Product Documentation

Certificate Delivery

Dec 21, 2015

An important notion is the delivery mode of certificates. The delivery is independent of the issuance, although it only applies when the issuing mode is newly issued [sign], not recovered [fetch] from the PKI).

Two modes of certificate delivery are available: centralized and distributed. Distributed mode uses the SCEP protocol and is only available in situations where the client supports the protocol, and is even mandatory in some situations.

For a Credential Provider to support distributed (SCEP-assisted) delivery, a special configuration step is necessary: setting up Registration Authority (RA) certificates. Those are required because when using the SCEP protocol, XenMobile acts like a delegate (a registrar) to the actual CA, and must prove to the client that it has the authority to act as such. That authority is established by providing XenMobile with the aforementioned certificates.

Two distinct certificate roles are required (although one and the same certificate can fulfill both): RA signature and RA encryption. The constraints for these roles are as follows:
  • The RA signing certificate must have the X.509 key usage digital signature.
  • The RA encryption certificate must have the X.509 key usage key encipherment

To configure the Credential Provider’s RA certificates, you must first upload them to the Server Certificates repository, and then link to them in the Credential Provider.

A Credential Provider is considered to support distributed delivery if, and only if, it has a certificate configured for each of the aforementioned roles. Each Credential Provider can be configured to either prefer centralized mode, to prefer distributed mode, or to require distributed mode. The actual result will depend on the context: if the context does not support distributed mode, but the Credential Provider requires it, deployment will fail. Likewise, if the context mandates distributed mode, but the Credential Provider does not support it, deployment will fail. In all other cases, the preferred setting will be honored.

Table 1. SCEP Distribution Availability
Context SCEP supported SCEP required
iOS Profile Service yes yes
iOS MDM enrollment yes no
iOS configuration profiles yes no
SHTP    enrollment no no
SHTP configuration no no
Windows Phone enrollment no no
Windows Phone configuration no no