Certificate authority (CA)
Last updated November 19th, 2024
Register the Certificate Authority (CA) to use the Knox Manage certificate services. Before adding the CA, first download the CA root certificate from a SCEP-supported CA server. This enables you to issue device certificates and external certificates. You can select the type of cloud connection to use for the CA. The Cloud Connector sits between the CA server and the Knox Manage server to provide secure data transmission. For more information about the Cloud Connector, see the Cloud Connector overview.
Add a certificate authority (CA)
To add a CA, complete the following steps:
- Go to Advanced > Certificate > Certificate Authority (CA).
- On the Certificate Authority (CA) page, click Add.
- On the Add Certificate Authority page, enter the following CA information.
  - CA Name — Assign a unique name for each CA.
  - Description — Enter a description for the CA.
  - CA Type — Select a CA type. The input information varies depending on the selected CA type.

When the CA type is ADCS:
Knox Manage doesn't support the ADCS CA type in the following two cases:
- If the IP address and Web Host are configured in Site Binding.
- If the Internet Information Services (IIS) web server is configured as virtual hosting.

| Item | Description |
| --- | --- |
| Host Name | Enter the CA server host URL address. For example: http(s)://emm.emmexample.com. |
| Request Method | Select a method to send the certificate validity check request to the CA. CERTSRV: validity is checked with the CRL method when signing in to the user device. URL: validity is checked with the OCSP method when signing in to the user device. |
| CA Cert Chain URL | Enter the CA Cert Chain URL address. This field is filled in automatically based on the host name if CERTSRV is selected as the request method. |
| WSURL | Enter the registered Certificate Enrollment Web Service (CES) address that provides the web service for the CA. For more information on the ADCS CA, refer to your CA vendor's documentation. When a CA of type ADCS uses WSURL, the URL may vary depending on the authentication method used. |
| Key Algorithm | Select a key algorithm type between EC and RSA. |
| Key Length | Select a key length. The key length varies depending on the selected key algorithm type. |
| Auth Method | Select an authentication method between User account and Certificate. |
| User ID | Enter the CA user ID. |
| Password | Enter the password for the user ID. |
| Workstation | Enter the workstation information. |
| Domain | Enter the domain name that is used on Knox Manage. |
| Certificate Type | Select a certificate type. This field appears only when Certificate is selected as the authentication method. |
| Certificate KeyStore | Click Browse and select a certificate file in the CER, DER, PFX, or P12 format. This field appears only when Certificate is selected as the authentication method. |
| KeyStore Password | Enter the password for the uploaded certificate KeyStore file. This field appears only when Certificate is selected as the authentication method. |

When the CA type is Generic SCEP or NDES:
Knox Manage doesn't support the NDES CA type in the following two cases:
- If the IP address and Web Host are configured in Site Binding.
- If the Internet Information Services (IIS) web server is configured as virtual hosting.

| Item | Description |
| --- | --- |
| SCEP URL | Enter the SCEP IP or URL to send the certificate validity check request to the CA. For example, http://emm.emmexample.com/certsrv/mscep/mscep.dll. |
| Key Algorithm | Only RSA is supported when the Generic SCEP and NDES CA types are selected. |
| Key Length | Select a key length from 2048, 3072, or 4096. |
| Challenge Type | Select a challenge type to authenticate the selected CA type. Dynamic: enter the information used on the Knox Manage server for the authentication configuration. Static: enter the challenge password. No Challenge: the challenge password is not required. The Dynamic challenge type is available only when the selected CA Type is NDES. |
| User ID | Enter the CA user ID. This field appears only when Dynamic is selected as the challenge type. |
| Password | Enter the password for the user ID. This field appears only when Dynamic is selected as the challenge type. |
| Domain | Enter the domain name that is used on Knox Manage. This field appears only when Dynamic is selected as the challenge type. |
| Challenge URL | Enter the challenge URL address used on Knox Manage. This field appears only when Dynamic is selected as the challenge type. |
| Challenge Password | Enter the same password used for the authentication password. This field appears only when Static is selected as the challenge type. |
| Retry Count | Select the maximum number of retries for issuing certificates. The default value is 5; the retry count can be between 1 and 10. |
| Cloud Connector | Select the type of cloud connection to use for the CA. Secure Connection via Cloud Connector: this option requires installing the Cloud Connector. Direct Connection: this option supports the use of a CA on an authorized public network (only ports 80 and 443 can be used). |

When the CA type is CertAgent:

| Item | Description |
| --- | --- |
| RAMI URL | Enter the RAMI IP address or URL to send the certificate validity check request to the CA. For example, http://emm.emmexample.com/certagentadmin/ca/rami. |
| Key Algorithm | Select a key algorithm type between EC and RSA. |
| Key Length | Select a key length. The key length varies depending on the selected key algorithm type. |
| CA Account | Enter the CA account ID. |
| Certificate KeyStore | Click Browse and select a certificate file in the CER, DER, PFX, or P12 format. |
| KeyStore Password | Enter the password for the uploaded certificate KeyStore file. |

When the CA type is EST:

| Item | Description |
| --- | --- |
| Host Name | Enter the server host IP or domain name. |
| Port | Enter the CA server host port number. |
| CA Label | Enter the CA server label. Contact Knox Manage Technical Support for the CA label. |
| Key Algorithm | Select a key algorithm type between EC and RSA. |
| Key Length | Select a key length. The key length varies depending on the selected key algorithm type. |
| Auth Method | Select an authentication method between User account and Certificate. |
| User ID | Enter the CA user ID. |
| Password | Enter the password for the user ID. |
| Certificate KeyStore | Click Browse and select a certificate file in the CER, DER, PFX, or P12 format. This field appears only when Certificate is selected as the authentication method. |
| KeyStore Password | Enter the password for the uploaded certificate KeyStore file. This field appears only when Certificate is selected as the authentication method. |

  - Test Connection — Click to check whether the entered CA information connects to the CA server successfully. To add a CA, you must pass the connection test.
  - Managing CA — Select a CA server name from the root CA list.
- Click Save.
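A pre-flight check for the Generic SCEP / NDES form described above, added here as an illustration and not part of Knox Manage: it encodes the field rules the table lists (RSA only, the three key lengths, Dynamic only for NDES, retry range 1-10, ports 80 and 443 for Direct Connection) and builds the standard SCEP GetCACaps/GetCACert query URLs from the SCEP URL. The function names and the configuration keys are assumptions made for this example.

```python
"""Pre-flight checks for a Generic SCEP / NDES CA registration.
Hypothetical helper written for this page; not Knox Manage code."""
from urllib.parse import urlencode, urlparse

SCEP_TYPES = {"Generic SCEP", "NDES"}      # CA types covered by the SCEP/NDES table
SCEP_KEY_LENGTHS = {2048, 3072, 4096}      # only RSA key lengths offered for these types
DIRECT_PORTS = {80, 443}                   # Direct Connection restriction
DYNAMIC_FIELDS = ("user_id", "password", "domain", "challenge_url")


def validate_scep_ca(cfg: dict) -> list[str]:
    """Return the problems found in cfg (assumed keys mirror the form fields);
    an empty list means the form is consistent and ready for Test Connection."""
    problems = []
    if cfg.get("ca_type") not in SCEP_TYPES:
        return ["ca_type must be Generic SCEP or NDES"]
    if cfg.get("key_algorithm") != "RSA":
        problems.append("only RSA is supported for Generic SCEP and NDES")
    if cfg.get("key_length") not in SCEP_KEY_LENGTHS:
        problems.append("key length must be 2048, 3072 or 4096")
    challenge = cfg.get("challenge_type")
    if challenge == "Dynamic":
        if cfg["ca_type"] != "NDES":
            problems.append("Dynamic challenge is available only for NDES")
        problems += [f"Dynamic challenge requires {f}" for f in DYNAMIC_FIELDS if not cfg.get(f)]
    elif challenge == "Static" and not cfg.get("challenge_password"):
        problems.append("Static challenge requires the challenge password")
    elif challenge not in ("Dynamic", "Static", "No Challenge"):
        problems.append("challenge type must be Dynamic, Static or No Challenge")
    if not 1 <= cfg.get("retry_count", 5) <= 10:   # default 5, allowed range 1-10
        problems.append("retry count must be between 1 and 10")
    url = urlparse(cfg.get("scep_url", ""))
    if url.scheme not in ("http", "https") or not url.hostname:
        problems.append("SCEP URL must be an http(s) URL with a host")
    elif cfg.get("cloud_connector") == "Direct Connection":
        port = url.port or (443 if url.scheme == "https" else 80)  # implicit default port
        if port not in DIRECT_PORTS:
            problems.append("Direct Connection allows only ports 80 and 443")
    return problems


def scep_probe_urls(scep_url: str) -> dict:
    """Standard SCEP (RFC 8894) query URLs to fetch by hand when Test Connection fails:
    GetCACaps lists the CA's capabilities, GetCACert returns the CA/RA certificate(s)."""
    return {op: f"{scep_url}?{urlencode({'operation': op})}"
            for op in ("GetCACaps", "GetCACert")}
```

Fetching the GetCACert URL is also a convenient way to obtain the CA root certificate the page asks you to download before registering the CA.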
View a certificate authority (CA)
Navigate to Advanced > Certificate > Certificate Authority (CA) to view all the CA information on the Certificate Authority (CA) page.
To view the detailed information of a specific CA, click its name in the list.
Modify a certificate authority (CA)
To modify a CA, complete the following steps:
- Navigate to Advanced > Certificate > Certificate Authority (CA).
- On the Certificate Authority (CA) page, select the check box for the CA you want to modify, and then click Modify.
- On the Modify Certificate Authority page, modify the CA information. The information varies depending on the selected CA type. You can register a new root certificate when modifying the CA.
- Click Save.
Delete a certificate authority (CA)
To delete a CA, complete the following steps:
- Navigate to Advanced > Certificate > Certificate Authority (CA).
- On the Certificate Authority (CA) page, select the check box for the CA you want to delete, and then click Delete.
- In the Delete Certificate Authority window, click OK.
You can delete a CA only when no template is using it.