You can enrol certificates on managed devices (e.g. routers or iPads) using SCEP (Simple Certificate Enrolment Protocol) or CMP (Certificate Management Protocol). Both protocols use a request/response model carried over HTTP for certificate enrolment with devices. An administrator can associate a client certificate with each device automatically, without any end-user interaction. SCEP uses the Certification Authority (CA) certificate to secure the message exchange that carries the Certificate Signing Request (CSR). A certificate request can be for issuance/approval, renewal or revocation.


How it Works


  1. You can create a device enrolment request using the icon at the top right. A dialog appears from which you can go to the certificate requests list or create further requests. The certificate request is shown in the Device Requests list in Draft or Approved status.
  2. A device enrolment request that is saved without generating a certificate appears in Draft state; click the icon and select Edit to complete it. Once completed, the certificate request is shown in the Device Requests list with Approved status.
  3. You can also enrol multiple devices at once using the Bulk device enrolment via CSV file option. The CSV file must contain Device IDs with their corresponding Encryption Algorithms. Once a CSV file is selected, the status of any duplicate Device IDs or invalid algorithms is shown. Click ENROL to register the device certificates.
  4. For certificate enrolment initiated from a device (e.g. a router), see the Configure Certificate Enrolment with Devices section below.
  5. If you want a SAN in the certificate, the router must supply the SAN (Subject Alternative Name) extension in its request during device enrolment.



A One Time Password (OTP) can be required as authentication at the time of request submission for certificate issuance, renewal and revocation, depending on certificate criticality. See External Services > Connectors > SMS Gateway for details.


Create Device Enrolment Request


Use the following steps to create a device enrolment request for a certificate:

  1. Click Device Enrolment > Device Requests.
  2. Create a new certificate request using the icon at the top right. Provide all the information required by the RA (Registration Authority) to complete the process.
  3. Select the validity period for the device certificate, if the RA (Registration Authority) allows it.
  4. Click Generate. A success message is shown.
  5. A challenge password is generated according to the Challenge Type set by the RA (Registration Authority) for request authentication. Open the request to see the challenge password.



1) Supported Challenge Types are None, Fixed or Random.
2) The submitted request is available under Device Enrolment > Certificate Requests with Approved status.


All certificate requests related to the user are listed under Device Requests. The following table describes the column headers:


Field

Description

Request No

This column displays the unique, auto-generated request number of each certificate request. Click it to view the details of the certificate request.

Request Type

This column displays the type of each certificate request, i.e. Device Based.

Device Based: A certificate request created to issue signing keys for a device registered by the user, where the keys are kept on the device itself, e.g. a Cisco router or a mobile device. A device-based certificate identifies the device and authenticates it to the server.

Certificate Type

This column displays the purpose/type of each requested certificate, i.e. Document Signing, TLS Server Certificate, etc.

Status

This column displays the current status of each certificate request, i.e. Approved, Declined, or Pending. It also shows the date on which the request was given its current status.

Approved: A certificate request that has been sanctioned by the RA (Registration Authority). An approved request means that the certificate has been issued/revoked/renewed against it.

Declined: A certificate request that has been turned down by the RA (Registration Authority). A declined request means that certificate issuance has been refused against it.

Pending: A certificate request that has not yet been processed by the RA (Registration Authority). A pending request means that the RA (Registration Authority) needs to review the vetting details and take the appropriate action (i.e. Approve or Decline) against it.

Draft: A certificate request that has been created but not yet processed by the user. A draft request means that the user needs to fill in the vetting details and take the appropriate action (i.e. Create, Submit) against it.



The certificate is generated when the request is sent from the device (e.g. router, iPad) using the Device ID as the CN (Common Name) and the challenge password, where required.

 

View Issued Devices Certificates


Once a certificate is approved, it is shown under Device Enrolment > Device Certificates with Issued status. The following table describes each column header.


Field

Description

Request No.

This column displays the unique, auto-generated request number of each certificate request. Click it to view the details of the certificate request.

Full Name

This column displays the full name on each certificate, including the certificate serial number.

Certificate Type

This column displays the purpose/type of each requested certificate, i.e. Document Signing, TLS Server Certificate, etc.

Status

This column displays the current status of each certificate, i.e. Issued, Revoked, or Expired.

Issued: A certificate that has been issued or renewed by the RA (Registration Authority). These are the usable certificates.

Revoked: A certificate that has been revoked/cancelled by the RA (Registration Authority). Revoked certificates cannot be used.

Expired: A certificate whose configured validity period has ended. Expired certificates cannot be used until they are renewed.

Pending Revocation: A revocation request for the certificate has been sent to the RA (Registration Authority).

Expiry Date

This column displays the date on which each certificate expires.


Device Certificate Renewal Requests


  1. Once a certificate has expired, a renewal request is created from the device through the certificate re-enrolment process (manual or auto).
  2. Once the re-enrolment process completes successfully, the certificate is renewed.
  3. The certificate, with Issued status and its new validity period, is available in the Device Enrolment > Device Certificates list.

Device Certificate Revocation Requests


  1. Click Device Enrolment > Device Certificates from the left menu.
  2. Search for the certificate to be revoked, click the icon adjacent to it in the main grid and click Revoke.
  3. A confirmation message appears. Click Yes.
  4. Provide the information required by the RA (Registration Authority) for the revocation process.
  5. Click Revoke.
  6. The request is submitted to the RA (Registration Authority) to revoke the certificate.
  7. An email notification is sent to the RA (Registration Authority) requesting revocation approval.
  8. The certificate is revoked on approval of the request. The user receives an email and an on-screen notification.
  9. The request status changes to Approved and the certificate, with status Revoked, is available in the Device Enrolment > Device Certificates list.




The certificate status in the Device Certificates list remains Pending Revocation until the request is approved by the RA (Registration Authority).


Configure Certificate Enrolment with Devices


To configure a certificate on a device (e.g. a router or mobile device), open a terminal session to the device's command line (e.g. with PuTTY) and run the following commands:


  1. Enter global configuration mode with the configure terminal command. Example: Router# configure terminal
  2. Declare the trustpoint with a name; this enters ca-trustpoint configuration mode. Syntax: crypto pki trustpoint name. Example: Router(config)# crypto pki trustpoint mytp
  3. Set the enrolment mode as required. Syntax: enrollment [mode | retry period minutes | retry count number] url url [pem]. Example (use the SCEP URL shown under Device Enrolment > Device Settings): Router(ca-trustpoint)# enrollment url http://example.com
  4. Authenticate the trustpoint to retrieve the CA certificate. Syntax: crypto pki authenticate name. Example: Router(config)# crypto pki authenticate mytp
  5. Enrol by generating the certificate request; when prompted, enter the challenge password shown in the device request. Syntax: crypto pki enroll name. Example: Router(config)# crypto pki enroll mytp
  6. Optionally, view your certificate and the CA and RA certificates. Syntax: show crypto pki certificates. Example: Router# show crypto pki certificates




1) Auto or manual enrolment is selected through the enrolment mode. With auto enrolment the re-enrolment process runs automatically, but only once a certificate has expired.
2) For details of the command parameters and enrolment modes for the router, see the official Cisco documentation.


Create Bulk Devices Enrolment Requests


  1. Click Device Enrolment > Bulk Device Requests.
  2. Create a certificate request by using the icon to locate and select the required CSV file from your system.


The file must contain a valid Device ID and Encryption Algorithm for each device.

  1. Provide all the information required by the RA (Registration Authority) to complete the process.
  2. Click Enrol.
  3. A success message is shown with the count of successfully enrolled devices.
  4. A challenge password is generated according to the Challenge Type set by the RA (Registration Authority) for request authentication. Open the request to see the challenge password.



1) Supported Challenge Types are None, Fixed or Random.

2) The submitted request is available under Device Enrolment > Device Requests with Approved status.
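The bulk upload screen described above reports duplicate Device IDs and invalid algorithms before anything is enrolled. The following added example (not the product's own code) performs the same pre-check offline on a constructed CSV; the column names and the set of accepted algorithm names are assumptions, since the page does not list them.

```python
# Added example (not the product's own code): pre-check a bulk device enrolment
# CSV for the two problems the page says the upload screen reports, duplicate
# Device IDs and invalid encryption algorithms. The column names and the set of
# accepted algorithm names are assumptions; the page does not list them.
import csv
import io
import re

ALLOWED_ALGORITHMS = {"RSA-2048", "RSA-4096", "ECDSA-P256"}      # assumed names
DEVICE_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")  # assumed policy


def validate_bulk_csv(text: str) -> dict:
    """Return accepted rows plus the rows that must be fixed before enrolment."""
    report = {"accepted": [], "duplicates": [], "invalid_algorithms": [], "malformed": []}
    seen = set()
    reader = csv.DictReader(io.StringIO(text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        device_id = (row.get("device_id") or "").strip()
        algorithm = (row.get("encryption_algorithm") or "").strip().upper()
        if not DEVICE_ID_RE.match(device_id):
            report["malformed"].append((line_no, "missing or badly formed device_id"))
            continue
        # The Device ID becomes the certificate CN, so a repeat would mean two
        # certificates claiming the same identity; flag every repeat after the first.
        if device_id in seen:
            report["duplicates"].append((line_no, device_id))
            continue
        seen.add(device_id)
        if algorithm not in ALLOWED_ALGORITHMS:
            report["invalid_algorithms"].append((line_no, device_id, algorithm))
            continue
        report["accepted"].append((device_id, algorithm))
    return report


# Constructed sample upload: one duplicate, one unsupported key size, one empty ID.
SAMPLE_CSV = """device_id,encryption_algorithm
router-br-01,RSA-2048
router-br-02,ecdsa-p256
router-br-01,RSA-2048
ipad-sales-07,RSA-1024
,RSA-2048
"""

if __name__ == "__main__":
    r = validate_bulk_csv(SAMPLE_CSV)
    print(len(r["accepted"]), "ready;", r["duplicates"], r["invalid_algorithms"], r["malformed"])
```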



All device certificate requests related to your user are listed under Device Requests. The following table describes the column headers:


Field

Description

Request No

This column displays the unique, auto-generated request number of each certificate request. Click it to view the details of the certificate request.

Request Type

This column displays the type of each certificate request, i.e. Device Based.

Device Based: A certificate request created to issue signing keys for a device registered by the user, where the keys are kept on the device itself, e.g. a Cisco router or a mobile device. A device-based certificate identifies the device and authenticates it to the server.

Certificate Type

This column displays the purpose/type of each requested certificate, i.e. Document Signing, TLS Server Certificate, etc.

Status

This column displays the current status of each certificate request, i.e. Approved, Declined, or Pending. It also shows the date on which the request was given its current status.

Approved: A certificate request that has been sanctioned by the RA (Registration Authority). An approved request means that the certificate has been issued/revoked/renewed against it.

Declined: A certificate request that has been turned down by the RA (Registration Authority). A declined request means that certificate issuance has been refused against it.

Pending: A certificate request that has not yet been processed by the RA (Registration Authority). A pending request means that the RA (Registration Authority) needs to review the vetting details and take the appropriate action (i.e. Approve or Decline) against it.

Draft: A certificate request that has been created but not yet processed by the user. A draft request means that the user needs to fill in the vetting details and take the appropriate action (i.e. Create, Submit) against it.



The certificate is generated when a request is sent from the device (e.g. router, mobile device) using the Device ID as the CN (Common Name) and the challenge password, where required.

Device Settings


  1. Click Device Enrolment > Device Settings from the left menu.
  2. The SCEP URL and Challenge Type are shown.


Field

Description

SCEP URL

SCEP (Simple Certificate Enrolment Protocol) Server URL for certificate issuance.

Challenge Type

Challenge Type indicates the type of challenge password in use. The device supplies this password when sending its request to the SCEP (Simple Certificate Enrolment Protocol) server for certificate issuance. For the Fixed and Random challenge types, the SCEP server validates the challenge password before issuing the device certificate; for the None challenge type, the device request is not authenticated.

None: No challenge password is defined by the RA (Registration Authority) for this type.

Fixed: A fixed challenge password, defined by the RA (Registration Authority), is used for all device requests.

Random: A random challenge password is generated by the system for each request when the request is submitted.




The Device Settings shown here are the ones configured by the RAO in the Admin portal; see Configurations > Device Enrolment for details. In addition, the device enrolment profile must be configured in your Service Plan for the device enrolment section to appear on the user's portal.
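The three Challenge Types above (also referred to in the Create Device Enrolment Request steps) differ in how much a SCEP server can verify about a device's request. The following added example (not the product's own code) models the server-side check for each type; the class and method names and the request structure are assumptions for illustration, since a real SCEP server reads the password from the PKCS#10 challengePassword attribute.

```python
# Added example (not the product's own code): server-side handling of the
# challenge password under the three Challenge Types the page lists. Names and
# structure are assumptions for illustration.
import hmac
import secrets
from typing import Optional


class ChallengeVerifier:
    def __init__(self, challenge_type: str, fixed_password: Optional[str] = None):
        if challenge_type not in ("None", "Fixed", "Random"):
            raise ValueError(f"unsupported challenge type: {challenge_type}")
        if challenge_type == "Fixed" and not fixed_password:
            raise ValueError("Fixed challenge type needs an RA-defined password")
        self.challenge_type = challenge_type
        self._fixed = fixed_password
        self._random = {}  # device_id -> one-time password issued on request submission

    def issue_random(self, device_id: str) -> str:
        """Random type: generate a per-request password; it is shown in the request."""
        password = secrets.token_urlsafe(24)
        self._random[device_id] = password
        return password

    def verify(self, device_id: str, supplied: Optional[str]) -> bool:
        """Return True if the device's request (CN = device_id) may be issued."""
        if self.challenge_type == "None":
            return True  # no authentication of the request at all
        if supplied is None:
            return False
        if self.challenge_type == "Fixed":
            # One shared password for every device; compare in constant time.
            return hmac.compare_digest(self._fixed.encode(), supplied.encode())
        # Random: the password is bound to the Device ID the request was created
        # for and is consumed on the first attempt, right or wrong, so it cannot
        # be guessed by retrying.
        expected = self._random.pop(device_id, None)
        return expected is not None and hmac.compare_digest(expected.encode(), supplied.encode())
```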


Access Control Information


Certain rules apply when managing or viewing the certificate requests list and its related information. These rules depend on the user's type: Enterprise RAO, Admin RAO or Administrator.


Roles

Allowed Features

Enterprise RAO

  • A user registered by an enterprise RAO can only view the certification profiles meant for enterprise RAOs, i.e. profiles for which Admin RAO vetting is disabled in the service plan.
  • Security validations are applied for an enterprise RAO when creating a request from Certification Center, Virtual ID, Desktop Signing, Device Enrolment or SigningHub Integration.
  • All the above rules and validations also apply to the RESTful APIs.

Admin RAO

  • A user with the admin RAO role can view all profiles regardless of configuration.
  • Security validations are applied for an admin RAO when creating a request from Certification Center, Virtual ID, Desktop Signing, Device Enrolment or SigningHub Integration.
  • All the above rules and validations also apply to the RESTful APIs.

Administrators

  • Administrators can view or manage all certificate requests and their related information.