Configuring Device Manager with Microsoft Certificate Services

Dec 21, 2015

You can configure Device Manager with Microsoft Certificate Services to generate user certificates for certificate-based authentication with WIFI, VPN, and Exchange ActiveSync profiles. You can also configure Device Manager as a Registration Authority to generate requests and to issue device identity certificates with Microsoft Certificate Services.

In addition, you can configure Device Manager to use external SSL server certificates and digital signature certificates from other PKI-trusted certificate authorities.

Caution: Changing the digital signature certificate or the SSL certificate authority will disable the management of currently enrolled devices and require a re-enrollment across all devices.

Device Manager can make certificate requests to Microsoft Certificate Services through web enrollment to enable certificate-based authentication for WIFI, VPN, and Exchange ActiveSync profiles. Device Manager does this by acting as a client to Microsoft Certificate Services and requesting certificates on behalf of users with enrolled devices. This section describes how to create a Microsoft Certificate Server entity and how to configure Device Manager to request certificates for users, which enables certificate-based authentication.

Prerequisites

  • Microsoft Certificate Services running on Microsoft Windows 2008 Server R2 Standard or Enterprise Edition SP1.
  • Port 443 (default) open from Device Manager to Microsoft Certificate Services server.
  • Microsoft KB 980436 patch needs to be installed on Microsoft Certificate Services server.
  • Microsoft KB 272175 - Guidelines for configuring client certificate authentication mode for IIS 6.
  • Microsoft KB 953461 patch needs to be installed on Microsoft Certificate Services server on Windows 2008 Server Enterprise.
  • Web enrollment for Microsoft Certificate Services needs to be enabled.
  • SSL enabled on Microsoft Internet Information Services (IIS).
  • IIS configured to accept client certificate authentication.
  • The client certificate in .p12 format that is used to authenticate against Microsoft Certificate Services should be copied to the Device Manager server and made accessible.
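
The following pre-flight check for the .p12 client certificate in the last prerequisite is an added example, not part of the original documentation or of Device Manager. It assumes the openssl command-line tool is available where the file is inspected; the function name check_p12 and its return codes are made up for this example.

```shell
#!/bin/sh
# Added example: pre-flight check of the .p12 client certificate before it is
# handed to Device Manager. check_p12 and its return codes are assumptions made
# for this example; they are not Device Manager or Microsoft settings.

# Usage: check_p12 FILE PASSWORD
# Returns 0 when the bundle is usable for client certificate authentication.
check_p12() {
    p12=$1
    P12_PASS=$2; export P12_PASS   # read by openssl via env: so it is not on argv
    [ -r "$p12" ] || { echo "FAIL: $p12 is not readable"; return 1; }

    # The bundle contains a private key, so other local users must not read it.
    if [ -n "$(find "$p12" -maxdepth 0 -perm -004 2>/dev/null)" ]; then
        echo "FAIL: $p12 is world-readable"; return 2
    fi

    # A wrong password or a damaged file fails at this step.
    cert=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null) \
        || { echo "FAIL: cannot open bundle (password or format)"; return 3; }

    # Client authentication needs the private key, not only the certificate.
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY' || { echo "FAIL: no private key in bundle"; return 4; }

    # Reject a certificate that has already expired.
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "FAIL: certificate has expired"; return 5; }

    # The certificate must be acceptable for TLS client authentication.
    printf '%s\n' "$cert" | openssl x509 -noout -purpose 2>/dev/null \
        | grep -q '^SSL client : Yes' \
        || { echo "FAIL: certificate not valid for client authentication"; return 6; }

    echo "OK: $p12"
    return 0
}
```

With OpenSSL 3.x, a bundle exported with older encryption algorithms may only open when the -legacy option is added to the two pkcs12 commands.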