Configure a certificate profile
Before you begin
- Upload a Certificate Authority (CA) certificate to verify device certificates.
- Create an Online Certificate Status Protocol (OCSP) server configuration to check revoked certificates in real time. Note: Only external type OCSP servers can be configured as part of a certificate profile.
This step is optional. You only need to configure OCSP if you are going to select the Check Revocation Status (OCSP Server) option when you're configuring the certificate profile. See OCSP to learn more.
- To pass verification, the device certificate must be signed by the configured Certificate Authority (CA).
- EAA Client will verify certificates stored in the following locations on the end-user device:
- macOS: System.keychain located in /Library/Keychains/System.keychain
- Windows: CERT_SYSTEM_STORE_LOCAL_MACHINE/My located in SystemCertificates. See System Store Locations for more details.
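As an added example (not part of the EAA documentation), the following shell script reproduces the "signed by the configured CA" check locally with openssl so an administrator can confirm a device certificate will pass before uploading the CA to a profile. It constructs a throwaway CA and two device certificates, one issued by that CA and one self-signed, and shows that only the first chains to the CA. The temporary directory, subject names and the `signed_by_ca` helper are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the EAA documentation: mirror the certificate
# profile's "Signed by" test with openssl. All material is generated here in a
# temporary directory (constructed test data, not a real CA or device).
set -e

WORK="$(mktemp -d)"

# Throwaway CA standing in for the CA uploaded to EAA (constructed).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Example Device CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Device certificate issued by that CA: this is what should pass.
make_device_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=device-001" \
    -keyout "$WORK/device.key" -out "$WORK/device.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/device.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 1 -sha256 -out "$WORK/device.pem" >/dev/null 2>&1
}

# Self-signed certificate that was NOT issued by the CA: this must fail.
make_rogue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=device-rogue" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" >/dev/null 2>&1
}

# Exit 0 if the certificate in $1 chains to the CA, non-zero otherwise.
# This is the same property the profile's "Signed by" parameter enforces.
signed_by_ca() {
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

make_ca
make_device_cert
make_rogue_cert

if signed_by_ca "$WORK/device.pem"; then echo "device.pem: PASS"; else echo "device.pem: FAIL"; fi
if signed_by_ca "$WORK/rogue.pem";  then echo "rogue.pem: PASS";  else echo "rogue.pem: FAIL";  fi
```

Run it against a real device certificate by exporting that certificate to PEM and calling `openssl verify -CAfile <ca.pem> <device.pem>` with the CA you intend to upload; an intermediate-signed device certificate also needs the intermediate in the `-CAfile` bundle, which is worth checking before enabling the profile.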
- In the EAA Management Portal menu, select .
- Go to Certificate Profiles.
- Click Add Certificate Profile.
Note: You may create up to three certificate profiles.
- Configure the certificate profile parameters. The table below includes both mandatory and optional parameters. The mandatory parameters are marked with an asterisk.
| Field | Description |
| --- | --- |
| Certificate definition name* | Enter a meaningful certificate profile name. You can later select the certificate profile by its name in the list of tiers and tags criteria and apply your certificate profile to configure application access control rules (ACLs). |
| Signed by* | Select a Certificate Authority (CA) that will perform device certificate verifications. Device certificates from the System Store on Windows or Keychain on macOS are considered for verification by checking if the certificates are signed by the selected CA. |
| TPM attested | Verify if the device certificate is protected by the Trusted Platform Module (TPM). See TPM to learn more. Note: This parameter is optional. |
| Check Revocation Status (OCSP) | Enable and select from external OCSP servers to check certificate revocation status. Enabling this option activates the drop-down menu to select the OCSP Server to use for verification. Note: This parameter is optional. To enable the verification of the OCSP revocation status, you should have previously configured an external OCSP server. |
Certificate profiles configured to use an OCSP server to verify certificate status behave as follows:
- If the OCSP server is not reachable, the certificate status will be returned as good.
- New devices will have their certificates verified within approximately 15 minutes.
- After the initial successful revocation verification, the certificate status will be verified with the configured OCSP server every 6 hours.
- Click Save.
Now you may apply your certificate profile as part of the tier and tag configuration to evaluate the security posture of devices and allow or deny access to applications. See Configure tiers and tags.
Each device in your deployment will now be evaluated against any configured certificate profiles, and you may also use certificate profiles as criteria for creating inventory reports. See Create a device inventory report and Create report for devices that match certificate profiles.