The delivery of certificates is independent of issuance, although
it applies only when the certificate is newly issued (sign), not recovered
(fetch) from the PKI.
Two modes of certificate delivery are available: centralized and
distributed. Distributed mode uses the SCEP protocol and
is only available in situations where the client supports the protocol.
Distributed mode is even mandatory in some situations.
For a Credential Provider to support distributed (SCEP-assisted)
delivery, a special configuration step is necessary: Setting up Registration
Authority (RA) certificates. Those are required because when using the SCEP
protocol, XenMobile acts like a delegate (a registrar) to the actual CA, and
must prove to the client that it has the authority to act as such. That
authority is established by providing XenMobile with the aforementioned
Two distinct certificate roles are required (although one and the same
certificate can fulfill both requirements): RA signature and RA encryption. The
constraints for these roles are as follows:
- The RA signing certificate must have the X.509 key usage digital signature.
- The RA encryption certificate must have the X.509 key usage key encipherment.
To configure the Credential Provider RA certificates, you must upload
them to the Server Certificates repository and then link to them in the
A Credential Provider is considered to support distributed delivery
if, and only if, it has a certificate configured for each of the aforementioned
roles. Each Credential Provider can be configured to either prefer centralized
mode, to prefer distributed mode, or to require distributed mode. The actual
result will depend on the context: If the context does not support distributed
mode, but the Credential Provider requires it, deployment will fail. Likewise,
if the context mandates distributed mode, but the Credential Provider does not
support it, deployment will fail. In all other cases, the preferred setting
will be honored.
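The RA role constraints and the "certificate for each role" rule above can be checked before upload. The following is an added example in Go, not XenMobile code or part of the original documentation: it reads the key usage extension from parsed X.509 certificates and reports whether a candidate set can fill both RA roles. The function names and the self-signed sample certificates are constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// raRoles reports which RA roles a certificate's key usage allows:
// digitalSignature for RA signing, keyEncipherment for RA encryption.
func raRoles(c *x509.Certificate) (signing, encryption bool) {
	return c.KeyUsage&x509.KeyUsageDigitalSignature != 0,
		c.KeyUsage&x509.KeyUsageKeyEncipherment != 0
}

// coversBothRoles is true only if each role is covered by some certificate;
// one certificate carrying both key usages is enough.
func coversBothRoles(certs ...*x509.Certificate) bool {
	var sig, enc bool
	for _, c := range certs {
		s, e := raRoles(c)
		sig, enc = sig || s, enc || e
	}
	return sig && enc
}

// must panics on error; acceptable here because all inputs are constructed.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sampleCert builds a constructed self-signed certificate (not a real RA certificate).
func sampleCert(ku x509.KeyUsage) *x509.Certificate {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), KeyUsage: ku,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func main() {
	sig, enc := sampleCert(x509.KeyUsageDigitalSignature), sampleCert(x509.KeyUsageKeyEncipherment)
	fmt.Println(coversBothRoles(sig), coversBothRoles(sig, enc))
}
```

A signing-only certificate on its own leaves the encryption role unfilled, so a provider configured with it alone would not count as supporting distributed delivery.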
Table 2. SCEP Distribution Availability
|iOS Profile Service
|iOS MDM enrollment
|iOS configuration profiles
|Windows Phone enrollment
|Windows Phone configuration