Allocation of certificates for different scenarios

Since we are very often asked by customers how to distribute certificates across different devices and operating systems, I would like to take this opportunity to explain this briefly.

When it comes to an internal Microsoft environment, where all servers and clients are members of the domain, it can be easily controlled and managed by group policies.

A challenge arises when we have to distribute a certificate to a device outside our environment, or to an internal device that cannot request a certificate on its own.

There are several options for the different scenarios, which are more or less complex and each have advantages and disadvantages, such as:

• Manual distribution
• script
• SCEP
• MDM SCEP

Manual allocation of allowances

The manual distribution of certificates is sometimes unavoidable and should only be used as a last resort. Here you can generate a request and the private key locally on the device itself or on another device and create the certificate on the CA (certification authority). Here you have to be careful about the format in which the certificate should be generated, whether the private and public keys should be separated, and how the private key is secured.

Certificate distribution using script

Scripted certificate distribution is a semi-automatic solution and may work well - when it comes to identical devices. However, since the script has to be executed manually and we have to authenticate (at least on the device) so that a private key has to be secured, the security of the method arises. In addition, it can become quite complex if we have different devices (e.g. printers, switches, routers, firewalls, thin clients, etc.) in the environment.

Certificate distribution via SCEP (Simple Certificate Enrollment Protocol)

Certificate distribution via SCEP makes it much easier to request and issue certificates on internal networks. This means that the device itself will retrieve the required certificate (which is only possible if the device or operating system supports this protocol).

Although the name of this solution contains a “simple”, there are some limitations to consider:

• Not all certificate classes can be distributed
• The use of a one-time password
• Need for trusted administrators

MDM (Mobile Device Management) and SCEP

An MDM (as the name refers to) is suitable for mobile devices. An MDM allows a trusted certificate profile to be created on devices, which makes the certificates of the root CA on the devices trustworthy. Afterwards, the devices and users can request the required certificates through the SCEP from the internal PKI (Public Key Infrastructure).

Since each certificate has a validity period, how can this be verified when it comes to certificates that are created manually or by script? This can be monitored locally on the root CA, locally on the device, or centrally by a monitoring solution, and a warning can be issued shortly before the certificate expires.