Share via


MDM and Microsoft Certification Authorities

2/9/2009

System Center Mobile Device Manager works directly with existing Microsoft certification authorities for client and server certificate signing. If no current Public Key Infrastructure (PKI) is in place, or if you want to maintain a separate certification authority for device authentication, you can add a Microsoft enterprise certification authority. The Windows Server 2003 Enterprise Edition operating system certification authority is the only supported issuing certification authority for MDM.

MDM uses certificates extensively on all server roles. For example, it uses certificates for the following functionality:

  • For remote authentication of Windows Mobile devices.
  • To ensure confidentiality and protect against tampering in administrative communication between client and server.
  • For server-to-server authentication and communication confidentiality.
  • To help protect servers against malicious configuration attacks.

Certificate use with MDM provides the following benefits:

  • Data transfers confidentially between servers and managed devices by using encryption to prevent data exposure over public Internet links.
  • Servers and managed devices verify the identity of one another by using mutual authentication during communication.
  • MDM Gateway Server uses the device certificate to authenticate the device. The device uses the MDM Gateway Server certificate to authenticate the server, and then generates an Internet Protocol security (IPsec) connection. To authenticate line-of-business (LOB) applications and help provide end-to-end security, the managed device should use another certificate, or an authentication or encryption mechanism (such as Secure Sockets Layer) in addition to the IPsec-encrypted tunnel to the MDM Gateway Server.

Public Key Infrastructure

A PKI consists of the following basic components:

  • Digital certificates
  • Certification Authorities
  • Certificate policy and practice statements
  • Certificate repositories
  • Certificate revocation lists (CRL)
  • Certificate trust lists (CTL)
  • Key archival and recovery
  • Public key standards

For information about PKI, see the PKI documentation:

Certificates

MDM uses certificates from your existing Public Key Infrastructure (PKI).

Windows Server 2003 Enterprise Edition certification authority is the only fully supported certification authority for MDM. Its automatic enrollment and certificate renewal capabilities are key elements in making sure of the highest quality end-user experience during MDM enrollment.

Note

When you introduce a Windows Server 2003 Enterprise Edition certification authority into a production environment, server certificates are issued to domain controllers.

You must put one Enterprise Root certification authority in the root of the PKI infrastructure. You should set root certification authorities expiration time in such a way that renewal is not needed. You cannot renew the root certification authority in Windows Mobile. We recommend that you follow the best practices for PKI as outlined in the PKI documentation:

We also recommend that you deploy at least one offline root certification authority and one subordinate (issuing) certification authority. Depending on your deployment, this might include one or more of the following:

  • Active Directory directory service (Windows Server 2003 forest and domain functional levels)
  • Microsoft Domain Name System (DNS), correctly deployed and configured
  • Certification authority running Windows Server 2003 Enterprise Edition operating system
  • At least one global catalog server in the same Active Directory site as the MDM servers
  • Microsoft SQL Server 2005 Service Pack 1 (SP1), local or remote to the MDM Device Management Server

MDM Certificate Templates

The following certificate templates are created during the installation of each MDM instance. You can view these templates in the Certificate Templates MMC snap-in.

For more detailed information about these templates, see Manual Certificate Procedures in the MDM Deployment Guide.

SCMDMGCM (<Instance Name>)

MDM uses the SCMDMGCM template for digital signature and encryption.

The following shows information about this template.

Extensions

Client authentication

Validity

Two years

Automatic renewal?

No

Publish to Active Directory?

No

SCMDMMobileDevice (<Instance Name>)

MDM uses the SCMDMMobileDevice template for digital signature and encryption.

The following shows information about this template.

Extensions

Client authentication

Validity

One year

Automatic renewal?

Yes

Publish to Active Directory?

Yes

SCMDMWebServer (<Instance Name>)

MDM uses the SCMDMWebServer template for digital signature and encryption.

The following shows information about this template.

Extensions

Server authentication

Validity

Two years

Automatic renewal?

No

Publish to Active Directory?

No

Additional Resources

Windows Server 2003 PKI information

Security and Windows Mobile Devices

See Also

Concepts

Validating Communications within an MDM Instance
Configure a Certification Authority for MDM