McAfee Enterprise MVISION Cloud

Device Certificate Check and Multiple Certificate Authorities

MVISION Cloud allows you to confirm that a device used to access a sanctioned corporate solution, like Office 365 or Salesforce, is managed. It does so by requiring that a corporate-deployed certificate exists on the endpoint or in the application. The managed device certificate check is part of the SSO workflow that integrates with IdPs, like Okta or Ping, using SAML.

Some organizations have multiple Certificate Authorities. For example, one is part of their Mobile Device Management (MDM) solution and is used to deploy client certificates to supported corporate mobile devices. Another is Active Directory, where client certificates are automatically distributed to all devices that are joined to the domain.

Most MDM solutions can use Active Directory Certificate Services, but this isn't configured in all cases. Perhaps MDM was deployed first and there is no appetite to re-architect it to use Active Directory, or there is a requirement to maintain an air gap between the two solutions.

This might appear to pose a problem when configuring the device certificate check within MVISION Cloud, as it seems that only one Certificate Authority is supported.

The purpose of this article is to clarify this point: that is not the case, and multiple Certificate Authorities can indeed be used.

Step-by-step guide

To support the multiple Certificate Authorities use case, the file that is uploaded as the ‘Root Certificate’ simply needs to contain the root certificates of all certificate authorities. On a Mac, the easiest way to do this while making sure the format of the original files is preserved is to use the CLI command 'cat'.

It is also possible to copy the contents of the files and paste them into a new file. If you use this method, make sure to maintain the format of the file, specifically the EOL markers. Otherwise, the combined root CA file might not be usable.

  1. On your Mac, open a terminal window and change to the directory where the root certificates are held.
  2. Use the following command, replacing the file names as needed: cat root_ca1.pem root_ca2.pem > combined_root.pem
  3. Upload this file as the ‘Root Certificate’ and click ‘Save’.
  4. Test devices with client certificates that are signed by either of the certificate authorities.

The combined file has the following format:

-----BEGIN CERTIFICATE-----
MIIEGTCCAwGgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlTELMAkGA1UEBhMCR0Ix
.....{removed for brevity}.....
x8gNQki2QHEStX3s8c9qy9k4OyJQZNDoLkSRPyB7DTFihUkjx5WJFRjfd1SA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEFTCCAv2gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBkzELMAkGA1UEBhMCR0Ix
....{removed for brevity}.....
cE9ca3MKDEfi+Bs8jx+lL4ugEjXxHPi/UDWAfeHoLapIFD5O18RGJP6oWqrzkk3n
tNz3NCU0IbvrcO66iNff6bOVFtRpr/SZaeNGWrwIP4/Yn/kQhV//Xss=
-----END CERTIFICATE-----

Certificate Revocation List - CRL

The purpose of the Certificate Revocation List is to maintain a list of certificates, signed by the certificate authority, that are no longer valid and must not be trusted. For example, the device holding a certificate has been lost, or the certificate has been compromised.

Using much the same method as above, it is also possible to combine the Certificate Revocation Lists produced by the Certificate Authorities in use into a single file for this task.

But it seems that a CRL must be present for all certificate authorities used. If the CRL of only one certificate authority is uploaded, the certificates signed by the other certificate authority are rejected, even if valid.

The CRL is hosted on a customer-provisioned web server, and it is the customer's responsibility to maintain this service and make sure the CRL is kept up to date.

NOTE: You can force MVISION Cloud to retrieve the CRL file from the customer location by making a change in the certificate check section of the MVISION Cloud Cloud Security Manager. For example, upload the root certificate again and save it.

The combined CRL file has the following format:

-----BEGIN X509 CRL-----
MIICLjCCARYCAQEwDQYJKoZIhvcNAQEFBQAwgZUxCzAJBgNVBAYTAkdCMQ8wDQYD
....{removed for brevity}....
rVXdb9nfxXWxKSpHLVRACRTfcQjmXj6fdaBaZ7wOQggJRw==
-----END X509 CRL-----
-----BEGIN X509 CRL-----
MIICLDCCARQCAQEwDQYJKoZIhvcNAQEFBQAwgZMxCzAJBgNVBAYTAkdCMQ8wDQYD
....{removed for brevity}....
2cy6LmR43WVJvq4PM6i9LPDgYQXuxlABH/2kD8xsIw/KiyS3LxPNJUcfKApfKnas
x3X3t2JCiyDL7aH7NkcMT59t+RAgYJA1YkvAHrjvJgU=
-----END X509 CRL-----
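The two procedures above (combining the root certificates, and combining the CRLs) share one pitfall the article warns about: a source file without a final EOL, or with Windows CRLF endings, produces a bundle that fuses one END marker onto the next BEGIN marker and is then unusable. The script below is an added example, not McAfee's tooling or part of the original article; it wraps the 'cat' step in a small shell function that normalises line endings, and a check that counts the PEM blocks and refuses a fused or CRLF-laden bundle before it is uploaded. The sample files it builds are constructed placeholders with truncated base64 bodies, not real CA material.

```shell
#!/bin/sh
# Added example: build combined root CA and CRL bundles and verify their format.
# combine_pem OUT IN...: concatenate PEM files into OUT, stripping CR bytes
# (Windows line endings) and guaranteeing a newline after each file so that the
# END marker of one file never fuses with the BEGIN marker of the next.
combine_pem() {
  out="$1"; shift
  : > "$out"
  for f in "$@"; do
    # the extra printf '\n' may create a blank line when the file already ended
    # with one; sed drops blank lines, which never occur inside a PEM block.
    { tr -d '\r' < "$f"; printf '\n'; } | sed '/^[[:space:]]*$/d' >> "$out"
  done
}

# check_bundle FILE LABEL: print the number of LABEL blocks (CERTIFICATE or
# "X509 CRL") in FILE. Fails if END/BEGIN markers are fused on one line, if any
# CR byte survives, or if BEGIN and END markers do not pair up.
check_bundle() {
  file="$1"; label="$2"
  if grep -q -- '-----END .*-----BEGIN' "$file"; then
    echo "$file: END/BEGIN markers fused on one line (missing EOL)" >&2; return 1
  fi
  if [ $(tr -cd '\r' < "$file" | wc -c) -ne 0 ]; then
    echo "$file: CRLF line endings present" >&2; return 1
  fi
  begins=$(grep -c -- "^-----BEGIN ${label}-----\$" "$file" || true)
  ends=$(grep -c -- "^-----END ${label}-----\$" "$file" || true)
  if [ "$begins" -ne "$ends" ] || [ "$begins" -eq 0 ]; then
    echo "$file: $begins BEGIN vs $ends END markers for '$label'" >&2; return 1
  fi
  echo "$begins"
}

# --- constructed sample input (placeholder bodies, not real certificates) ---
WORK=$(mktemp -d)
# root_ca1.pem deliberately lacks a trailing newline; root_ca2.pem uses CRLF.
printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' \
  'MIIEGTCCAwGgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlTELMAkGA1UEBhMCR0Ix' \
  '-----END CERTIFICATE-----' > "$WORK/root_ca1.pem"
printf '%s\r\n%s\r\n%s\r\n' '-----BEGIN CERTIFICATE-----' \
  'MIIEFTCCAv2gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBkzELMAkGA1UEBhMCR0Ix' \
  '-----END CERTIFICATE-----' > "$WORK/root_ca2.pem"
printf '%s\n%s\n%s\n' '-----BEGIN X509 CRL-----' \
  'MIICLjCCARYCAQEwDQYJKoZIhvcNAQEFBQAwgZUxCzAJBgNVBAYTAkdCMQ8wDQYD' \
  '-----END X509 CRL-----' > "$WORK/crl1.pem"
printf '%s\n%s\n%s' '-----BEGIN X509 CRL-----' \
  'MIICLDCCARQCAQEwDQYJKoZIhvcNAQEFBQAwgZMxCzAJBgNVBAYTAkdCMQ8wDQYD' \
  '-----END X509 CRL-----' > "$WORK/crl2.pem"

# A plain cat, as in the article, fuses the markers when root_ca1.pem has no
# final EOL; the check catches that before the file is uploaded.
cat "$WORK/root_ca1.pem" "$WORK/root_ca2.pem" > "$WORK/naive_root.pem"
check_bundle "$WORK/naive_root.pem" CERTIFICATE || echo "naive bundle rejected" >&2

combine_pem "$WORK/combined_root.pem" "$WORK/root_ca1.pem" "$WORK/root_ca2.pem"
combine_pem "$WORK/combined_crl.pem" "$WORK/crl1.pem" "$WORK/crl2.pem"
echo "root CAs in bundle: $(check_bundle "$WORK/combined_root.pem" CERTIFICATE)"
echo "CRLs in bundle:     $(check_bundle "$WORK/combined_crl.pem" 'X509 CRL')"
```

Run the check on the real combined_root.pem and combined CRL file before uploading them: a count of 2 (or however many CAs are in use) with no errors is what you want to see, and a fused-marker or CRLF error means the file needs to be rebuilt rather than uploaded.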

An example of a finished configuration is shown in the screenshot below (image not reproduced in this text version).
