Kaspersky Secure Mobility Management
Issuing mobile device certificates

You can issue mobile, mail, or VPN certificates for mobile devices.

To issue a certificate:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Certificates.
  2. In the list of certificates that opens, click Add.

    The Certificate issuance wizard starts. Click Start, and then proceed through the wizard using the Back and Next buttons.

Welcome

On the welcome screen, you can read a summary of the Certificate issuance wizard steps.

Please note that the numbering and set of steps may vary depending on the certificate type, operating system, and the issuance settings defined in the Issuance rules section.

Step 1. Certificate type

At this step, choose the certificate to be issued.

  • Mail certificate (to configure corporate email on devices).
  • VPN certificate (to configure access to private networks and corporate web resources on devices).
  • Mobile certificate (to identify mobile devices on the Administration Server).

Step 2. Operating system

At this step, choose the operating system of the devices for which the certificate will be issued.

  • Android
  • iOS

Step 3. Connection method

This step is displayed only if you selected Mail certificate or VPN certificate as the certificate type and Android as the operating system of the devices for which the certificate will be issued.

At this step, choose the method for connecting devices to Administration Server.

  • Connect using mobile certificate authentication

    Select this option if you want the mobile certificate to be used for user identification upon connecting to Administration Server.

  • Connect without mobile certificate authentication

    Select this option if you want to install a certificate on a device without certificate authentication.

Step 4. Users

At this step, choose one or more users that will receive the details for installing certificates. If a user is not in the list, you can add a new user account without exiting the wizard.

  • To choose an existing user, select check boxes next to the corresponding user names.
  • To add a new user, click Add user.
    1. Specify user credentials in the Credentials block of settings.
      • User name
      • Password

        The password must meet the following complexity requirements:

        • It must contain between 8 and 16 characters.
        • It must contain characters from at least three of these groups: uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), special characters (@ # $ % ^ & * - _ ! + = [ ] { } | : ' , . ? / \ ` ~ " ( ) ;).
    2. If necessary, specify the optional details in the Optional information group of settings.
      • Full user name
      • Description
      • Email address
      • Phone number
    3. Click OK to save the changes.

      The new user will be added and displayed in the list of users.

  • To modify user details, click Edit user.

    The fields you can modify depend on the user subtype: internal or domain.
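
The password complexity requirements listed for the Add user block can be checked before the account is created. The following Python sketch is an added example, not part of Kaspersky Security Center or its documentation; the names check_password and generate_password are hypothetical, and it assumes that characters outside the four listed groups are not accepted, which the page does not state.

```python
import secrets
import string

# Character groups exactly as listed in the complexity requirements above.
GROUPS = {
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "digits": string.digits,
    "special": "@#$%^&*-_!+=[]{}|:',.?/\\`~\"();",
}
MIN_LEN, MAX_LEN, MIN_GROUPS = 8, 16, 3


def check_password(password):
    """Return a list of rule violations; an empty list means compliant."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length {len(password)} is outside {MIN_LEN}-{MAX_LEN}")
    used = [name for name, chars in GROUPS.items() if any(c in chars for c in password)]
    if len(used) < MIN_GROUPS:
        problems.append(f"only {len(used)} character group(s) used, need {MIN_GROUPS}")
    # Assumption: characters outside the four listed groups are rejected,
    # because the page does not say whether the console accepts them.
    allowed = "".join(GROUPS.values())
    stray = sorted({c for c in password if c not in allowed})
    if stray:
        problems.append(f"characters outside the listed groups: {stray!r}")
    return problems


def generate_password(length=16):
    """Generate a random password with one character from every group."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be {MIN_LEN}-{MAX_LEN}")
    chars = [secrets.choice(group) for group in GROUPS.values()]
    pool = "".join(GROUPS.values())
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # guaranteed characters are not always first
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample inputs, plus one freshly generated password.
    for candidate in ("Passw0rd", "password1", "Sh0rt!", generate_password()):
        print(repr(candidate), check_password(candidate) or "ok")
```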

Step 5. Certificate alias and source

At this step, choose the certificate alias and source for importing the certificate.

  • Certificate alias

    A certificate alias is a name that identifies the certificate. You can use the selected alias later to configure policy settings: Email account for iOS MDM devices; Exchange ActiveSync account for iOS MDM devices; VPN network for iOS MDM devices; Wi-Fi network for iOS MDM devices.

    This option is available only if you selected Mail certificate or VPN certificate as the certificate type.

  • Integrate issuance with Microsoft CA via PKI

    For this option, specify one of the available templates imported from Microsoft CA in the PKI template field.

    This option is available only if the integration with PKI is enabled in the Issuance rules.

  • Upload file

    For this option, specify the Certificate format:

    • For the PKCS #12 format, in the Certificate file field, click Select, and then specify a P12 or PFX file.
    • For the X.509 format, in the Private key file field, click Select, and then specify a PRK or PEM file.

      In the Certificate file field, click Select, and then specify a CER, CRT, or CERT file.

      After you specify the files, you can also enter the Certificate password.

Step 6. Authentication method

This step is displayed only if you selected Mobile certificate as the certificate type, or if you selected Mail certificate or VPN certificate for Android devices and specified the Connect without mobile certificate authentication option as the connection method.

At this step, choose the user authentication method for receiving the certificate.

  • Domain or internal user credentials. Users will access the certificate using the domain or internal user credentials. On mobile devices, users will have to specify the login in one of the following formats:
    • userPrincipalName@DNSDomainName
    • sAMAccountName
    • sAMADomain\sAMAccountName
  • Password. Users will access the certificate using a password sent by email or displayed after completing the wizard.

In the Certificate use on device block of settings, select the Allow using one certificate multiple times on the same device (only for devices with Kaspersky Endpoint Security for Android installed) check box if you want to allow using one certificate multiple times on the same device.

This option is available only if Android is chosen as the operating system of the devices for which the certificate will be issued.

Step 7. Send certificate details

At this step, choose how to send the certificate installation details. You can choose one of the following options:

  • Send a message to users' email addresses

    Choose this option to send the certificate installation details by email to the selected users. These email addresses must be specified in the user account settings in Kaspersky Security Center.

    If you want to send the certificate installation details to an email address that is not specified in the user account settings in Kaspersky Security Center, select the Send a copy of the message to an alternate email address check box, and then specify the required email address.

  • Show the details after completing the wizard

    Choose this option to display the certificate installation details at the final step of the Certificate issuance wizard.

Step 8. Confirm

At this step, check the certificate issuance details specified in the earlier steps, and then click Confirm and issue certificate to confirm the operation.

Finish

On the Finish screen:

  • If you chose the Send a message to users' email addresses option, the specified users will receive emails with the certificate installation details.
  • If you chose the Show the details after completing the wizard option, certificate installation details are displayed on the Finish screen. You can view the displayed details or click Download list to receive a file with summarized information.

Click Close to exit the wizard.

After completing the Certificate issuance wizard, certificates are created and added to the list of user certificates. You can delete or renew certificates, as well as view their properties.