- Methods of Certificate Issuance
- Certificate Delivery
- Certificate Revocation
- Certificate Renewal
- To create a credential provider using discretionary CA entities
- To create a credential provider using external PKI entities
You can further opt to have a notification sent when the revocation action is undertaken; to do so, simply configure a notification template for the appropriate event type ('Certificate revoke').
In addition to these conditions, since the certificates obtained through this configuration will have come from an external source, you can opt to propagate the revocation status externally (the common case would be to propagate it to the PKI that issued the certificates, but your choice is not restricted in that matter). The propagation is achieved using a GPKI entity with the revoke capability; the interface will propose you the list of revoke-capable GPKI entities that exist in the system. If the selected entity defines user-parameters for the revoke operation, you will be prompted to enter values for them. You can use Device Manager macros for the values.
In this tab, you can configure the system to perform external certificate status checks for certificates issued through this CredentialProvider configuration. The checks are performed using the OCSP protocol and take place when a deployment is initiated. For the checks to occur, the back-end PKI must insert corresponding OCSP responder address extensions (Authority Information Access, ASN.1 OID: 1.3.6.1.5.5.7.1.1) in the certificates it issues. If that is not the case, the setting will be silently ignored.
As part of the OCSP protocol, the initiator of the OCSP request (in this case, XenMobile) must be able to validate the OCSP responder's (likely your PKI server) signing certificate. To that end, as part of the external revocation check configuration, you must specify the CA certificate of your PKI's OCSP Responder's signing certificate. The CA certificate must be uploaded to the Server Certificates repository so that you can select it in the drop-down. Its private key is not required for this purpose.
Note that OCSP Responder certificates are usually either the CA certificate itself (that is, the CA that signed the certificate whose status is queried), or a certificate signed directly by that CA. In that sense, specifying that CA certificate in this section will usually be adequate.
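The precondition above (an OCSP responder address carried in the certificate's Authority Information Access extension, otherwise the check is skipped) is easy to verify on the certificates your PKI actually issues. The following is an added example, not code from the XenMobile documentation: it hand-encodes a constructed AIA extension value in DER, parses it back, and returns the OCSP URLs it carries, returning an empty list when the PKI only included a caIssuers pointer. The OIDs are the standard ones from RFC 5280; the sample URLs are constructed.

```python
"""Encode and parse the Authority Information Access (AIA) extension value
(RFC 5280, id-pe-authorityInfoAccess) to find the OCSP responder URL.
Added example; the sample URLs below are constructed, not real responders."""

OID_AIA = "1.3.6.1.5.5.7.1.1"          # the extension's own OID
OID_AD_OCSP = "1.3.6.1.5.5.7.48.1"     # accessMethod id-ad-ocsp
OID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # accessMethod id-ad-caIssuers
TAG_SEQUENCE, TAG_OID, TAG_URI = 0x30, 0x06, 0x86  # [6] IMPLICIT IA5String


def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> DER content octets (first two arcs packed, base-128 rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append((arc & 0x7F) | 0x80)  # continuation bit on all but last
            arc >>= 7
        out.extend(reversed(chunks))
    return bytes(out)


def decode_oid(content: bytes) -> str:
    arcs, value = [], 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(x) for x in [arcs[0] // 40, arcs[0] % 40] + arcs[1:])


def der_tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER tag/length header (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + content


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after this TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def build_aia(access: list) -> bytes:
    """SEQUENCE OF AccessDescription { accessMethod OID, accessLocation [6] URI }."""
    descs = b"".join(
        der_tlv(TAG_SEQUENCE, der_tlv(TAG_OID, encode_oid(method))
                + der_tlv(TAG_URI, uri.encode("ascii")))
        for method, uri in access)
    return der_tlv(TAG_SEQUENCE, descs)


def ocsp_urls_from_aia(aia_der: bytes) -> list:
    """All id-ad-ocsp URIs in an AIA value; [] means the check cannot run."""
    tag, body, _ = read_tlv(aia_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("AIA value must be a SEQUENCE")
    urls, pos = [], 0
    while pos < len(body):
        tag, desc, pos = read_tlv(body, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("AccessDescription must be a SEQUENCE")
        mtag, method, p = read_tlv(desc, 0)
        ltag, location, _ = read_tlv(desc, p)
        if mtag == TAG_OID and ltag == TAG_URI and decode_oid(method) == OID_AD_OCSP:
            urls.append(location.decode("ascii"))
    return urls


def ocsp_urls_from_extensions(extensions: dict) -> list:
    """extensions maps extension OID -> DER value, standing in for a parsed cert."""
    aia = extensions.get(OID_AIA)
    return ocsp_urls_from_aia(aia) if aia is not None else []


# Constructed samples: one certificate with an OCSP pointer, one without.
WITH_OCSP = {OID_AIA: build_aia([(OID_AD_OCSP, "http://ocsp.example.test/"),
                                 (OID_AD_CA_ISSUERS, "http://ca.example.test/ca.crt")])}
WITHOUT_OCSP = {OID_AIA: build_aia([(OID_AD_CA_ISSUERS, "http://ca.example.test/ca.crt")])}

if __name__ == "__main__":
    print("OCSP responders:", ocsp_urls_from_extensions(WITH_OCSP))
    print("No responder, check skipped:", ocsp_urls_from_extensions(WITHOUT_OCSP) == [])
```

Against a real certificate, feed the DER value of extension 1.3.6.1.5.5.7.1.1 to `ocsp_urls_from_aia`; an empty result is the exact situation in which the external revocation check setting is silently ignored.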
You can further define what actions XenMobile should undertake in the event that the OCSP verification yields a status indicating that the certificate in question was revoked. If that is the case, you can opt to:
In addition to the action you opt for, you can choose to have a notification sent in that case, by selecting a notification template for the appropriate event type (Certificate revoked by PKI). The external revocation and the internal revocation configured in the previous tab are complementary: if the external revocation check yields a revoked status and you have opted, for instance, to revoke the entire enrollment in that case, then the settings you have specified in the Revocation XenMobile tab will apply to all other certificates present on the device. The same applies to all certificates that were part of the same configuration if you have merely chosen to remove the configuration the certificate was deployed as a part of.
To have notifications sent for either case, simply specify a Notification Template for the appropriate event type. The event type for the former is Certificate is renewed; for the latter, Certificate will expire. XenMobile will create default Notification Templates for both these event types, but you can modify them or create new ones.
It is important to note that renewal takes precedence over notification before renewal. That is, if at a given moment XenMobile determines that a certificate must be renewed, it will not also send a notification before renewal (instead, the notification on renewal, if any is configured, will be used). If you need both to be sent, configure a greater period for the notification before renewal than for the renewal itself. Notifications before renewal will only be sent at most once for a given certificate.
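The precedence rule and the at-most-once rule above are easy to get wrong when choosing the two periods. The following added example, not part of the XenMobile documentation, models them as a small decision routine: both periods are assumed to be expressed as days before expiry (an assumption of this example, not a statement of the product's settings), and a day-by-day simulation shows that a pre-renewal notice is only ever sent when its period is longer than the renewal period.

```python
"""Model of 'renewal takes precedence over notification before renewal'.
Added example; the day-count semantics are this example's assumption."""
from dataclasses import dataclass


@dataclass
class RenewalPolicy:
    renew_within_days: int   # renew when expiry is within this many days
    notify_within_days: int  # send "Certificate will expire" within this many days


@dataclass
class TrackedCertificate:
    cert_id: str
    days_to_expiry: int
    pre_renewal_notice_sent: bool = False  # enforces the at-most-once rule


def evaluate(policy: RenewalPolicy, cert: TrackedCertificate) -> list:
    """Return the actions to take for one certificate at this moment."""
    if cert.days_to_expiry <= policy.renew_within_days:
        # Renewal wins: the pre-renewal notice is suppressed, the
        # on-renewal notice is used instead.
        return ["renew", "notify:Certificate is renewed"]
    if (cert.days_to_expiry <= policy.notify_within_days
            and not cert.pre_renewal_notice_sent):
        cert.pre_renewal_notice_sent = True
        return ["notify:Certificate will expire"]
    return []


def simulate(policy: RenewalPolicy, cert_id: str, start_days: int) -> list:
    """Walk the certificate one day at a time; stop once it has been renewed.
    Returns (days_to_expiry, action) pairs in the order they would occur."""
    cert = TrackedCertificate(cert_id, start_days)
    events = []
    while cert.days_to_expiry >= 0:
        actions = evaluate(policy, cert)
        events.extend((cert.days_to_expiry, a) for a in actions)
        if "renew" in actions:
            break
        cert.days_to_expiry -= 1
    return events


def pre_renewal_notice_possible(policy: RenewalPolicy) -> bool:
    """The advice from the text: the notice period must exceed the renewal period."""
    return policy.notify_within_days > policy.renew_within_days


if __name__ == "__main__":
    # Constructed policies: one where both events fire, one where only renewal does.
    for policy in (RenewalPolicy(30, 45), RenewalPolicy(30, 30)):
        print(policy, pre_renewal_notice_possible(policy))
        for days, action in simulate(policy, "cert-example", 50):
            print(f"  {days:3d} days before expiry: {action}")
```

With `RenewalPolicy(30, 45)` the simulation emits one "will expire" notice at 45 days and then the renewal at 30 days; with `RenewalPolicy(30, 30)` the notice is never sent because renewal is already due on the same day.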