Pre-configuration tasks for implementing certificate enrollment
Depending on your network topology and environment, you may need to perform some or all of the following tasks for the servers that the gateway depends on for certificate enrollment:
Add gateway users to a directory service
If you are not using the gateway's built-in database ("local") to store the credentials for gateway users, then you must specify an external directory service that contains these user credentials. The gateway supports several authentication services. For details about configuring the gateway for each service, see Setting up authentication providers.
Retrieve a challenge password
If you are using a certificate enrollment server such as Entrust Authority Enrollment Server for VPN or Microsoft NDES, the challenge password configured on the gateway must match the challenge password configured on the certificate enrollment server; otherwise, authentication between the gateway and the certificate enrollment server fails. For details about setting the challenge password, see Setting up the gateway for Microsoft NDES.
For single-password mode: Retrieve the password from the MS SCEP administrator web page and set the challenge password in the request template parameters on the gateway. The gateway uses this challenge password in two places: when it authenticates itself to the certificate enrollment server, and in the Certificate Signing Request template that you configure for the gateway. Single-password mode can be used with NDES, Entrust, or any SCEP server type.
For one-time-rotating password mode: Configure the one-time-password parameters to point to the MS SCEP administrator web page; the gateway then queries that page for a fresh password on each enrollment. See the instructions for setting up rotating challenge passwords in Setting up the gateway for Microsoft NDES.
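The following is an added illustration, not the gateway's own code, of the two challenge-password modes described above and of the match check the enrollment server performs. The admin-page markup, the regex that extracts the password from it, and the sample HTML are all constructed assumptions.

```python
"""SCEP challenge-password sourcing: single-password vs. one-time-rotating mode."""
import hmac
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Assumed markup: the NDES admin page prints the one-time password inside <B>...</B>.
PASSWORD_RE = re.compile(r"challenge password is:?\s*<B>\s*([0-9A-F]{8,})\s*</B>",
                         re.IGNORECASE | re.DOTALL)


def parse_ndes_admin_page(html: str) -> Optional[str]:
    """Return the challenge password found on an admin page, or None if absent."""
    m = PASSWORD_RE.search(html)
    return m.group(1).upper() if m else None


@dataclass
class ChallengePasswordSource:
    """Supplies the challenge password the gateway places in each enrollment request."""
    mode: str                                              # "single" or "rotating"
    static_password: Optional[str] = None                  # used in single-password mode
    fetch_admin_page: Optional[Callable[[], str]] = None   # used in rotating mode
    issued: List[str] = field(default_factory=list)        # one-time passwords already used

    def next_password(self) -> str:
        if self.mode == "single":
            if not self.static_password:
                raise ValueError("single-password mode requires a static password")
            return self.static_password
        if self.mode == "rotating":
            if self.fetch_admin_page is None:
                raise ValueError("rotating mode requires an admin-page fetcher")
            pw = parse_ndes_admin_page(self.fetch_admin_page())
            if pw is None:
                raise RuntimeError("no challenge password found on the admin page")
            if pw in self.issued:   # a one-time password must never be reused
                raise RuntimeError("admin page returned an already-used password")
            self.issued.append(pw)
            return pw
        raise ValueError(f"unknown mode {self.mode!r}")


def passwords_match(server_password: str, request_password: str) -> bool:
    """Enrollment-server side check; a mismatch is why enrollment fails."""
    return hmac.compare_digest(server_password.encode(), request_password.encode())


# Constructed sample of an admin page response (assumption, not real NDES output).
SAMPLE_ADMIN_PAGE = """<HTML><BODY><P>Your enrollment challenge password is:
<B>  0A1B2C3D4E5F6071 </B></P><P>This password can be used only once.</P></BODY></HTML>"""
```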
If you require that your mobile device users enter a PIN to complete certificate enrollment, then you must use an email server and create an administrator email account, which the gateway uses to send the certificate enrollment PIN to a mobile device user. The device user enters the PIN to complete certificate enrollment. Later, you will configure the gateway so it can connect to the email server and send the PIN to the device user. For details about configuring the enrollment PIN, see Configuring certificate enrollment for the gateway.