Setting up certificate enrollment with the gateway
The Blue Cedar Connect Gateway provides certificate enrollment: users of Blue Cedar-protected apps enroll with the gateway, which obtains client certificates for them from the enterprise Certificate Authority.
This section explains how the gateway's certificate enrollment process works, how to configure an app for the gateway, and how to implement certificate enrollment.
Prerequisites for certificate enrollment
Before you configure the gateway for certificate enrollment, you must meet these requirements:
- A Secure Microtunnel profile exists for the gateway and has been applied to the mobile apps that connect to the gateway. This Secure Microtunnel profile must be configured to use:
  - The gateway as its VPN server
  - The gateway for certificate enrollment
  - Hybrid RSA mode as the app's authentication method to the gateway. (See "Configuring IKEv2 Phase 1 and Phase 2 tunnels" in Configuring IPsec using IKEv2 protocol.)
  After you secure the app with the Blue Cedar Secure Microtunnel profile, deploy the secured app to the mobile device through an MDM, an app store, or some other mechanism. For details about creating a Secure Microtunnel profile, see the Blue Cedar platform documentation.
- The end user has valid credentials, either as a local user (a username and password) or through an authentication provider such as Active Directory, LDAP, RADIUS, OAuth, or web authentication. To configure a local user's credentials for the gateway, see Configuring an AAA local user. To configure an authentication provider, see Setting up authentication providers.
- The Certificate Authority (CA) deployed in the enterprise is one of these servers:
  - A SCEP server from Entrust, or a Microsoft Certificate Authority (whose SCEP service is NDES).
  - An Enrollment over Secure Transport (EST) server implementing RFC 7030.
  (Optional) If you are using Microsoft Network Device Enrollment Service (NDES) to obtain client certificates, there are additional configuration steps to integrate NDES with the gateway's certificate enrollment. For the details and procedures, see Setting up the gateway for Microsoft NDES.
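Before pointing the gateway at the CA, it is worth confirming that the CA actually speaks the protocol you configured, because an enrollment failure surfaces in the app as a generic connection error and is hard to attribute. The following Python script is an added example, not Blue Cedar code and not a description of the gateway's internal enrollment logic. It builds the standard discovery requests for both supported protocols (the SCEP `GetCACaps` query from RFC 8894, the EST `/cacerts` path from RFC 7030), parses the answers, and flags a SCEP CA that does not offer SHA-256 or POST-based PKIOperation. The host names, the NDES default path and the set of "required" SCEP capabilities are assumptions for the example; the gateway documentation does not state which capabilities it needs. The sample responses are constructed inline so the script runs offline.

```python
"""Pre-flight checks for a SCEP or EST certificate authority.

Added example (not Blue Cedar code). Assumptions: SCEP URL layout per
RFC 8894 (GetCACaps over HTTP GET), EST layout per RFC 7030
(/.well-known/est/cacerts), and the REQUIRED_SCEP_CAPS below as a
sensible minimum for a modern deployment, not a gateway requirement.
"""
import base64
import re
import urllib.parse
import urllib.request
from typing import Optional

# SCEP capabilities to insist on: PKIOperation via POST (the GET form is
# URL-length limited) and SHA-256, so the request cannot be downgraded to
# SHA-1/DES. These are assumed minimums, not values from the documentation.
REQUIRED_SCEP_CAPS = {"POSTPKIOperation", "SHA-256"}

# Common SCEP endpoint paths: the RFC 8894 example path and the NDES default.
SCEP_PATHS = {
    "rfc8894": "/cgi-bin/pkiclient.exe",
    "ndes": "/certsrv/mscep/mscep.dll",
}

# DER encoding of id-signedData, 1.2.840.113549.1.7.2 (RFC 5652).
_SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")


def scep_get_ca_caps_url(base_url: str, ca_ident: Optional[str] = None) -> str:
    """Build the GetCACaps request URL (RFC 8894 section 3.5.1)."""
    query = {"operation": "GetCACaps"}
    if ca_ident:
        query["message"] = ca_ident
    return f"{base_url}?{urllib.parse.urlencode(query)}"


def est_cacerts_url(host: str, label: Optional[str] = None, port: int = 443) -> str:
    """Build the EST /cacerts URL (RFC 7030 section 4.1); EST is always over TLS."""
    prefix = f"/.well-known/est/{label}" if label else "/.well-known/est"
    return f"https://{host}:{port}{prefix}/cacerts"


def parse_scep_caps(text: str) -> set:
    """GetCACaps answers with one capability keyword per line, plain text."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def missing_scep_caps(text: str) -> set:
    """Return the required SCEP capabilities the CA did not advertise."""
    return REQUIRED_SCEP_CAPS - parse_scep_caps(text)


def _der_length(buf: bytes) -> tuple:
    """Return (content_length, header_size) of the DER TLV starting at buf[0]."""
    first = buf[1]
    if first < 0x80:
        return first, 2
    n = first & 0x7F
    return int.from_bytes(buf[2:2 + n], "big"), 2 + n


def parse_est_cacerts(content_type: str, body: bytes) -> bytes:
    """Validate an EST /cacerts response and return the DER CMS blob.

    RFC 7030 section 4.1.3: Content-Type application/pkcs7-mime, body is
    base64 of a certs-only CMS SignedData. This checks framing only; it
    does not verify certificates or signatures.
    """
    if not content_type.lower().startswith("application/pkcs7-mime"):
        raise ValueError(f"unexpected Content-Type {content_type!r}")
    der = base64.b64decode(re.sub(rb"\s+", b"", body), validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("CMS blob is not a DER SEQUENCE")
    length, header = _der_length(der)
    if header + length != len(der):
        raise ValueError("DER length does not match body length")
    if _SIGNED_DATA_OID not in der:
        raise ValueError("no id-signedData OID: not a CMS SignedData")
    return der


def fetch(url: str, timeout: float = 10.0) -> tuple:
    """Live probe returning (Content-Type, body); unused by the offline sample."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.headers.get("Content-Type", ""), resp.read()


# Constructed sample responses (not captured from a real CA).
SAMPLE_SCEP_CAPS = "AES\nPOSTPKIOperation\nRenewal\nSHA-256\nSCEPStandard\n"
SAMPLE_WEAK_SCEP_CAPS = "DES3\nSHA-1\nPOSTPKIOperation\n"
# Minimal DER SEQUENCE holding only the id-signedData OID; a real response
# carries whole certificates. encodebytes adds the line wrapping EST uses.
SAMPLE_EST_BODY = base64.encodebytes(b"\x30\x0b\x06\x09" + _SIGNED_DATA_OID)

if __name__ == "__main__":
    print(scep_get_ca_caps_url("https://ca.example.test" + SCEP_PATHS["ndes"]))
    print("weak CA is missing:", missing_scep_caps(SAMPLE_WEAK_SCEP_CAPS))
    print(est_cacerts_url("ca.example.test", label="gateway"))
    print(parse_est_cacerts("application/pkcs7-mime", SAMPLE_EST_BODY).hex())
```

For a live check, pass the output of `fetch()` into `missing_scep_caps` or `parse_est_cacerts`; an empty set from the former and a returned DER blob from the latter mean the CA is reachable and answering in the expected protocol, which is the state the gateway configuration assumes.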