Advice to obtain Public Cert for Onboarding iOS Devices
I wanted to know if certain third-party / public certs work better than others to onboard iOS devices: Verisign, GoDaddy, etc.
I know I can go by this list: http://support.apple.com/kb/ht5012 but just wanted to see what others have experienced.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Aruba

Re: Advice to obtain Public Cert for Onboarding iOS Devices

I have to stay neutral on this but a quick note. :)

If you are using a CPPM that is running any version before 6.3, you will need to make sure the Root CA you choose supports adding the OID (id-kp-eapOverLAN) to the certificate for the CPPM server cert.

Windows decided to change the requirements as of 8.1. :(

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.

Re: Advice to obtain Public Cert for Onboarding iOS Devices

Thanks Troy, will definitely keep that in mind.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Regular Contributor I

Re: Advice to obtain Public Cert for Onboarding iOS Devices

I have a Root CA signed server cert that was created from a CSR made in CPPM 6.3.1.

It does not include the extension to support Windows 8.1.

This seems to be an oversight.


--
ACMA ACMP
Guru Elite

Re: Advice to obtain Public Cert for Onboarding iOS Devices

It has nothing to do with the CSR. It is dependent on the signing CA.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I

Re: Advice to obtain Public Cert for Onboarding iOS Devices

My experience with certs is that you request extensions in the CSR. The CA doesn't change your certificate request; it just signs it.

If you look at a CSR with openssl you can see what extensions have been requested.

So is that incorrect for this extension?
--
ACMA ACMP
Aruba

Re: Advice to obtain Public Cert for Onboarding iOS Devices

The problem is if we require that attribute then it severely limits who the customer can get a certificate from. It is only Windows 8.0> devices that have this requirement.

This way the customer just needs to request that the attribute be included by the signing CA, or not allow 8.1 devices to be onboarded. Most security-concerned customers will not want to have a public CA sign the RADIUS certificate, only the HTTPS. That is why as of 6.3 you can have two separate certificates, and we add ID-KP in our built-in PKI that you can use to sign the RADIUS certificate.

Thank You,
Troy

Regular Contributor I

Re: Advice to obtain Public Cert for Onboarding iOS Devices

Ah that limitation makes sense.
The trouble is that creating the server certs with OnBoard does not seem to be a universal solution. If all your devices are onboarded it's fine since they will have the onboard CA installed. But if you have non-onboarded services your HTTPS/RADIUS certs will be signed by an unknown intermediate CA and will fail cert validation on the client.

In my understanding so far I think there are two solutions:

1) buy separate Root-CA signed certs for OnBoard and server certs using the inbuilt CSR mechanism for both

2) create a custom CSR using openssl that includes both the Win8.1 ext and the CA ext, install the root CA signed cert in both PM and OB
--
ACMA ACMP
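The two CSR-related points raised in this thread, looking at a CSR with openssl to see which extensions were requested, and building a custom CSR that asks for the Windows 8.1 extension (solution 2 above), worked as an added example. This is not code from the thread, from Aruba or from ClearPass: it is a POSIX shell script that builds a CSR requesting serverAuth plus id-kp-eapOverLAN (OID 1.3.6.1.5.5.7.3.14, RFC 4334), inspects the CSR for that EKU, and then signs the same CSR with a throwaway local test CA twice, once with no CA-side extensions and once with the CA adding the EKU itself, so you can check both the request and the issued certificate. The hostname radius.example.com, the test CA name and the working directory are constructed placeholders; the script assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the openssl CLI is on PATH.
set -e

# id-kp-eapOverLAN, the EKU value discussed in the thread (RFC 4334).
EAP_OVER_LAN_OID="1.3.6.1.5.5.7.3.14"
WORK=$(mktemp -d)   # constructed scratch directory

# Build a key pair and a CSR that *requests* serverAuth + id-kp-eapOverLAN.
# $1 = file prefix, $2 = server hostname (constructed sample value).
# Prints the CSR path.
make_csr() {
    cat > "$WORK/$1.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req
[ dn ]
CN = $2
[ v3_req ]
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, $EAP_OVER_LAN_OID
subjectAltName   = DNS:$2
EOF
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
        -config "$WORK/$1.cnf" 2>/dev/null
    echo "$WORK/$1.csr"
}

# Return 0 if the CSR's "Requested Extensions" list the EAP-over-LAN EKU.
# OpenSSL prints the OID as "EAP over LAN" when it knows the name, otherwise dotted.
csr_requests_eap_over_lan() {
    openssl req -in "$1" -noout -text | grep -Eq "EAP over LAN|$EAP_OVER_LAN_OID"
}

# The same check on an issued certificate.
cert_has_eap_over_lan() {
    openssl x509 -in "$1" -noout -text | grep -Eq "EAP over LAN|$EAP_OVER_LAN_OID"
}

# Throwaway self-signed test CA (constructed; stands in for whichever CA signs).
make_test_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Sign a CSR. $1 = CSR, $2 = output cert, $3 = "with-eku" to have the CA add
# the EKU itself, anything else to sign with no CA-side extensions.
# "openssl x509 -req" does not copy CSR extensions unless told to, which models
# a CA whose policy ignores what the requester asked for.
sign_csr() {
    if [ "$3" = "with-eku" ]; then
        printf 'extendedKeyUsage = serverAuth, %s\n' "$EAP_OVER_LAN_OID" > "$WORK/ca_ext.cnf"
        openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
            -CAcreateserial -days 1 -out "$2" -extfile "$WORK/ca_ext.cnf" 2>/dev/null
    else
        openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
            -CAcreateserial -days 1 -out "$2" 2>/dev/null
    fi
}

demo() {
    csr=$(make_csr radius radius.example.com)
    make_test_ca
    sign_csr "$csr" "$WORK/radius-plain.crt" none
    sign_csr "$csr" "$WORK/radius-eku.crt" with-eku
    csr_requests_eap_over_lan "$csr" && echo "CSR requests id-kp-eapOverLAN"
    cert_has_eap_over_lan "$WORK/radius-plain.crt" || echo "signed without CA-side EKU: extension missing from cert"
    cert_has_eap_over_lan "$WORK/radius-eku.crt" && echo "signed with CA-side EKU: extension present in cert"
}
demo
```

Run the script as-is; it prints which of the three artifacts carry the EKU. The practical takeaway for either side of the CSR-versus-CA question is to run the `openssl x509 -noout -text` check on the certificate the CA actually returns before installing it on the RADIUS side, because the CSR only records what was asked for.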
Guru Elite

Re: Advice to obtain Public Cert for Onboarding iOS Devices

The other solution would be to use a supplicant configuration utility/wizard like QuickConnect to install the CA and configure the client appropriately.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I

Re: Advice to obtain Public Cert for Onboarding iOS Devices

Fine for staff, but won't work in one of our use cases which is free public wifi.

For clarity can you respond about the CSR requiring the extension or not?


--
ACMA ACMP