Credential Providers

Dec 21, 2015

Credential Providers are the actual configurations you will use in the various parts of the XenMobile system. They define the sources, parameters, and life-cycles of your certificates, whether these certificates are part of device configurations or stand-alone (that is, pushed as is to the device).

Figure 1. Certificates Lifecycle

The certificates' life-cycle is constrained by the device enrollment. That is, no certificates are issued before enrollment, although some may be issued as part of enrollment, and all certificates issued within the context of one enrollment are revoked when the enrollment is revoked. No certificate remains valid after the management relationship, the enrollment, has been terminated.

One Credential Provider configuration may be used in multiple places, so that one configuration may govern any number of certificates at the same time. The uniqueness, then, lies in the deployment resource and the deployment: if the Credential Provider P is “deployed” to device D as part of the configuration C, then P's issuance settings will determine the certificate that is deployed to D, its renewal settings will apply when C is updated, and its revocation settings will apply when C is deleted or D is revoked.

With the aforementioned in mind, the Credential Provider configuration:
  • Determines the source of certificates, that is, which PKI Entity the certificates will be obtained from.
  • Determines the method by which certificates are obtained: signing a new certificate or fetching (recovering) an existing certificate and key pair.
  • Determines the parameters for the issuance or recovery (for example, CSR parameters such as key size, key algorithm, distinguished name, certificate extensions, and so on).
  • Determines the manner in which certificates are delivered to the device.
  • Determines revocation conditions. While all certificates are revoked when the management relationship is severed, the configuration may specify an earlier revocation, for instance when the associated device configuration is deleted. In addition, under some conditions the revocation of the associated certificate in XenMobile may be sent to the back-end PKI; that is, its revocation in XenMobile may cause its revocation on the PKI.
  • Determines renewal settings. Certificates obtained through a given Credential Provider may be automatically renewed when they near expiration, or, separately from that, notifications may be issued when that expiration approaches.

To what extent various configuration options are available will mainly depend on which type of PKI Entity and issuance method are selected for a Credential Provider.
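The lifecycle rules above (no issuance outside an enrollment, revocation when the enrollment is revoked, optional earlier revocation when the configuration is deleted) can be checked against a certificate inventory. The following is an added example, not XenMobile code; the record shapes, field names, and sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Hypothetical record shapes and constructed data; not a XenMobile export format or API.
@dataclass
class Enrollment:
    device: str
    enrolled_at: datetime
    revoked_at: Optional[datetime] = None

@dataclass
class Cert:
    serial: str
    provider: str
    device: str
    configuration: str
    issued_at: datetime
    revoked_at: Optional[datetime] = None

def audit(certs, enrollments, deleted_configs, revoke_on_delete):
    """Return (serial, finding) for each certificate that breaks a lifecycle rule.

    deleted_configs: set of (device, configuration) pairs that were deleted.
    revoke_on_delete: provider name -> True if it revokes when its configuration is deleted.
    """
    by_device = {e.device: e for e in enrollments}
    findings = []
    for c in certs:
        e = by_device.get(c.device)
        if e is None or c.issued_at < e.enrolled_at:
            findings.append((c.serial, "issued outside an enrollment"))
        elif c.revoked_at is not None:
            continue  # already revoked, nothing left to check
        elif e.revoked_at is not None:
            findings.append((c.serial, "unrevoked after enrollment revoked"))
        elif revoke_on_delete.get(c.provider) and (c.device, c.configuration) in deleted_configs:
            findings.append((c.serial, "unrevoked after configuration deleted"))
    return findings

def run_sample():
    t = lambda day: datetime(2024, 1, day)  # constructed timestamps
    enrollments = [Enrollment("D1", t(1)), Enrollment("D2", t(1), revoked_at=t(10))]
    certs = [
        Cert("01", "P", "D1", "C", t(1)),                     # issued as part of enrollment: fine
        Cert("02", "P", "D2", "C", t(2)),                     # enrollment revoked, cert not
        Cert("03", "P", "D2", "C2", t(2), revoked_at=t(10)),  # revoked with enrollment: fine
        Cert("04", "P", "D1", "C3", t(3)),                    # C3 deleted, P revokes on delete
        Cert("05", "Q", "D1", "C3", t(3)),                    # Q does not revoke on delete: fine
        Cert("06", "P", "D3", "C", t(3)),                     # no enrollment record for D3
    ]
    return audit(certs, enrollments, {("D1", "C3")}, {"P": True, "Q": False})
```

The check treats a certificate as live if it has no revocation timestamp; certificate expiry is not modeled.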