Pushing CA certificates on enterprise devices using 42Gears UEM

Digital certificates authenticate enterprise users and secure access to corporate email, Wi-Fi and other resources. SCEP (Simple Certificate Enrollment Protocol) is a convenient way to obtain digital certificates at scale and to streamline the endpoint authentication process. For this reason, most UEM systems integrate deeply with Certificate Authorities over SCEP, automating endpoint authorization and authentication before granting endpoints access to enterprise resources.

Pushing CA certificates on enterprise devices using 42Gears UEM - Flow

How does EMM integrate with the CA server over SCEP?

To push a certificate to a device, an MDM administrator applies a profile containing a SCEP certificate to the device. The MDM server then contacts the CA server to obtain an OTP (one-time password). The CA server first responds with an HTTP 401 (Unauthorized) code, and the MDM server answers by presenting its credentials to the CA server. If the credentials are correct, the CA server issues an OTP to the MDM server. The MDM server then creates an encrypted certificate request and sends it to the CA server together with the OTP. The CA server issues a certificate to the MDM server, which in turn applies it to the device.


Steps to integrate and push CA certificates from 42Gears UEM

1. Configure Certificate Management in Account Settings

To enable SCEP enrollment for devices, the admin logs in to the SureMDM Web Console, opens Account Settings and clicks Certificate Management:

Pushing CA certificates on enterprise devices using 42Gears UEM - Step 1

A screen similar to the one below will appear, with fields for the CA Server Address, Certificate Template, Certificate Renewal Period, Common Name Wildcard and Alternate Name Wildcard. Once the admin has filled in all of these fields, check Enable OTP and click Save.

Note: The fields above are configured by an admin on the AD server; once the CA server address has been entered, the MDM fetches them automatically while enrolling SCEP on devices.

2. Create a Profile and include certificate using SCEP

iOS/Android EMM profiles can be configured to include a SCEP certificate. For example, for iOS, go to Profiles, select iOS and select the Certificate profile. A prompt will appear; check the Create Certificate Using SCEP option.

Pushing CA certificates on enterprise devices using 42Gears UEM - Step 3

3. Use certificate for authenticating against enterprise resource

Once the SCEP certificate is included in your profile, you can use it for authentication against enterprise resources such as Wi-Fi, email, etc. For example, in the same profile created in step 2 above, go to the Wi-Fi tab, configure it and click Add. A window will prompt you to enter the SSID; select EAP/TLS as the Security Type, check the Certificate Based Authentication and Auto Join options, and save it.

Pushing CA certificates on enterprise devices using 42Gears UEM - Step 2

4. Push profile to devices

We can now save the profile above and apply it to any device enrolled in SureMDM. Once the profile is pushed to the device, 42Gears UEM queries the CA server over SCEP to obtain a certificate for that device, bundles it in its payload and pushes it to the device. The UEM agent on the device receives the payload, extracts the certificate and installs it on the device, making it available to other apps such as the email client or VPN client for authentication.

Pushing CA certificates on enterprise devices using 42Gears UEM - Step 4

5. Verify certificate on device

Once the profile is successfully deployed, you can see the EMM-installed certificates on the device under Settings > General > Device Management.

Once the device is secured with a SCEP certificate, if any certificate is lost or leaked the admin can revoke that particular certificate for that device without disturbing the other certificates and devices. This is the major advantage of per-employee certificates over a single gold certificate that works for all devices in the organization.

Pushing CA certificates on enterprise devices using 42Gears UEM - Step 5

6. Renew and Revoke certificates

To renew or revoke any certificate, go to Account Settings > Certificate Management > Get Managed Certificates. Here you can see a list of all the certificates issued by the CA server at the EMM's request. The admin can choose to either Revoke or Renew these certificates from here. SureMDM can also auto-renew certificates on expiration.
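The exchange described in the "How does EMM integrate with the CA server over SCEP?" section (401 challenge, credentials, OTP, certificate request with OTP) and the per-device revocation and renewal behaviour from steps 5 and 6 can be modelled in a few dozen lines. The following is an added example written for this page, not 42Gears code and not a SCEP implementation: it produces no real X.509 certificate or PKCS#7 envelope, and the class and function names (MockCAServer, mdm_enroll_device, needs_renewal) are assumptions. What it does show is the control flow a defender should expect from the integration: the OTP is only handed out after the MDM authenticates, it is single-use and time-limited, revoking one device's certificate leaves the others valid, and renewal is triggered by the configured renewal period rather than by expiry itself.

```python
"""Constructed model of the MDM <-> CA exchange over SCEP with OTP.

Only control flow is modelled: no X.509, no PKCS#7. Names are assumptions.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class IssuedCert:
    serial: int
    subject: str
    not_before: float
    not_after: float
    revoked: bool = False


class MockCAServer:
    """Stand-in for a SCEP-capable CA that requires an OTP (challenge) per request."""

    def __init__(self, mdm_user: str, mdm_password: str,
                 validity_days: int = 365, otp_ttl_seconds: int = 300):
        self._mdm_user = mdm_user
        self._mdm_password = mdm_password
        self._validity = validity_days * 86400
        self._otp_ttl = otp_ttl_seconds
        self._otps: Dict[str, float] = {}          # otp -> expiry timestamp
        self._certs: Dict[int, IssuedCert] = {}    # serial -> issued cert
        self._next_serial = 1

    def request_otp(self, credentials: Optional[Tuple[str, str]] = None):
        """Unauthenticated call -> 401; valid MDM credentials -> (200, otp)."""
        if credentials is None:
            return 401, None
        user, password = credentials
        # constant-time comparison so a wrong password does not leak by timing
        if not (hmac.compare_digest(user, self._mdm_user)
                and hmac.compare_digest(password, self._mdm_password)):
            return 401, None
        otp = secrets.token_hex(16)
        self._otps[otp] = time.time() + self._otp_ttl
        return 200, otp

    def enroll(self, csr_subject: str, otp: str):
        """Certificate request: accepted only with a live, not-yet-used OTP."""
        expiry = self._otps.pop(otp, None)   # pop makes the OTP single-use
        if expiry is None or time.time() > expiry:
            return 403, None
        now = time.time()
        cert = IssuedCert(self._next_serial, csr_subject, now, now + self._validity)
        self._certs[cert.serial] = cert
        self._next_serial += 1
        return 200, cert

    def revoke(self, serial: int) -> bool:
        """Revoke one certificate; every other issued certificate is untouched."""
        cert = self._certs.get(serial)
        if cert is None:
            return False
        cert.revoked = True
        return True

    def is_valid(self, serial: int, at: Optional[float] = None) -> bool:
        cert = self._certs.get(serial)
        at = time.time() if at is None else at
        return (cert is not None and not cert.revoked
                and cert.not_before <= at <= cert.not_after)


def mdm_enroll_device(ca: MockCAServer, credentials: Tuple[str, str],
                      device_name: str) -> Optional[IssuedCert]:
    """The UEM side: 401 -> credentials -> OTP -> request + OTP -> certificate."""
    status, _ = ca.request_otp()             # first contact, no credentials
    if status != 401:
        return None                          # unexpected: CA should challenge first
    status, otp = ca.request_otp(credentials)
    if status != 200:
        return None                          # bad MDM credentials, nothing issued
    status, cert = ca.enroll("CN=" + device_name, otp)
    return cert if status == 200 else None


def needs_renewal(cert: IssuedCert, renewal_period_days: int,
                  at: Optional[float] = None) -> bool:
    """True when the cert is inside the configured renewal window before expiry."""
    at = time.time() if at is None else at
    return not cert.revoked and cert.not_after - at <= renewal_period_days * 86400


if __name__ == "__main__":
    ca = MockCAServer("mdm-svc", "example-password")   # constructed credentials
    c1 = mdm_enroll_device(ca, ("mdm-svc", "example-password"), "device-001")
    c2 = mdm_enroll_device(ca, ("mdm-svc", "example-password"), "device-002")
    ca.revoke(c1.serial)
    print("device-001 valid:", ca.is_valid(c1.serial))   # False after revocation
    print("device-002 valid:", ca.is_valid(c2.serial))   # True, unaffected
```

Two points in the model are worth carrying over to a real deployment: the OTP is consumed on first use, so a captured OTP cannot be replayed to obtain a second certificate, and revocation is keyed by serial number, so the CA can invalidate a single device without touching the rest of the fleet.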

Pushing CA certificates on enterprise devices using 42Gears UEM - Step 6

In enterprises, employees are often allowed to bring their own devices to work. They access enterprise resources on these devices from anywhere, which can put corporate resources at risk. In addition to regular password-based authentication, enterprises should add the extra layer of security that certificate-based authentication provides. This gives IT admins greater control and flexibility.

With Certificate-Based Authentication (CBA), pushing certificates manually to many devices is time-consuming and laborious, so integrating and automating this workflow with a UEM solution saves IT admins a lot of effort and time. Organisations must ensure that the UEM solution they use integrates properly with certificate authority servers.


42Gears’ UEM solution supports integration with most CA servers over SCEP, allowing seamless deployment of certificates to enterprise devices.


If you are looking for a UEM solution that integrates well with CA certificates, try 42Gears’ UEM solution here.
