McAfee MVISION Cloud

Device Certificate Check and Multiple Certificate Authorities

Introduction

MVISION Cloud provides functionality that allows an organisation to confirm that the device a user is using to access a sanctioned corporate solution, such as Office 365 or Salesforce, is a managed device, by requiring that a corporate-deployed certificate exists on the endpoint or in the application.

The managed device certificate check is part of the SSO workflow that integrates with IdPs such as Okta, Ping, etc. using SAML.

Some organisations have multiple Certificate Authorities, for example one created as part of their Mobile Device Management (MDM) solution and used to deploy client certificates to supported corporate mobile OS devices, and another using, say, Active Directory, where client certificates are automatically distributed to all devices that are joined to the domain.

It is possible for most MDM solutions, and maybe all, to use Active Directory for certificate services. However, this isn't configured in all cases, for instance where MDM was deployed first and there is no appetite to re-architect around Active Directory, or where there is a requirement to maintain an air gap between the two solutions.

This may appear to pose a problem when configuring the device certificate check within MVISION Cloud, as it would seem that only one Certificate Authority is supported.

The purpose of this article is to clarify this point: that is not the case, and multiple Certificate Authorities can indeed be used.

Step-by-step guide

To support the multiple Certificate Authorities use case, the file that is uploaded as the 'Root Certificate' simply needs to contain the root certificates of all the certificate authorities. On an Apple Mac, the easiest way to do this while ensuring the format of the original files is preserved is to use the CLI command 'cat'.

It is also possible to copy the contents of the files and paste them into a new file. If you use this method, please ensure the format of the file, specifically the EOL markers, is maintained, or the combined root CA file may not be usable.

  1. On your Apple Mac, open a terminal window and change to the directory where the root certificates are held.
  2. Use the following command, replacing the file names as required: cat root_ca1.pem root_ca2.pem > combined_root.pem
  3. Upload this file as the 'Root Certificate' and 'Save'.
  4. Test devices with client certificates that have been signed by either of the certificate authorities.

The output file will have the following format:

-----BEGIN CERTIFICATE-----
MIIEGTCCAwGgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlTELMAkGA1UEBhMCR0Ix
.....{removed for brevity}.....
x8gNQki2QHEStX3s8c9qy9k4OyJQZNDoLkSRPyB7DTFihUkjx5WJFRjfd1SA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEFTCCAv2gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBkzELMAkGA1UEBhMCR0Ix
....{removed for brevity}.....
cE9ca3MKDEfi+Bs8jx+lL4ugEjXxHPi/UDWAfeHoLapIFD5O18RGJP6oWqrzkk3n
tNz3NCU0IbvrcO66iNff6bOVFtRpr/SZaeNGWrwIP4/Yn/kQhV//Xss=
-----END CERTIFICATE-----

Certificate Revocation List - CRL

The purpose of the Certificate Revocation List, much as the name suggests, is to maintain a list of certificates signed by the certificate authority that are no longer valid and should not be trusted, for example where the device holding a certificate is lost or the certificate is compromised.

Using much the same method as above, it is also possible to use the Certificate Revocation Lists produced by all of the Certificate Authorities in use for this task.

However, it seems, at least in my testing, that a CRL must be present for all certificate authorities used. If only one certificate authority's CRL is used, then the certificates signed by the other certificate authority will be rejected even if valid.

Please note that the CRL will be hosted on a customer-provisioned web server, and it is the customer's responsibility to maintain this service and ensure the CRL is kept up to date.

Informational note: you can force MVISION Cloud to retrieve the CRL file from the customer location at any time by making a change in the certificate check section of the MVISION Cloud Cloud Security Manager, for example by uploading the root certificate again and 'saving' it.

The output of the combined CRL file will have the following format:

-----BEGIN X509 CRL-----
MIICLjCCARYCAQEwDQYJKoZIhvcNAQEFBQAwgZUxCzAJBgNVBAYTAkdCMQ8wDQYD
....{removed for brevity}....
rVXdb9nfxXWxKSpHLVRACRTfcQjmXj6fdaBaZ7wOQggJRw==
-----END X509 CRL-----
-----BEGIN X509 CRL-----
MIICLDCCARQCAQEwDQYJKoZIhvcNAQEFBQAwgZMxCzAJBgNVBAYTAkdCMQ8wDQYD
....{removed for brevity}....
2cy6LmR43WVJvq4PM6i9LPDgYQXuxlABH/2kD8xsIw/KiyS3LxPNJUcfKApfKnas
x3X3t2JCiyDL7aH7NkcMT59t+RAgYJA1YkvAHrjvJgU=
-----END X509 CRL-----
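As an added check that is not part of this McAfee article, the following Python script (standard library only) inspects a combined root-CA file and a combined CRL file before they are uploaded: it normalises line endings as the copy/paste caveat above requires, confirms every block is well-formed base64 with matching BEGIN/END labels, and flags the case described in the CRL section where fewer CRLs than root CAs are present. The PEM bodies it builds are constructed placeholders, not real certificates or CRLs.

```python
"""Pre-upload check for a combined root-CA file and combined CRL file."""
import base64
import binascii
import re

PEM_RE = re.compile(  # a block counts only if BEGIN and END labels match
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\n(?P<body>.*?)\n-----END (?P=label)-----", re.DOTALL)

def normalise_eol(text: str) -> str:
    """Map CRLF/CR to LF and strip trailing blanks: copy/paste damages EOL
    markers, and the combined file then fails to load."""
    lines = text.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    return "\n".join(line.rstrip() for line in lines)

def split_pem_blocks(text: str) -> list:
    """Return (label, der_bytes) per block; raise on malformed input."""
    clean, blocks = normalise_eol(text), []
    for m in PEM_RE.finditer(clean):
        try:
            der = base64.b64decode("".join(m.group("body").split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"bad base64 in {m.group('label')} block: {exc}")
        blocks.append((m.group("label"), der))
    if clean.count("-----BEGIN ") != len(blocks):
        raise ValueError("unterminated or mismatched BEGIN/END block")
    return blocks

def check_bundle(root_pem: str, crl_pem: str) -> dict:
    """Count roots and CRLs; a CA without a CRL gets its certificates rejected."""
    roots, crls = split_pem_blocks(root_pem), split_pem_blocks(crl_pem)
    problems = [f"root file holds a {lab} block" for lab, _ in roots if lab != "CERTIFICATE"]
    problems += [f"CRL file holds a {lab} block" for lab, _ in crls if lab != "X509 CRL"]
    if crls and len(crls) < len(roots):
        problems.append(f"{len(crls)} CRL(s) for {len(roots)} root CA(s)")
    return {"root_cas": len(roots), "crls": len(crls), "problems": problems}

def _pem(label: str, payload: bytes, eol: str = "\n") -> str:
    """Build a placeholder PEM block for the demo (payload is NOT real DER)."""
    b64 = base64.b64encode(payload).decode()
    lines = [f"-----BEGIN {label}-----"] + [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return eol.join(lines + [f"-----END {label}-----"]) + eol

# Constructed inputs: the second root was pasted with Windows line endings.
ROOT_BUNDLE = (_pem("CERTIFICATE", b"placeholder MDM root CA, not real DER")
               + _pem("CERTIFICATE", b"placeholder AD CS root CA, not real DER", "\r\n"))
CRL_ONE = _pem("X509 CRL", b"placeholder CRL for the MDM CA, not real DER")
CRL_BOTH = CRL_ONE + _pem("X509 CRL", b"placeholder CRL for the AD CS CA, not real DER")
```

The script does not parse the DER, so it cannot confirm that each CRL was issued by one of the bundled CAs; openssl crl -in combined_crl.pem -noout -issuer can be used for that.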

[Screenshot: an example finished configuration]