Understanding the automated certificate management feature

You can configure MVE to manage printer certificates automatically, and then install them to the printers through configuration enforcement. The following diagram describes the end-to-end process of the automated certificate management feature.

The certificate authority endpoints, such as the CA server and server address, must be defined in MVE.

The following CA servers are supported:

• OpenXPKI CA—For more information, see Managing certificates using OpenXPKI Certificate Authority.

• Microsoft CA Enterprise—Users can use either of the following protocols

  • Secure Certificate Encryption Protocol (SCEP)

  • Microsoft Certificate Enrollment Web Services (MSCEWS)

    Note: MSCEWS is the recommended way to connect to Microsoft CA Enterprise server.

For more information, see the following topics:

• Managing certificates using Microsoft Certificate Authority through SCEP

• Managing certificates using Microsoft Certificate Authority through MSCEWS

The connection between MVE and the CA servers must be validated. During validation, MVE communicates with the CA server to download the certificate chain and the Certificate Revocation List (CRL). The enrollment agent certificate or test certificate is also generated. This certificate enables the CA server to trust MVE.

For more information on defining the endpoints and validation, see Configuring MVE for automated certificate management.

A configuration that is set to Use Markvision to manage device certificates must be assigned and enforced to the printer.

For more information, see the following topics:

• Creating a configuration

• Enforcing configurations

During enforcement, MVE checks the printer for conformance.

For Default Device Certificate

• The certificate is validated against the certificate chain downloaded from the CA server.

• If the printer is out of conformance, a Certificate Signing Request (CSR) is raised for the printer.

For Named Device Certificate

• The certificate is validated against the certificate chain downloaded from the CA server.

• MVE creates a self-signed named device certificate on the device.

• If the printer is out of conformance, a CSR is raised for the printer.

Notes:

• MVE communicates with the CA server using supported protocol.
• The CA server generates the new certificate, and then MVE sends the certificate to the printer.
• If a named certificate exists in the printer, then a new named certificate is not created, but a CSR is raised for the printer.

Configuring MVE for automated certificate management

1. Click on the upper-right corner of the page.

2. Click Certificate Authority > Use Certificate Authority Server.

   Note: The Use Certificate Authority Server button appears only when configuring the certificate authority for the first time, or when the certificate is deleted.

3. Configure the server endpoints.

   • CA Server—The Certificate Authority (CA) server that generates the printer certificates. You can select either OpenXPKI CA or Microsoft CA Enterprise.

   • CA Server Address—The IP address or host name of your CA server. Include the full URL.

   • Challenge Password—Challenge Password is required to assert the identity of MVE to the CA server. This password is only required for OpenXPKI CA. It is not supported in Microsoft CA Enterprise.

   From the CA Server Protocol menu, if you select the MSCEWS protocol, you must configure the server authentication mode. From the CA Server Authentication Mode menu, select any of the following:

   • Username and Password Authentication

   • Client Certificate Authentication

   • Windows Integrated Authentication

   Note: Depending on your CA server, see Managing certificates using OpenXPKI Certificate Authority, Managing certificates using Microsoft Certificate Authority through SCEP, or Managing certificates using Microsoft Certificate Authority through MSCEWS.

4. Click Save Changes and Validate > OK.

   Note: The connection between MVE and the CA servers must be validated. During validation, MVE communicates with the CA server to download the certificate chain and the Certificate Revocation List (CRL). The enrollment agent certificate or test certificate is also generated. This certificate enables the CA server to trust MVE.

5. Navigate back to the System Configuration page, and then review the CA certificate.

   Note: You can also download or delete the CA certificate.

Overview

In the following deployment scenario, all permissions are based on permissions set on certificate templates that are published in the domain controller. The certificate requests sent to the CA are based on certificate templates.

For this setup, make sure that you have the following:

• A machine hosting the subordinate CA

• A machine hosting the NDES service

• A domain controller

Required users

Create the following users in the domain controller:

• Service Administrator

  • Named as SCEPAdmin

  • Must be a member of the local admin and Enterprise Admin groups

  • Must be logged locally when the installation of NDES role is triggered

  • Has Enroll permission for the certificate templates

  • Has Add template permission on CA

• Service Account

  • Named as SCEPSvc

  • Must be member of the local IIS_IUSRS group

  • Must be a domain user and has read and enroll permissions on the configured templates

  • Has request permission on CA

• Enterprise CA Administrator

  • Named as CAAdmin

  • Member of Enterprise Admin group

  • Must be a part of the local admin group