Allocation of certificates for different scenarios
Since we are very often asked by customers how to distribute certificates across different devices and operating systems, I would like to take this opportunity to explain this briefly.
When it comes to an internal Microsoft environment, where all servers and clients are members of the domain, it can be easily controlled and managed by group policies.
A challenge arises when we have to distribute a certificate to a device outside our environment, or to an internal device that cannot request a certificate on its own.
There are several options for the different scenarios, which are more or less complex and each have advantages and disadvantages, such as:
- Manual distribution
- Script
- SCEP
- MDM SCEP
Manual certificate distribution
The manual distribution of certificates is sometimes unavoidable, but it should only be used as a last resort. Here the request and the private key are generated locally, either on the device itself or on another device, and the certificate is issued on the CA (certification authority). Care has to be taken regarding the format in which the certificate is to be delivered, whether the private and public keys are to be kept in separate files, and how the private key is protected.
Certificate distribution using script
Scripted certificate distribution is a semi-automatic solution and can work well when the devices are identical. However, since the script has to be executed manually, since we have to authenticate (at least on the device), and since a private key has to be protected, the question of how secure this method is arises. In addition, it can become quite complex if there are different kinds of devices (e.g. printers, switches, routers, firewalls, thin clients, etc.) in the environment.
Certificate distribution via SCEP (Simple Certificate Enrollment Protocol)
Certificate distribution via SCEP makes it much easier to request and issue certificates on internal networks. This means that the device itself retrieves the required certificate (which is only possible if the device or operating system supports this protocol).
Although the name of this solution contains the word "simple", there are some limitations to consider:
- Not all certificate classes can be distributed
- The use of a one-time password
- Need for trusted administrators
MDM (Mobile Device Management) and SCEP
An MDM (as the name suggests) is intended for mobile devices. An MDM allows a trusted certificate profile to be deployed to the devices, which makes the root CA certificate trusted on those devices. The devices and users can then request the required certificates via SCEP from the internal PKI (Public Key Infrastructure).
Since every certificate has a validity period, how can this be checked for certificates that were created manually or by script? It can be monitored locally on the root CA, locally on the device, or centrally by a monitoring solution, and a warning can be issued shortly before the certificate expires.
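The manual procedure described above (request and private key generated on the device, certificate issued by the CA, attention to delivery format and key protection) together with the expiry check just mentioned, as an added shell example that is not part of the original post. It uses openssl only. The stand-in CA that signs the request, the device name `printer01.example.internal`, the PKCS#12 transport passphrase and the 30-day validity are constructed assumptions; in a real deployment the CSR is submitted to the actual CA and the signing step is replaced by the certificate it returns.

```shell
#!/bin/sh
# Added example (not from the original post): manual certificate request with
# key protection, followed by the expiry check a monitoring job would run.
# Constructed assumptions: a stand-in CA replaces the real one; device name,
# PKCS#12 passphrase and 30-day validity are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
cd "$WORKDIR"

DEVICE_CN="printer01.example.internal"    # constructed device name
P12_PASS="change-me-transport-passphrase" # constructed, protects the bundle in transit

# 1. Private key generated on the device and never copied elsewhere; umask 077
#    makes the key file readable by the requesting account only.
make_device_key() {
    ( umask 077; openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null )
}

# 2. CSR with SAN and key usage; the same extension section is reused at signing time.
make_csr() {
    key=$1; csr=$2; cn=$3
    cat > req.cnf <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
[ dn ]
[ v3_req ]
subjectAltName = DNS:$cn
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -new -key "$key" -out "$csr" -subj "/CN=$cn" -config req.cnf 2>/dev/null
}

# 3. Stand-in for the internal CA (constructed). A real deployment hands the CSR
#    to the actual CA and receives the signed certificate back.
issue_with_standin_ca() {
    csr=$1; crt=$2; days=$3
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj "/CN=Stand-in Issuing CA" -days 365 2>/dev/null
    openssl x509 -req -in "$csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days "$days" -extfile req.cnf -extensions v3_req -out "$crt" 2>/dev/null
}

# 4. Check before installing: the issued certificate must carry this key's public key.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# 5. Format decision: keep separate PEM files when the key stays on the device,
#    or build a passphrase-protected PKCS#12 bundle (key + cert + chain) when the
#    key has to be transported to a device that cannot generate its own.
bundle_pkcs12() {
    key=$1; crt=$2; out=$3
    ( umask 077; openssl pkcs12 -export -inkey "$key" -in "$crt" -certfile ca.crt \
        -name "$DEVICE_CN" -passout "pass:$P12_PASS" -out "$out" 2>/dev/null )
}

# 6. Expiry monitoring: returns 0 (true) when the certificate expires within N days.
cert_expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) 2>/dev/null
}

make_device_key device.key
make_csr device.key device.csr "$DEVICE_CN"
issue_with_standin_ca device.csr device.crt 30
key_matches_cert device.key device.crt
bundle_pkcs12 device.key device.crt device.p12
if cert_expires_within_days device.crt 14; then
    echo "WARNING: device.crt expires within 14 days"
else
    echo "OK: device.crt valid for more than 14 days ($(openssl x509 -in device.crt -noout -enddate))"
fi
```

The `cert_expires_within_days` check is the piece a cron job or monitoring agent would run against every manually or script-distributed certificate, with a warning threshold (14 days here) chosen so that a replacement can be requested and installed before expiry. Some older devices only import PKCS#12 files built with the legacy RC2/3DES algorithms; OpenSSL 3 offers the `-legacy` option on `openssl pkcs12` for that case, at the cost of weaker protection of the bundle in transit.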
Muhamed Ahmovic
Technical Presales
Phone: +49 172 629 6400
E-Mail: mahmovic@spirit21.com
Muhamed is responsible for the design, planning and implementation of IT solutions with a focus on VMware, storage and Microsoft. If you have any questions about encryption technologies, you've come to the right place.