Configure a certificate profile

Certificate profiles allow you to configure a set of parameters used to verify the certificates present on a device. After you define certificate profiles, you can apply them in the tiers and tags configuration to allow or deny access to applications. Signals collected from enterprise devices can also be monitored in the Device Details report for any device in your system using device posture. See Certificates in EAA to learn more about the use of certificates in Enterprise Application Access.

Before you begin

  1. Upload a Certificate Authority (CA) certificate to verify device certificates.
  2. Configure an Online Certificate Status Protocol (OCSP) server to check for revoked certificates in real time.
    Note: Only external type OCSP servers can be configured as part of a certificate profile.

    This step is optional. You only need to configure OCSP if you plan to select the Check Revocation Status (OCSP Server) option when configuring the certificate profile. See OCSP to learn more.

Certificate requirements
  • To pass verification, the device certificate must be signed by the configured Certificate Authority (CA).
  • EAA Client verifies certificates stored in the following locations on the end-user device:
    • macOS: the System keychain, located at /Library/Keychains/System.keychain
    • Windows: the CERT_SYSTEM_STORE_LOCAL_MACHINE/My store, located in SystemCertificates. See System Store Locations for more details.

How to

  1. In the EAA Management Portal menu, select System > Device Posture.
  2. Go to Certificate Profiles.
  3. Click Add Certificate Profile.
    Note: You may create up to three certificate profiles.
  4. Configure the certificate profile parameters. The list below includes both mandatory and optional parameters; mandatory parameters are marked with an asterisk.
    Field | Description

    Certificate definition name*
      Enter a meaningful certificate profile name.

      You can later select the certificate profile by its name in the list of tiers and tags criteria and apply it to configure application access control rules (ACLs).

    Signed by*
      Select the Certificate Authority (CA) that performs device certificate verification. Device certificates from the System Store on Windows or the Keychain on macOS are considered for verification by checking whether they are signed by the selected CA.

    TPM attested
      Verify whether the device certificate is protected by the Trusted Platform Module (TPM). See TPM to learn more.
      Note: This parameter is optional.

    Check Revocation Status (OCSP)
      Enable this option and select an external OCSP server to check certificate revocation status. Enabling it activates the drop-down menu for selecting the OCSP server to use for verification.
      Note: This parameter is optional. To enable OCSP revocation status verification, you must have previously configured an external OCSP server.

      Certificate profiles configured to use an OCSP server to verify certificate status behave as follows:

      1. If the OCSP server is not reachable, the certificate status is returned as good.
      2. New devices have their certificates verified within approximately 15 minutes.
      3. After the initial successful revocation verification, the certificate status is verified with the configured OCSP server every 6 hours.
  5. Click Save.
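The "Signed by" requirement from Certificate requirements and the OCSP behaviour described in step 4, replayed locally with openssl as an added example (this is not Akamai's or EAA Client's code). It assumes POSIX sh with openssl on the PATH; the CA, device certificate, rogue certificate, responder URL and function names are constructed test material for the example only.

```shell
#!/bin/sh
# Added example, not Akamai's code: replay the two checks a certificate
# profile applies, using openssl on constructed test material in a temp dir.
# On a real macOS device the candidate cert would come from
#   security find-certificate -a -p /Library/Keychains/System.keychain
set -eu
WORK=$(mktemp -d)
q() { "$@" >/dev/null 2>&1; }   # run a command quietly, keep its exit status

# Constructed material: a device CA, a device cert it issued, and a
# self-signed "rogue" cert that no configured CA issued.
q openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Corp Device CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem"
q openssl req -newkey rsa:2048 -nodes -subj "/CN=laptop-0001" \
    -keyout "$WORK/dev.key" -out "$WORK/dev.csr"
q openssl x509 -req -in "$WORK/dev.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/dev.pem"
q openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=rogue" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem"

# "Signed by": the device cert must chain to the configured CA (exit 0 if so).
signed_by_ca() {   # $1 = CA PEM, $2 = device cert PEM
  q openssl verify -CAfile "$1" "$2"
}

# "Check Revocation Status (OCSP)": query responder $3 about $2.
# Prints good, revoked, unknown or unreachable. The last is the case the
# page documents as fail-open (an unreachable responder counts as good), so
# responder availability deserves its own monitoring.
ocsp_status() {    # $1 = CA PEM, $2 = device cert PEM, $3 = responder URL
  out=$(openssl ocsp -issuer "$1" -cert "$2" -CAfile "$1" -url "$3" \
        -timeout 3 2>&1) || { echo unreachable; return 0; }
  case "$out" in
    *": good"*)    echo good ;;
    *": revoked"*) echo revoked ;;
    *)             echo unknown ;;
  esac
}

# Posture decision as the page describes it. Treating "unknown" as deny is
# this example's assumption; the page only specifies the unreachable case.
posture() {        # $1 = CA PEM, $2 = device cert PEM, $3 = responder URL
  signed_by_ca "$1" "$2" || { echo deny; return 0; }
  case "$(ocsp_status "$1" "$2" "$3")" in
    good|unreachable) echo allow ;;
    *)                echo deny ;;
  esac
}

# Usage: a constructed responder URL where nothing listens shows the fail-open path.
posture "$WORK/ca.pem" "$WORK/dev.pem" http://127.0.0.1:9     # allow
posture "$WORK/ca.pem" "$WORK/rogue.pem" http://127.0.0.1:9   # deny
```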

Next steps

After you create a certificate profile, signals collected from devices where EAA Client is installed are checked against the certificate profile parameters.

You can now apply your certificate profile as part of the tier and tag configuration to evaluate the security posture of devices and allow or deny access to applications. See Configure tiers and tags.

Each device in your deployment is now evaluated against every configured certificate profile, and you can also use certificate profiles as criteria when creating inventory reports. See Create a device inventory report and Create report for devices that match certificate profiles.