Configure a certificate profile
See Certificates in EAA to learn more about the use of certificates in Enterprise Application Access.
Before you begin
- Upload a Certificate Authority (CA) certificate to verify device certificates.
- Create an Online Certificate Status Protocol (OCSP) server to check for revoked certificates.
Note: Only external type OCSP servers can be configured as part of a certificate profile.
This step is optional. You only need to configure OCSP if you are going to select the Check Revocation Status (OCSP Server) option when you configure the certificate profile. See OCSP to learn more.
- To pass verification, the device certificate must have a corresponding private key and be signed by the configured Certificate Authority (CA).
- EAA Client verifies certificates stored in the following locations on the end-user device:
- macOS: System.keychain located in /Library/Keychains/System.keychain
- Windows: CERT_SYSTEM_STORE_LOCAL_MACHINE/My located in SystemCertificates. See System Store Locations for more details.
- In the EAA Management Portal menu, select .
- Go to Certificate Profiles.
- Click Add Certificate.
Note: You may create up to three certificate profiles.
- Configure the certificate profile parameters. The list below includes both mandatory and optional parameters; mandatory parameters are marked with an asterisk.
Certificate profile name*: Enter a meaningful certificate profile name. You can later select the certificate profile by its name in the list of tiers and tags criteria and apply it to configure application access control rules (ACLs).
Signed by*: Select the Certificate Authority (CA) that will perform device certificate verification. Device certificates from the System Store on Windows or the Keychain on macOS are considered for verification by checking whether they are signed by the selected CA.
TPM attested: Verify that the device certificate is protected by the Trusted Platform Module (TPM). See TPM to learn more. Note: This parameter is optional.
Check Revocation Status (OCSP Server): Enable and select from external OCSP servers to check certificate revocation status. Enabling this option activates the drop-down menu to select an OCSP server to use for verification. Note: This parameter is optional. To enable verification of the OCSP revocation status, you must have previously configured an external OCSP server.
Certificate profiles configured to use an OCSP server to verify certificate status behave as follows:
- If the OCSP server is not reachable, the certificate status is returned as good. In other words, the revocation check fails open by default.
- New devices have their certificates verified within approximately 15 minutes.
- After the initial successful revocation verification, the certificate status is verified with the configured OCSP server every 6 hours.
Note: The certificate profile capability available in the Enterprise Center interface lets you configure an additional parameter referred to as Fail Certificate Profile Evaluation. This feature lets you deny access to users when either the OCSP server used to validate the certificate is down, or the end-user status is unknown because the OCSP server cannot find the certificate's serial number in its database. This setting improves your authentication assurance level. See Configure a certificate profile to learn how to configure the Fail Certificate Profile Evaluation parameter.
- Click Save.
Now you may apply your certificate profile as part of a tier and tag configuration to evaluate the security posture of devices and allow or deny access to applications. See Configure tiers and tags.
Each device in your deployment will now be evaluated against any configured certificate profiles and you may also use certificate profiles as criteria for creating inventory reports. See Create an inventory report and Create an inventory report for devices matching certificate profiles.
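The checks a certificate profile applies to a device (the device certificate must chain to the selected CA, must have a matching private key, and its OCSP status is fail-open unless Fail Certificate Profile Evaluation is set), shown as an added example in Go. This is not EAA Client code: it uses only the Go standard library, constructs its own CA and device certificates in memory instead of reading the Windows System Store or macOS Keychain, and models the OCSP answer as a status value rather than querying a responder. The names NewCA, IssueDeviceCert, SignedBy, HasPrivateKey, Evaluate and OCSPStatus are this example's own, and treating an unknown status without the fail-closed flag the same way as an unreachable responder is an assumption (the page only specifies the fail-closed case).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert builds a constructed certificate from tmpl: self-signed when parent is nil, else signed by parentKey.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA builds a self-signed CA standing in for the CA uploaded to EAA.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return newCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// IssueDeviceCert issues a client-auth device certificate under the given CA.
func IssueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return newCert(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
}

// SignedBy is the profile's "Signed by" check: the device certificate must chain to the selected CA and nothing else.
func SignedBy(device, ca *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := device.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// HasPrivateKey checks that the key stored next to the certificate actually belongs to it.
func HasPrivateKey(cert *x509.Certificate, key *ecdsa.PrivateKey) bool {
	return key != nil && key.PublicKey.Equal(cert.PublicKey)
}

type OCSPStatus int // stands in for the external OCSP server's answer

const (
	OCSPGood        OCSPStatus = iota
	OCSPRevoked                // responder reports the certificate revoked
	OCSPUnknown                // responder cannot find the serial number
	OCSPUnreachable            // responder is down
)

// Evaluate applies the rules in the text: chain to the CA and a private key are required, revoked denies, and an unreachable
// responder counts as good unless failClosed (Fail Certificate Profile Evaluation) is set, which also denies unknown.
// Assumption: unknown without failClosed is treated like unreachable (the page does not say).
func Evaluate(signedByCA, hasKey bool, status OCSPStatus, failClosed bool) bool {
	if !signedByCA || !hasKey {
		return false
	}
	switch status {
	case OCSPGood:
		return true
	case OCSPRevoked:
		return false
	default: // OCSPUnknown, OCSPUnreachable
		return !failClosed
	}
}

func main() {
	ca, caKey, _ := NewCA("Corp Device CA")
	dev, devKey, _ := IssueDeviceCert(ca, caKey, "laptop-001", 1001)
	fmt.Println("chains to CA:", SignedBy(dev, ca), "key matches:", HasPrivateKey(dev, devKey))
	fmt.Println("OCSP down, default / fail closed:", Evaluate(true, true, OCSPUnreachable, false), Evaluate(true, true, OCSPUnreachable, true))
}
```

Running it prints true for both certificate checks and then true, false for the two OCSP cases: with the default behaviour a device whose OCSP responder is down is still admitted, which is exactly the gap the Fail Certificate Profile Evaluation parameter closes. SignedBy trusts only the selected CA, so a certificate issued by any other CA, even one present in the device's store, does not match the profile.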