Apr 15, 2011 10:31:36 AM
Using CSS’ Certificate Management System (CMS) to help manage certificates for iPads and iPhones

Part 2 of Apple’s iOS Devices and Certificate Lifecycle Planning blog.

CSS created the Certificate Management System (CMS), referred to throughout this blog by its former name, the Certificate Reporting Tool (CRT), a few years ago to help organizations get a better handle on certificate expiration. Below are two different architectures that use CMS to handle certificate issuance and renewal for iOS devices.

Option 1: Enrollment station

This solution assumes a requirement for manually inspecting the security settings of a device before allowing it to interact with corporate data.

Figure 1 – Manual Inspection and Issuance


The general flow would go as follows:

  1. A designated enterprise security person inspects the configuration of the mobile device for compliance with policy (e.g. passcode, encryption, and/or wipe capability), and obtains a SCEP one-time-password “challenge” from the SCEP server.
  2. Using the iPhone Configuration Utility (iPCU), the security person builds an iOS configuration profile containing the user’s information and the SCEP challenge, and installs it on the user’s device.
  3. As directed by the new profile, the user’s iPad or iPhone contacts the enterprise SCEP server, and requests and installs the new certificate.
  4. The certificate can then be used to authenticate enterprise wireless, VPN, or ActiveSync connections as needed. CSS’ Certificate Reporting Tool (CRT) continually monitors the CAs in the enterprise PKI, looking for certificates that are approaching expiration.
  5. In a year or two, when the user’s certificate nears expiration, an email is sent to the user (and/or the security person), letting them know that they will need to repeat steps 1 through 3.


Option 2: Leveraging the CRT iOS Add-On

CSS has created an add-on component to the Certificate Reporting Tool that uses customized plug-ins to streamline the certificate enrollment and renewal effort.

Figure 2 – CSS’ CRT iOS Solution

The general usage flows as follows:

  1. A designated enterprise security person uses the CRT iOS Enrollment Software to select an individual, or group of individuals, for enrollment.
  2. The Enrollment Software contacts the SCEP server to obtain the one-time SCEP enrollment challenge, and uses the iPCU scripting functionality to automatically create an iOS profile with the proper information. Relevant user information, such as the Common Name and Subject Alternative Name, is pulled from Active Directory and included in the configuration. Because the challenge is what authorizes the SCEP server to issue the certificate, the finished profile has to be handled as a secret until the device has used it.
  3. This profile is delivered to the CRT iOS web application server, and an email is sent to the user to tell them that the system is ready to enroll their device.
  4. The user visits the SSL-protected CRT iOS website using the Safari browser on their device, authenticates with their Active Directory credentials, and installs the waiting profile.
  5. As directed by the profile, the user’s device creates an RSA key pair, contacts the enterprise SCEP server, and then requests and installs its certificate using the one-time challenge.
  6. The certificate can then be used to authenticate enterprise wireless, VPN, or ActiveSync connections as needed. CSS’ Certificate Reporting Tool (CRT) continually monitors the CAs in the enterprise PKI, looking for certificates that are approaching expiration.
  7. In a year or two, when the user’s certificate nears expiration, CRT automatically calls back into the CRT iOS Enrollment Software, and steps 2 through 5 are repeated without the need for administrative intervention.
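The profile that step 2 of Option 1 builds by hand in iPCU, and that step 2 of Option 2 scripts, is an XML property list with a SCEP payload inside a Configuration payload. The following Python is an added example, not CSS’ code or Apple’s, showing what that profile contains when generated from directory attributes and a challenge. The user record, the SCEP URL, the CA name, the organization and the challenge value are all constructed for the example; the payload key names are those of Apple’s configuration profile SCEP payload. The read-back function at the end shows why the page’s delivery path (an SSL-protected site, after Active Directory authentication) matters: the one-time challenge sits in the profile in clear text.

```python
import plistlib
import uuid

# Constructed sample of the attributes the enrollment software would pull
# from Active Directory for one user (values are made up for this example).
SAMPLE_AD_USER = {
    "cn": "Jane Doe",
    "sAMAccountName": "jdoe",
    "mail": "jdoe@example.com",
    "userPrincipalName": "jdoe@corp.example.com",
}

# Hypothetical SCEP endpoint; a real deployment points at its own SCEP server.
SCEP_URL = "https://scep.example.com/certsrv/mscep/mscep.dll"


def build_scep_payload(user, scep_url, challenge, org="Example Corp", keysize=2048):
    """Build the SCEP payload (PayloadType com.apple.security.scep) for one user.

    The key names are those of Apple's configuration profile SCEP payload.
    'Challenge' carries the one-time password obtained from the SCEP server;
    it is stored in the profile in clear text, so the finished profile has to
    be treated as a secret until the device has consumed it.
    """
    if not challenge:
        raise ValueError("a SCEP challenge is required for enrollment")
    return {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.scep." + user["sAMAccountName"],
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate device certificate",
        "PayloadContent": {
            "URL": scep_url,
            "Name": "Corp Issuing CA",  # CA identifier string passed to the SCEP server (assumed)
            # Subject is a list of RDNs, each a list of [type, value] pairs:
            # /O=Example Corp/CN=Jane Doe
            "Subject": [[["O", org]], [["CN", user["cn"]]]],
            # SANs taken from the directory: the e-mail address and the Windows
            # UPN, which wireless, VPN and ActiveSync authentication key on
            "SubjectAltName": {
                "rfc822Name": user["mail"],
                "ntPrincipalName": user["userPrincipalName"],
            },
            "Challenge": challenge,
            "Keysize": keysize,
            "Key Type": "RSA",
            "Key Usage": 5,  # bitmask: 1 = digital signature + 4 = key encipherment
        },
    }


def build_profile(user, scep_url, challenge):
    """Wrap the SCEP payload in a top-level Configuration profile and serialise
    it as the XML plist that a .mobileconfig file contains."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.enroll." + user["sAMAccountName"],
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Device enrollment for " + user["cn"],
        "PayloadDescription": "Requests a device certificate from the enterprise SCEP server",
        "PayloadContent": [build_scep_payload(user, scep_url, challenge)],
    }
    return plistlib.dumps(profile)


def scep_settings(profile_bytes):
    """Read the SCEP settings back out of a serialised profile.

    Used both to verify the generated profile and to show that the one-time
    challenge is recoverable by anyone who gets hold of the file."""
    profile = plistlib.loads(profile_bytes)
    scep = [p for p in profile["PayloadContent"] if p["PayloadType"] == "com.apple.security.scep"]
    content = scep[0]["PayloadContent"]
    cn = [v for rdn in content["Subject"] for t, v in rdn if t == "CN"][0]
    return {
        "url": content["URL"],
        "challenge": content["Challenge"],
        "cn": cn,
        "upn": content["SubjectAltName"]["ntPrincipalName"],
        "keysize": content["Keysize"],
    }


if __name__ == "__main__":
    # The challenge value here is constructed; a real one comes from the SCEP
    # server's one-time-password page and is good for a single enrollment.
    blob = build_profile(SAMPLE_AD_USER, SCEP_URL, "8F2A9C4E1B7D3F60")
    print(blob.decode())
    print(scep_settings(blob))
```

The script writes one profile per challenge; because the SCEP server consumes the challenge on first use, a profile cannot be reused for a second device, and the renewal in step 7 has to start again from a fresh challenge rather than re-serving the old file.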