Afaria – Define certificate template for SCEP on Windows CA

Published by Tobias Hofmann on

2 min read

When you work with Afaria, you`ll sooner (iOS) or later (Android, WP) come in contact with certificates. To be more specific, with device (iOS) and user (all platforms) certificates. To make it as easy as possible to get those certificates available to the devices and users, an MDM solution makes use of SCEP. SCPE in the Microsoft world is called NDES, and is available with their CA. If you install everything following the official documentation, you`ll end up having

  1. A working environment (yeah)
  2. Most probably a certificate issue, as your users and devices get a certificate named IPSec (Offline request).

This default certificate is what Microsoft thinks fulfills most use cases of SCEP (sorry, NDES) and basically they are right. A device or user can use this certificate without problems for most of the scenarios. Most importantly, users can use it to authenticate themselves against services. It may be that

  • your security area does not like the name
  • the lifetime does not meet the requirement: its 2 years as given by Microsoft
  • it is missing some functionality
  • wrong algorithm or key length
  • or something else

All of the above points are valid and can invalidate the use of the default configuration. Which leaves you to the question: how to solve this?

To make Afaria get back from the CA a valid certificate based on a custom template, it only takes two steps:

  1. Create a template
  2. Assign template to NDES (SCEP)

With SCEP, Afaria is only consuming a service offered by CA. How the CA is treating the request, depends 100% on the CA. Therefore, no additional configuration is needed on the consuming service: Afaria. As a result of this, three steps are necessary to make Afaria get back a custom certificate:

  1. Create a certificate template
  2. Assign template to NDES (SCEP)
  3. Test
Let the world know

Tobias Hofmann

Doing stuff with SAP since 1998. Open, web, UX, cloud. I am not a Basis guy, but very knowledgeable about Basis stuff, as it's the foundation of everything I do (DevOps). Performance is king, and unit tests is something I actually do. Developing HTML5 apps when HTML5 wasn't around. HCP/SCP user since 2012, NetWeaver since 2002, ABAP since 1998.

0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.