.
      • Key Algorithm: Select a key algorithm type between EC and RSA.
      • Key Length: Select a key length.
        NOTE—The key length varies depending on the selected key algorithm type.
      • Challenge Password: Enter the password for the CA server authentication.
      • Auth Method: Select an authentication method between User account and Certificate.
      • User ID: Enter the Knox Manage user ID.
      • Password: Enter the password for the user ID.
      • Certificate KeyStore: Click Browse and select a certificate file in the CER, DER, PFX or P12 format.
        NOTE—This field appears only when Certificate is selected as the authentication method.
      • KeyStore Password: Enter the password for the uploaded certificate KeyStore file.
        NOTE—This field appears only when Certificate is selected as the authentication method.

    • Test Connection: Click to check if the entered CA information connects to the CA server successfully.

      NOTE—To add a CA, you must pass the connection test.

    • Managing CA: Select a CA server name from the root CA list.

  4. Click Save.
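
The field rules that step 3 gives for the Generic SCEP and NDES CA types can be checked before the values are entered in the console. The following is an added example, not Knox Manage code or an API of the product; the function name check_scep_ca, the dictionary keys and the sample values are assumptions made for illustration, and fields that the page says "appear" for a challenge type are assumed to be required.

```python
# Added example: key names and sample values are hypothetical, not a Knox Manage API.
RSA_KEY_LENGTHS = {2048, 3072, 4096}   # lengths the page lists for Generic SCEP / NDES
CHALLENGE_TYPES = {"Dynamic", "Static", "No Challenge"}
DEFAULT_RETRY_COUNT = 5                # default stated on the page


def check_scep_ca(cfg):
    """Return the rule violations for a Generic SCEP or NDES CA entry."""
    ca_type = cfg.get("ca_type")
    if ca_type not in ("Generic SCEP", "NDES"):
        return [f"not a Generic SCEP or NDES entry: {ca_type!r}"]
    problems = []
    if not cfg.get("scep_url"):
        problems.append("SCEP URL (IP or URL) is required")
    if cfg.get("key_algorithm") != "RSA":
        problems.append("only RSA is supported for Generic SCEP and NDES")
    if cfg.get("key_length") not in RSA_KEY_LENGTHS:
        problems.append("key length must be 2048, 3072 or 4096")

    challenge = cfg.get("challenge_type")
    if challenge not in CHALLENGE_TYPES:
        problems.append(f"unknown challenge type: {challenge!r}")
    elif challenge == "Dynamic":
        # Dynamic is enabled only for NDES; its fields are assumed required when shown.
        if ca_type != "NDES":
            problems.append("Dynamic challenge is available only for NDES")
        for field in ("user_id", "password", "domain"):
            if not cfg.get(field):
                problems.append(f"Dynamic challenge requires {field}")
    elif challenge == "Static" and not cfg.get("challenge_password"):
        problems.append("Static challenge requires a challenge password")

    retry = cfg.get("retry_count", DEFAULT_RETRY_COUNT)
    if isinstance(retry, bool) or not isinstance(retry, int) or not 1 <= retry <= 10:
        problems.append("retry count must be between 1 and 10")
    return problems


# Constructed sample entries (no real servers or credentials).
GOOD = {"ca_type": "NDES", "scep_url": "http://ca.example.test/certsrv/mscep/mscep.dll",
        "key_algorithm": "RSA", "key_length": 2048, "challenge_type": "Dynamic",
        "user_id": "svc-scep", "password": "placeholder", "domain": "example.test"}
BAD = {"ca_type": "Generic SCEP", "scep_url": "http://ca.example.test/scep",
       "key_algorithm": "EC", "key_length": 1024, "challenge_type": "Dynamic",
       "retry_count": 12}

if __name__ == "__main__":
    print("GOOD:", check_scep_ca(GOOD))
    for problem in check_scep_ca(BAD):
        print("BAD:", problem)
```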

View a certificate authority (CA)

Navigate to Advanced > Certificate > Certificate Authority (CA) to view all the CA information on the “Certificate Authority (CA)” page.

To view the detailed information of a specific CA, click the CA name of a specific CA on the list.

Modify a certificate authority (CA)

To modify a CA, complete the following steps:

  1. Navigate to Advanced > Certificate > Certificate Authority (CA).

  2. On the “Certificate Authority (CA)” page, click the checkbox for the CA you want to modify, and then click Modify.

  3. On the “Modify Certificate Authority” page, modify the CA information. The information varies depending on the selected CA type.

    NOTE—You can register a new root certificate when modifying the CA.

  4. Click Save.

Delete a certificate authority (CA)

To delete a CA, complete the following steps:

  1. Navigate to Advanced > Certificate > Certificate Authority (CA).

  2. On the “Certificate Authority (CA)” page, click the checkbox for the CA you want to delete, and then click Delete.

  3. In the “Delete Certificate Authority” window, click OK.

    NOTE—You can delete the CA only when there is no template in use.