Kaspersky Secure Mobility Management
Connecting to an NDES/SCEP server


These settings apply to corporate devices.

You can connect to an NDES/SCEP server to obtain a certificate from a certificate authority (CA) using the Simple Certificate Enrollment Protocol (SCEP). To do this, you need to add a connection to the certificate authority and a certificate profile.

To add a connection to the certificate authority and a certificate profile:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Device configuration section.
  4. On the SCEP and NDES card, click Settings.

    The SCEP and NDES window opens.

  5. Enable the settings using the SCEP and NDES toggle switch.

    The Add connection to certificate authority window opens.

  6. Add a connection to the certificate authority:
    1. In the Connection name field, enter the name of the connection to the certificate authority.
    2. In the Protocol type drop-down list, select the protocol version.
    3. In the Server URL field, enter the URL of an NDES or SCEP server.

      The format of the NDES server URL is http://<ServerName>/certsrv/mscep/mscep.dll.

    4. In the Challenge phrase type drop-down list, select one of the following options to configure the authentication challenge:
      • None
      • Static
    5. If you selected the Static option, in the Static challenge phrase field, enter the authentication phrase.
    6. Click Add.

    The connection to the certificate authority is added. You can add multiple connections to certificate authorities.

  7. Select the Certificate profile tab and click Add.

    The Add profile window opens.

  8. Add a certificate profile:
    1. In the General settings section, in the Profile name field, enter the unique certificate profile name.
    2. In the Certificate authority (CA) drop-down list, select the certificate authority that you added on the Certificate authority tab.
    3. In the Subject Name field, specify the subject of the certificate. The subject name is a unique identifier that includes information about what is being certified, such as common name, organization, organizational unit, and country code. You can either enter a value or select a macro by clicking the plus button.
    4. If you want to add an alternative name that represents the certificate subject name, click Add Subject Alternative Name and configure the following settings:
      1. In the Type of Subject Alternative Name drop-down list, select the subject alternative name type.
      2. In the Subject Alternative Name field, enter the alternative name. You can either enter a value or select a macro by clicking the plus button.

      You can add multiple subject alternative names.

    5. In the Key section, in the Key size (bit) drop-down list, select the certificate's private key length.
    6. In the Private key type drop-down list select the certificate's private key type:
    7. If you want the certificate to be automatically reissued to the device before it expires, in the Certificate section, select the Renew certificate automatically check box. This check box is cleared by default.
    8. If you selected the Renew certificate automatically check box, enter the number of days before the expiration date when the certificate is reissued in the Renew certificate before it expires in (days) field.
    9. Click Add.

    The certificate profile is added. You can add multiple certificate profiles.

  9. Click OK.
  10. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.

You can edit or remove the added connections to certificate authorities and certificate profiles by clicking Edit and Delete at the top of the list.

If you delete a connection to a certificate authority, all certificate profiles that use it are also removed.
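
Before you enter the Server URL in the connection settings, you can check what the SCEP server advertises. The following Python sketch is an added example, not part of Kaspersky Secure Mobility Management: it builds the standard SCEP GetCACaps query (RFC 8894) from a server URL and reviews the plain-text reply. The host name and the sample reply are constructed, and mapping the Renew certificate automatically check box to the SCEP Renewal capability is an assumption.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode

# Constructed sample of a GetCACaps reply: one capability keyword per line.
SAMPLE_CAPS = "POSTPKIOperation\nRenewal\nSHA-256\nSHA-1\nDES3\n"

def get_ca_caps_url(server_url):
    """Return the GetCACaps query URL for an NDES/SCEP server URL."""
    parts = urlsplit(server_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("Server URL must be an absolute http(s) URL")
    if "<" in parts.netloc or ">" in parts.netloc:
        raise ValueError("Replace the <ServerName> placeholder with a host name")
    query = urlencode({"operation": "GetCACaps"})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))

def review_ca_caps(body, want_renewal=False):
    """Parse a GetCACaps reply and return (capabilities, findings)."""
    # Keywords are compared case-insensitively, so normalize to upper case.
    caps = {line.strip().upper() for line in body.splitlines() if line.strip()}
    findings = []
    if not caps & {"SHA-256", "SHA-512"}:
        findings.append("no SHA-256/SHA-512 digest advertised")
    if "AES" not in caps:
        findings.append("AES not advertised")
    if "POSTPKIOPERATION" not in caps:
        findings.append("POST not advertised; requests go in the GET query string")
    # Assumption: automatic renewal in the profile relies on this capability.
    if want_renewal and "RENEWAL" not in caps:
        findings.append("Renewal not advertised")
    return caps, findings

if __name__ == "__main__":
    # ndes.example.test is a placeholder host, not a real server.
    print(get_ca_caps_url("http://ndes.example.test/certsrv/mscep/mscep.dll"))
    caps, findings = review_ca_caps(SAMPLE_CAPS, want_renewal=True)
    print(sorted(caps))
    for finding in findings:
        print("finding:", finding)
```

To review a live server, request the generated URL with any HTTP client and pass the response body to review_ca_caps.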