Configure a certificate profile

Certificate profiles let you define a set of parameters used to verify the certificates present on a device. After you have defined certificate profiles, you can apply them in your tiers and tags configuration to allow or deny access to applications. Signals collected from enterprise devices can also be monitored in the Device Details report for any device in your system that uses device posture.

See Certificates in EAA to learn more about the use of certificates in Enterprise Application Access.

Note: This feature does not verify that the browser used to access your protected resources is using the certificate specified in the certificate profile. It only verifies the presence of certificates, and their related parameters, on the device.

Before you begin

  1. Upload a Certificate Authority (CA) certificate to verify device certificates.
  2. Configure an Online Certificate Status Protocol (OCSP) server to check for revoked certificates.
    Note: Only external type OCSP servers can be configured as part of a certificate profile.

    This step is optional. You only need to configure OCSP if you are going to select the Check Revocation Status (OCSP Server) option when you configure the certificate profile. See OCSP to learn more.

Certificate requirements
  • To pass verification, the device certificate must have a corresponding private key and be signed by the configured Certificate Authority (CA).
  • The EAA Client verifies certificates stored in the following locations on the end-user device:
    • macOS: the System keychain, located at /Library/Keychains/System.keychain
    • Windows: CERT_SYSTEM_STORE_LOCAL_MACHINE/My, located in SystemCertificates. See System Store Locations for more details.

How to

  1. In the EAA Management Portal menu, select System > Device Posture.
  2. Go to Certificate Profiles.
  3. Click Add Certificate Profile.
    Note: You may create up to three certificate profiles.
  4. Configure the certificate profile parameters. The list below includes both mandatory and optional parameters; mandatory parameters are marked with an asterisk.

    Certificate profile name*
      Enter a meaningful certificate profile name.

      You can later select the certificate profile by its name in the list of tiers and tags criteria and apply it to configure application access control rules (ACLs).

    Signed by*
      Select the Certificate Authority (CA) that will perform device certificate verification. Device certificates from the System Store on Windows or the Keychain on macOS are considered for verification by checking whether they are signed by the selected CA.

    TPM attested
      Verify whether the device certificate is protected by the Trusted Platform Module (TPM). See TPM to learn more.
      Note: This parameter is optional.

    Check Revocation Status (OCSP Server)
      Enable this option and select one of the external OCSP servers to check certificate revocation status. Enabling this option activates the drop-down menu for selecting the OCSP server to use for verification.
      Note: This parameter is optional. To enable verification of the OCSP revocation status, you must have previously configured an external OCSP server.

      Certificate profiles configured to use an OCSP server to verify certificate status behave as follows:

      1. If the OCSP server is not reachable, the certificate status is returned as good (that is, the check fails open).
      2. New devices have their certificates verified within approximately 15 minutes.
      3. After the initial successful revocation verification, the certificate status is verified with the configured OCSP server every 6 hours.

      Note: The certificate profile capability available in the Enterprise Center interface lets you configure an additional parameter, Fail Certificate Profile Evaluation.

      The Fail Certificate Profile Evaluation feature lets you deny access to users when either the OCSP server used to validate the certificate is down, or the end-user status is unknown because the OCSP server cannot find the certificate's serial number in its database. This setting improves your authentication assurance level.

      See Configure a certificate profile to learn how to configure the Fail Certificate Profile Evaluation parameter.

  5. Click Save.

Next steps

After you create a certificate profile, signals collected from devices where the EAA Client is installed are checked against the certificate profile parameters.

You can now apply your certificate profile as part of the tier and tag configuration to evaluate the security posture of devices and allow or deny access to applications. See Configure tiers and tags.

Each device in your deployment is now evaluated against every configured certificate profile, and you can also use certificate profiles as criteria for creating inventory reports. See Create an inventory report and Create an inventory report for devices matching certificate profiles.