IBM MaaS360

Streamlining Security and Compliance with Trusted Certificate Management

By Navya Kedlaya posted Thu January 30, 2025 01:10 AM

  

Authors: Navya Kedlaya (@Navya Kedlaya) and Hemanth Raju (hemantharaju.n@ibm.com)

Introduction

Digital certificates are essential for verifying identity and securing connections between network devices. They serve as an electronic method of authentication, facilitated by a trusted third party. This process helps organizations ensure that only authorized users and devices can access their networks, confirming the identity of both the device and its owner.

Although certificates can be freely distributed, protecting associated identities is critical. Identities are commonly used for authentication, digital signing, or encryption.

The certificate and identity formats supported by Apple devices include:

  • Certificate: .cer, .crt, .der, .pem

  • Identity: .pfx, .p12

Certificates can be manually deployed to Apple devices using Mobile Device Management (MDM) solutions. Apple provides certificate payloads for distribution, while platforms like IBM’s MaaS360 offer a seamless approach to managing trust certificates by issuing, distributing and revoking them as needed, ensuring secure communication and authentication across devices enrolled in MDM solutions. 

Trusted certificates are handled as secure data and managed directly on the device through MDM. Full certificate trust is guaranteed when certificates are installed using supported MDM solutions.

What is a PKCS certificate?

A PKCS certificate is a digital certificate that adheres to one of the standards defined by the Public Key Cryptography Standards (PKCS). These standards were developed by RSA Security in collaboration with other industry leaders to promote secure communication using public key infrastructure (PKI). Each PKCS standard defines specific practices or formats for handling cryptographic operations, including certificates. Such certificates:

  • Enable secure communication by authenticating identities and encrypting data.

  • Facilitate tasks such as digital signatures, SSL/TLS encryption, and secure email (S/MIME).

  • Are commonly used in enterprise environments to authenticate users, devices, or applications.

In summary, a PKCS certificate aligns with these widely adopted standards to ensure secure and interoperable cryptographic processes.

Common PKCS Standards Related to Certificates and supported by MDM:

1. PKCS1 - PKCS#1 is not a certificate format but a standard for the RSA cryptographic algorithm, its padding schemes, and the encoding of RSA keys. Certificates using RSA often incorporate PKCS#1-encoded keys within their structure.

2. PKCS12 - A PKCS#12 (.pfx) file is a bundle that includes both the private key and the X.509 certificate, ready for installation on servers such as IIS, Apache Tomcat, or Exchange. Generating a Certificate Signing Request (CSR) is often a challenging task for customers looking to secure their servers. With PKCS#12, this step is simplified: the Certificate Authority (CA) securely generates the CSR on behalf of the customer during the certificate application process, so the customer does not need to create it.

Requirement

To associate services with a specific identity, configure a certificate payload and then set up the desired service, such as Wi-Fi, within the same configuration profile. For example, a certificate payload can be used to provision an identity for the device, while a Wi-Fi payload in the same profile can be configured for WPA2 Enterprise/EAP-TLS authentication using the device certificate created by the certificate payload.
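As an added example of the profile structure just described (this is illustrative code, not MaaS360's own output or part of the original post), the following POSIX shell script generates an Apple configuration profile (.mobileconfig) containing a PKCS#12 identity payload and a WPA2 Enterprise Wi-Fi payload that uses EAP-TLS and points at that identity through its PayloadCertificateUUID. It then checks that the reference resolves. The SSID, payload identifiers, UUIDs, file names and password are constructed for the demo; it assumes the openssl and base64 command-line tools are on PATH, and it omits server trust anchors (PayloadCertificateAnchorUUID) that a production profile would also carry.

```shell
#!/bin/sh
# Added example (not from the post or from MaaS360): generate an Apple configuration
# profile that carries a PKCS#12 identity payload and a WPA2-Enterprise Wi-Fi payload
# using EAP-TLS, where the Wi-Fi payload refers to the identity via PayloadCertificateUUID.
# Assumes openssl and base64 on PATH; SSID, identifiers, UUIDs and password are constructed.
set -u

# Escape the characters that would break the plist when interpolated into a text node.
xml_escape() { printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'; }

# Produce a UUID with whatever the host offers; the fixed fallback is a demo placeholder.
new_uuid() {
    uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid 2>/dev/null ||
        echo "00000000-0000-4000-8000-000000000000"
}

# Write the profile to stdout.
#   $1 SSID  $2 .p12 path  $3 .p12 password  $4 UUID of the PKCS#12 payload  $5 UUID of the Wi-Fi payload
build_eap_tls_profile() {
    ssid=$(xml_escape "$1"); p12=$2; pw=$(xml_escape "$3"); cert_uuid=$4; wifi_uuid=$5
    p12_b64=$(base64 < "$p12" | tr -d '\n')   # <data> holds the raw .p12 bytes, base64-encoded
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.demo.corp-wifi</string>
  <key>PayloadUUID</key><string>$(new_uuid)</string>
  <key>PayloadDisplayName</key><string>Corporate Wi-Fi with device identity</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.pkcs12</string>
      <key>PayloadUUID</key><string>$cert_uuid</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.demo.identity</string>
      <key>PayloadDisplayName</key><string>Device identity</string>
      <key>PayloadCertificateFileName</key><string>device.p12</string>
      <key>Password</key><string>$pw</string>
      <key>PayloadContent</key><data>$p12_b64</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadUUID</key><string>$wifi_uuid</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.demo.wifi</string>
      <key>PayloadDisplayName</key><string>Corporate Wi-Fi (EAP-TLS)</string>
      <key>SSID_STR</key><string>$ssid</string>
      <key>AutoJoin</key><true/>
      <key>EncryptionType</key><string>WPA2</string>
      <key>PayloadCertificateUUID</key><string>$cert_uuid</string>
      <key>EAPClientConfiguration</key>
      <dict>
        <key>AcceptEAPTypes</key><array><integer>13</integer></array>
      </dict>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Extract the identity UUID the Wi-Fi payload refers to (whitespace is stripped first so
# the key/value pair is matched on one line regardless of how the file is formatted).
wifi_identity_uuid() {
    tr -d ' \t\n' < "$1" |
        sed -n 's/.*<key>PayloadCertificateUUID<\/key><string>\([^<]*\)<\/string>.*/\1/p'
}

# Succeed only if that reference resolves to a com.apple.security.pkcs12 payload in the
# same profile; relies on PayloadUUID directly following PayloadType, as emitted above.
profile_references_identity() {
    uuid=$(wifi_identity_uuid "$1")
    [ -n "$uuid" ] || return 1
    tr -d ' \t\n' < "$1" |
        grep -q "<string>com.apple.security.pkcs12</string><key>PayloadUUID</key><string>$uuid</string>"
}

# Demo: build a throwaway identity with openssl, then generate and check the profile.
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-device.example" \
    -keyout "$demo_dir/device.key" -out "$demo_dir/device.crt" >/dev/null 2>&1
openssl pkcs12 -export -in "$demo_dir/device.crt" -inkey "$demo_dir/device.key" \
    -out "$demo_dir/device.p12" -passout pass:Secret-1 >/dev/null 2>&1
build_eap_tls_profile "CorpWiFi" "$demo_dir/device.p12" "Secret-1" "$(new_uuid)" "$(new_uuid)" \
    > "$demo_dir/corp-wifi.mobileconfig"
profile_references_identity "$demo_dir/corp-wifi.mobileconfig" &&
    echo "Wi-Fi payload references identity payload $(wifi_identity_uuid "$demo_dir/corp-wifi.mobileconfig")"
rm -rf "$demo_dir"
```

The point of the cross-reference check is the one the paragraph makes: the Wi-Fi payload does not carry the identity itself, it names the certificate payload in the same profile, so a profile in which that UUID does not resolve will install the network but never authenticate with EAP-TLS.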

Certificates in formats such as .der, .crt, .cer, .pem, .pfx, and .p12 can be added to the certificate payload and distributed via MDM.

Certificate Renewal: MaaS360 handles the lifecycle of identity certificates, including their renewal when necessary. The lifecycle of user-uploaded trusted certificates, by contrast, remains the user's responsibility.

How MaaS360 distributes certificates using the MDM policy certificate payload

Types of certificates that can be configured include:

1. Trust or CA Certificates - PKCS1 (.der, .crt, .cer, .pem), PKCS12 (.pfx, .p12)

2. Identity Certificates - Certificates generated for devices and users by the Certificate Authority (CA).

Ways to distribute trusted certificates 

  • Policy Files Section – Upload and configure PKCS1 and PKCS12 certificates.

You can upload PKCS1 and PKCS12 certificate files as trusted certificates in the Policy Files section and then configure them through the certificate payload of an iOS policy. This policy can be applied to any device that requires the trusted certificates for a service.

Navigate to Security > Policies > More options (on the right side) > Policy Files > Upload Content.

PKCS1:

PKCS12:

Note: PKCS12 files need a valid certificate password to be uploaded.

Fields:

Content Name (max. 100 chars.) (Required): Any unique file name, used for reference.

Type (Required): Must be ‘Certificate’.

Content (Required): Browse and choose a file of type PKCS1 (*.crt, *.cer, *.pem, *.der) or PKCS12 (*.p12, *.pfx).

After upload, the certificate details are visible on the Policy Files dashboard.
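As an added example (this is illustrative code, not part of the post or of MaaS360), here is a POSIX shell script using the openssl command-line tool that builds a PKCS#12 identity from a certificate and private key, as described in the PKCS standards section above, and then runs the checks an administrator would want before uploading it as a policy file: that the bundle opens with the intended password (a wrong password is what the upload step rejects), that the certificate has not expired, and which identity it actually carries. The directory, file names, subject and password are constructed for the demo, and the self-signed certificate stands in for one issued by the enterprise CA.

```shell
#!/bin/sh
# Added example (not from the post or from MaaS360): build a PKCS#12 identity with the
# openssl CLI and pre-check it the way the policy-file upload does. Assumes openssl is on
# PATH; the directory, file names, subject and password below are constructed for the demo.
set -u

# Create a self-signed certificate and private key in PEM (one of the PKCS1-type file
# formats the post lists) in directory $1. A real device identity comes from the CA.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1/device.key" -out "$1/device.crt" \
        -subj "/CN=demo-device.example" >/dev/null 2>&1
}

# Bundle certificate and private key from $1 into a PKCS#12 (.p12/.pfx) file
# protected with password $2.
make_identity() {
    openssl pkcs12 -export -in "$1/device.crt" -inkey "$1/device.key" \
        -out "$1/device.p12" -passout "pass:$2" >/dev/null 2>&1
}

# Succeeds only if $2 is the password for PKCS#12 file $1: openssl verifies the bundle's
# integrity MAC with it, which is exactly the check a wrong password fails.
check_p12_password() {
    openssl pkcs12 -in "$1" -noout -passin "pass:$2" >/dev/null 2>&1
}

# Succeeds if PEM certificate $1 is still valid $2 days from now; worth running before
# (re)uploading, since the lifecycle of trusted certificates is left to the user.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Print the subject of the certificate inside PKCS#12 file $1, unlocked with password $2,
# in RFC 2253 form so the output is stable across openssl versions.
p12_subject() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null |
        openssl x509 -noout -subject -nameopt RFC2253
}

# Demo run in a scratch directory.
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir"
make_identity "$demo_dir" "Secret-1"
check_p12_password "$demo_dir/device.p12" "Secret-1" && echo "correct password: bundle opens"
check_p12_password "$demo_dir/device.p12" "wrong" || echo "wrong password: bundle rejected"
cert_valid_for_days "$demo_dir/device.crt" 30 && echo "certificate valid for at least 30 more days"
echo "identity: $(p12_subject "$demo_dir/device.p12" "Secret-1")"
rm -rf "$demo_dir"
```

The expiry check is the one that matters operationally: a trusted certificate that is still accepted at upload time but expires shortly afterwards has to be re-uploaded and the referencing policy republished, so checking the remaining validity period before upload avoids a second round of policy changes.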

  • Certificate Payload in Policy – Upload and configure PKCS1 and PKCS12 certificates.

Certificates can also be uploaded through the certificate payload section of a policy. Once uploaded, they appear under the Policy Files section.

Navigate to Configure Settings > Advanced Settings > Certificates in an existing policy, where PKCS1 and PKCS12 files can be uploaded.

Enable the ‘Configure Trust or Credentials Certificates on the Device’ option and upload certificates under ‘Trust or CA Certificates’.

Certificate Name (Required): Any unique name for the certificate.

Certificate (Required): Click the ‘+’ icon and upload a PKCS1 or PKCS12 file.

Note: PKCS12 files need a valid certificate password to be uploaded.

Customers can also choose any previously uploaded trusted certificate from the dropdown while configuring the certificate payload.

  • Certificate Upload from Wi-Fi Payload – Upload and configure PKCS certificates through the Wi-Fi payload.

Trusted certificates can also be uploaded from the Wi-Fi payload section, so that they are configured and delivered for Wi-Fi services.

Navigate to Configure Settings > Device Settings > Wi-Fi Enterprise payload in the policy. Click the ‘+’ icon next to the ‘Trusted certificates’ field and upload PKCS certificates while configuring any enterprise Wi-Fi type.

Customers can also choose any previously uploaded trusted certificate from the dropdown while configuring the enterprise Wi-Fi payload.

Note: Before selecting certificates here, customers need to add them under the "Certificate Credentials" section.

  • Edit and Delete Certificates from policy files section:

Customers can navigate to the Policy Files section and edit the uploaded certificates: an expired certificate can be re-uploaded, or replaced with a different PKCS file, including changing from PKCS1 to PKCS12 and vice versa.

Audit of certificate edits

Note: If a certificate that is currently referenced in any policy payload is edited, the policy returns to the “Needs to publish” state and must be published again.

A certificate can be deleted through the delete option under Policy Files. This option is unavailable while the certificate is referenced in any policy payload.

  • Error handling

Situations such as an invalid PKCS12 password or a duplicate certificate upload are detected and handled, so the policy files remain consistent.

Benefits

  • Compliance – Helps organizations adhere to regulatory and data protection requirements.

  • Better User Experience – Eliminates the need for users to manually enter their username and password.

  • Centralized Certificate Management – Facilitates managing certificates from a single point of control.

  • Shared Certificates – Enables the use of a single certificate across multiple services.

  • Improved Security – Secures access to corporate resources, including VPNs and Wi-Fi networks.

  • Encrypted Communication – Ensures secure, encrypted data transfer between devices and corporate resources, such as VPN and Wi-Fi networks.

Conclusion

With centralized certificate management and improved security over secure communication channels, organizations can ensure that devices connect and authenticate to corporate resources effortlessly. MaaS360 simplifies the certificate delivery process, allowing organizations to save time and resources while boosting overall security. Managing certificates has never been easier, providing organizations with enhanced user experience, stronger security, and seamless compliance.

If you're seeking a simpler, streamlined user experience with improved security and seamless compliance, MaaS360 is the go-to solution!
