10 Apr Ready for Ivanti MDM? First Configure Your Ivanti CSA with an End-Entity Certificate
If you’re ready to tackle Ivanti MDM management, you’re first going to need an Ivanti Cloud Service Appliance (CSA) configured with a valid end-entity certificate.
And if you’re like me, you may find yourself somewhat stuck before you ever really get started. The first time I tried to configure my CSA with an end-entity certificate, I had a number of unanswered questions slowing me down.
- Do I need to do anything to the CSA prior to purchasing my end-entity certificate?
- Who should I purchase my end-entity certificate from?
- What type of SSL certificate do I need?
- Where do I fill out the Certificate Signing Request being asked for by my vendor, and for that matter, what is the correct information to provide within the CSR?
- What do I do with the CSR information?
- Once I receive my certificate(s) from my vendor, how do I properly apply them to the CSA?
Having gone through the process, I now have the answers to these questions and hope that this guide will give you the information you need to speedily prepare your CSA for MDM management.
Do I need to do anything to the CSA prior to purchasing my end-entity certificate?
Yes! There are four things you need to do prior to purchasing your SSL certificate. Start by logging into your CSA at https://fqdn/gsb or https://ip/gsb, ignoring any certificate errors (the appliance is still using its self-signed certificate at this point). Or, if using VMware, use the console to reach the login page.
The default login information is:
- User: admin
- Password: admin
Supply a new password if prompted.
- Define and set a public DNS name for your CSA and ensure a public IP address is mapped to that name. Your networking team may need to help you define these.
  - Set the CSA public name by going to the System menu tree, clicking on the Network Settings tab and supplying the correct information. Click Save when finished.
  - Map your public CSA name to the public IP in the System > Host names tab and click Save. Repeat for your internal name and IP if you have one.
  - Ensure you add the FQDN and public IP address to the Additional Host Names section of the Gateway Service menu item.
- Update the CSA to at least build 173. As of this writing, the CSA is on build 182, so this shouldn't be an issue for most of you.
  - Click on the System menu button, then click on the Updates tab and push the 'Scan for Updates' button. Hit Apply if a build number comes back. Reboot if needed.
- Change the server encryption digest algorithm to SHA-256.
  - From the Gateway Service menu, set the Server Encryption Digest Algorithm dropdown to SHA-256 and hit Save.
- Set the iOS DEP Service Port to 444.
  - Again on the Gateway Service menu, find iOS DEP Service Port and enter 444. Save.
Who should I purchase my end-entity certificate from?
Ivanti states that they've validated certificates from three vendors: DigiCert, Symantec/VeriSign and GoDaddy. If possible, purchase from one of them.
What type of SSL certificate do I need?
You need to purchase a certificate that allows you to secure a single common name, referred to as a single-name SSL certificate. Multi-domain certs or wildcard certs will not work.
I chose to purchase DigiCert's SSL Plus certificate option, which is their entry-level certificate. Symantec/VeriSign and GoDaddy have similar plans available as well.
Where do I fill out the Certificate Signing Request being asked for by my vendor, and for that matter, what is the correct information to provide within the CSR?
The CSR you’ll provide your vendor will be generated on the CSA itself.
- Log in again to your CSA, go to the Manage LDMG Certificates menu option and then select the Create CSR button.
Most of the information being requested is mandatory and some of the questions need to be answered in a standardized format, like the country name.
- If your headquarters is in the United States, use the code US. For other countries, use the two-letter ISO 3166 country code.
- State, City, Organization and Organizational Unit can be filled out as desired.
- The Common Name is critical. It must be the public DNS name you want to secure, the same public name you set for the CSA earlier. For example: csa.nine41consulting.com.
- The password and company name are optional. Ensure the digest hash is set to SHA256 and the key size is set to 2048 bits.
- Once you validate the information you provided, click Create.
What do I do with the CSR information?
You need to copy the resulting Base64-encoded text of the request and upload it through your SSL certificate vendor's website.
- You should still be on the Manage LDMG Certificates menu page. If not, go back to it and click on the Display link.
- Copy all of the text from the popup window, making sure you include the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.
- This last step will be different depending on your vendor. You may need to consult them on how they want you to provide the CSR information to them. For DigiCert, I was able to include the certificate signing request during the purchase process.
Once I receive my certificate(s) from my vendor, how do I properly apply them to the CSA?
Once your domain name has been validated by your certificate vendor, ideally you'll be able to download a single file with the whole chain built in. If you can download the certificate as a single file, do so and skip ahead to the fifth step below (removing the self-signed certificates).
Your certificate vendor may instead provide each certificate as an individual .crt file. You'll likely receive three or four: one certificate for your chosen domain name, one (maybe two) intermediate certificates, and a trusted root certificate. In that case you'll need to combine all of them, including the trusted root certificate, into a single file before you post the information to your Cloud Service Appliance.
- Open all of your .crt files with a text editor like TextWrangler or Notepad++. Do not use Microsoft Word or Apple Pages; word processors silently replace characters such as dashes and quotes, which corrupts the certificate text.
- Create a new file within your text editor.
- Copy all of the text from your domain name certificate and paste it into your new file.
- Repeat this process for the one or two intermediate certificates and your root certificate. In the end, you should have a file that looks similar to what I've pasted below, only you'll have a lot more text between the beginning and end certificate dashes.
- Go back to the Manage LDMG Certificates menu page and click on the Remove link for all of the self-signed certificates displayed. When finished, you should only have the CSR request.
- Reboot your CSA.
- Return to the Manage LDMG Certificates page. You’ll likely see two more self-signed certificates. Remove them as well.
- Click on the Add LDMG Certificates button and paste your entire certificate chain into the box and hit Save.
- Reboot your CSA a second time.
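The combined file the steps above describe, as an added example that is not part of the original post or of Ivanti's tooling: a small Python script that concatenates the individual .crt files in the order given (domain certificate, intermediate(s), root) and checks the result for the mistakes warned about above and in the CSR step (BEGIN/END lines mangled by a word processor, a stray certificate request block pasted in by mistake, a block cut off mid-copy). The certificate bodies are constructed placeholders rather than real certificates, and csa.example.com stands in for your public CSA name; the script checks only the PEM framing, not whether the certificates actually chain to each other.

```python
"""Assemble individual .crt files into a single PEM chain file and
sanity-check its framing before pasting it into the CSA.
Added example, not code from the original post or from Ivanti."""
import base64
import binascii
import re
from typing import List, Tuple

# One PEM block: BEGIN line, Base64 body, END line carrying the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

GARBLED_MSG = "BEGIN/END markers are garbled; re-copy with a plain text editor"


def parse_pem_blocks(text: str) -> List[Tuple[str, str]]:
    """Return (label, base64_body) for every well-formed PEM block in text."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        body = "".join(match.group(2).split())  # join the wrapped body lines
        blocks.append((match.group(1), body))
    return blocks


def check_chain_file(text: str) -> List[str]:
    """Return human-readable problems; an empty list means the file is ready.
    Only the PEM framing is checked, not the certificates' validity."""
    problems = []
    blocks = parse_pem_blocks(text)
    if not blocks:
        # A word processor that turns "-----" into long dashes leaves the
        # words BEGIN CERTIFICATE behind but breaks every block.
        if "BEGIN CERTIFICATE" in text and "-----BEGIN " not in text:
            problems.append(GARBLED_MSG)
        else:
            problems.append("no PEM blocks found")
    for index, (label, body) in enumerate(blocks, start=1):
        if label != "CERTIFICATE":
            # A stray CERTIFICATE REQUEST or PRIVATE KEY block does not belong here.
            problems.append(f"block {index} is a {label}, not a CERTIFICATE")
        try:
            base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"block {index} body is not valid Base64")
    if text.count("-----BEGIN ") != len(blocks) or text.count("-----END ") != len(blocks):
        problems.append("unbalanced BEGIN/END markers (a block was cut mid-copy)")
    return problems


def assemble_chain(ordered_crt_texts: List[str]) -> str:
    """Rebuild a clean chain file from .crt contents given in the order the
    post prescribes: domain certificate, intermediate(s), root.
    Every Base64 body is re-wrapped at 64 columns for uniform framing."""
    lines = []
    for crt_text in ordered_crt_texts:
        for label, body in parse_pem_blocks(crt_text):
            lines.append(f"-----BEGIN {label}-----")
            lines.extend(body[i:i + 64] for i in range(0, len(body), 64))
            lines.append(f"-----END {label}-----")
    return "\n".join(lines) + "\n"


def _constructed_crt(pretend_subject: str) -> str:
    """Constructed stand-in for a vendor .crt file. The body is Base64 of a
    plain string, NOT a real DER certificate; it only exercises the framing."""
    body = base64.b64encode(f"constructed DER for {pretend_subject}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# csa.example.com is a placeholder for the CSA's public DNS name.
LEAF = _constructed_crt("csa.example.com")
INTERMEDIATE = _constructed_crt("Example Intermediate CA")
ROOT = _constructed_crt("Example Root CA")


def build_example_chain() -> str:
    """Chain in the order to paste into Add LDMG Certificates:
    leaf, then intermediate, then root."""
    return assemble_chain([LEAF, INTERMEDIATE, ROOT])


if __name__ == "__main__":
    chain = build_example_chain()
    print(chain)
    print("clean chain problems:", check_chain_file(chain))
    # The same file after a word processor replaced the dashes.
    print("garbled chain problems:", check_chain_file(chain.replace("-----", "\u2014-")))
```

Run it against your real files by reading each .crt into a string and passing them to assemble_chain in leaf, intermediate, root order; an empty list from check_chain_file means the text is framed correctly and safe to paste into the Add LDMG Certificates box.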
And that’s it! You now have a secured CSA name and should no longer receive certificate errors when browsing to the https://fqdn/gsb page. Furthermore, you’ve implemented one of the prerequisite architecture steps for Ivanti MDM management – putting you one step closer to your desired goal.