You can configure MVE to manage printer certificates automatically, and then install them to the printers through configuration enforcement. The following diagram describes the end-to-end process of the automated certificate management feature.
The certificate authority endpoints, such as the CA server and server address, must be defined in MVE.
The following CA servers are supported:
OpenXPKI CA — Users can use either of the following protocols:
  Simple Certificate Enrollment Protocol (SCEP)
  EST Connector
Microsoft CA Enterprise — Users can use either of the following protocols:
  Simple Certificate Enrollment Protocol (SCEP)
  Microsoft Certificate Enrollment Web Services (MSCEWS)
The connection between MVE and the CA servers must be validated. During validation, MVE communicates with the CA server to download the certificate chain and the Certificate Revocation List (CRL). The enrollment agent certificate or test certificate is also generated. This certificate enables the CA server to trust MVE.
For more information on defining the endpoints and validation, see Configuring MVE for automated certificate management.
A configuration that is set to Use Markvision to manage device certificates must be assigned to the printer and enforced.
During enforcement, MVE checks the printer for conformance.
For the default device certificate:
  The certificate is validated against the certificate chain downloaded from the CA server.
  If the printer is out of conformance, a Certificate Signing Request (CSR) is raised for the printer.
For a named device certificate:
  The certificate is validated against the certificate chain downloaded from the CA server.
  MVE creates a self-signed named device certificate on the device.
  If the printer is out of conformance, a CSR is raised for the printer.
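The conformance check just described, as an added example that is not MVE's code: a constructed CA, device certificate and CRL (standing in for the chain and CRL that MVE downloads during validation) are built with the Python cryptography library, the device certificate is checked against them, and a CSR is raised when the check fails. The names, serial numbers and the fixed clock are constructed values.

```python
# Added example, not MVE's code: a model of the conformance check above.
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = dt.datetime(2024, 6, 1)  # fixed naive-UTC clock so the run is repeatable
def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _cert(subject, issuer, pub, serial, days):
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer).public_key(pub)
            .serial_number(serial).not_valid_before(NOW - dt.timedelta(days=1))
            .not_valid_after(NOW + dt.timedelta(days=days)))

def make_ca(cn="Demo Issuing CA"):  # constructed CA; stands in for the downloaded chain
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (_cert(_name(cn), _name(cn), key.public_key(), 1, 3650)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue(ca_key, ca_cert, cn, serial, days=365):  # device certificate issued by the CA
    key = ec.generate_private_key(ec.SECP256R1())
    return key, _cert(_name(cn), ca_cert.subject, key.public_key(), serial, days).sign(ca_key, hashes.SHA256())

def make_crl(ca_key, ca_cert, revoked_serials=()):  # stands in for the downloaded CRL
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + dt.timedelta(days=7)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())

def conformant(cert, ca_cert, crl, now=NOW):
    # Conformant = issued and signed by the CA, inside its validity window, not on the CRL.
    if cert.issuer != ca_cert.subject:
        return False  # self-signed or foreign issuer
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except Exception:
        return False  # signature does not verify against the downloaded chain
    if not (cert.not_valid_before <= now <= cert.not_valid_after
            and crl.is_signature_valid(ca_cert.public_key())):
        return False  # expired or not yet valid, or a CRL the CA did not sign
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is None

def raise_csr(device_key, cn):  # what MVE does for an out-of-conformance printer
    return x509.CertificateSigningRequestBuilder().subject_name(_name(cn)).sign(device_key, hashes.SHA256())
```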
Click the icon in the upper-right corner of the page.
Click Certificate Authority > Use Certificate Authority Server.
Configure the server endpoints.
CA Server — The Certificate Authority (CA) server that generates the printer certificates. You can select either of the following:
  OpenXPKI CA
  Microsoft CA Enterprise
The CA server must implement the EST protocol as defined in RFC 7030.
EST is the recommended protocol to connect to the OpenXPKI CA server.
CA Server Address — The IP address or host name of your CA server. This field is only applicable for the SCEP and EST protocols.
  For a Microsoft CA server (using SCEP): <Server IP Address or Hostname>/certsrv/mscep/mscep.dll
  For an OpenXPKI server (using SCEP): <Server IP Address or Hostname>/scep/scep
  For EST, type any of the following:
    https://172.87.95.240
    https://estserver.com
    estserver.com
CA Server Label (Optional) — If you created a new realm, enter the same realm name in this field.
CEP Server Address — This field is only applicable for the MSCEWS protocol.
  For Username and Password Authentication: https://democep.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP
  For Windows Integrated Authentication: https://democep.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP
  For Client Certificate Authentication: https://democep.com/ADPolicyProvider_CEP_Certificate/service.svc/CEP
CA Server Hostname — The host name of your CA server.
CES Server Hostname — The host name of your CES server.
Challenge Password — The challenge password asserts the identity of MVE to the CA server. It is required only for OpenXPKI CA and is not supported for Microsoft CA Enterprise.
If you select the EST protocol, then from the CA Server Authentication Mode menu, select one of the following:
  Username and Password Authentication
  Client Certificate Authentication
If you select the MSCEWS protocol, then from the CA Server Authentication Mode menu, select one of the following:
  Username and Password Authentication
  Client Certificate Authentication
  Windows Integrated Authentication
The SCEP protocol only supports the Challenge Password authentication mode.
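As an added example (not MVE's or Lexmark's code), the following Python normalizes the address forms listed above and derives the URLs a client would actually call: the EST operation URLs use the RFC 7030 well-known paths, and the SCEP URLs use the two server paths documented above with RFC 8894 query parameters. It assumes the CA Server Label is placed as the optional RFC 7030 path label; the example.test host names and the GetCACert message value are constructed placeholders.

```python
# Added example, not MVE's code: turn the CA Server Address forms documented
# above into the endpoint URLs a SCEP or EST client would actually call.
from urllib.parse import urlencode, urlsplit, urlunsplit

EST_OPS = ("cacerts", "csrattrs", "simpleenroll", "simplereenroll")  # RFC 7030 operations
SCEP_PATHS = {  # SCEP server paths from the page, keyed by the CA Server selection
    "Microsoft CA Enterprise": "/certsrv/mscep/mscep.dll",
    "OpenXPKI CA": "/scep/scep",
}

def normalize_address(address, default_scheme):
    """Accept 'estserver.com', 'https://estserver.com' or a bare IP; return the split URL."""
    addr = address.strip().rstrip("/")
    if "://" not in addr:
        addr = f"{default_scheme}://{addr}"
    parts = urlsplit(addr)
    if not parts.hostname:
        raise ValueError(f"no host in CA server address: {address!r}")
    return parts

def est_endpoints(address, label=None):
    """EST operation URLs. `label` is assumed to be the CA Server Label (realm)
    from the page, placed as the optional RFC 7030 path segment."""
    parts = normalize_address(address, "https")
    if parts.scheme != "https":  # RFC 7030 requires TLS; never fall back to http
        raise ValueError("EST requires https")
    base = "/.well-known/est" + (f"/{label.strip('/')}" if label else "")
    return {op: urlunsplit((parts.scheme, parts.netloc, f"{base}/{op}", "", ""))
            for op in EST_OPS}

def scep_endpoint(address, operation="GetCACert", scheme="http"):
    """SCEP GET URL (RFC 8894) for an address in the page's '<host>/<server path>' form.
    SCEP is commonly served over plain HTTP because its PKCS#7 payloads carry their
    own protection; pass scheme='https' if the server requires TLS."""
    parts = normalize_address(address, scheme)
    if parts.path not in SCEP_PATHS.values():  # reject a path that matches neither documented server
        raise ValueError(f"unexpected SCEP path {parts.path!r}; expected one of {sorted(SCEP_PATHS.values())}")
    query = {"operation": operation}
    if operation == "GetCACert":
        query["message"] = "CA"  # CA identifier string; constructed value
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))
```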
Click Save Changes and Validate > OK.
Notes:
  After clicking Save Changes and Validate, the CEP Template Selection window appears.
  Select one or more of the available templates.
  The Use Certificate Authority Server dialog fetches the certificate revocation list.
  A dialog confirms that certificate validation is successful.
  You can see the selected CEP templates in the CA server configuration page.
Navigate back to the System Configuration page, and then review the CA certificate.
In the following deployment scenario, all permissions are based on the permissions set on the certificate templates published on the domain controller. The certificate requests sent to the CA are based on those certificate templates.
For this setup, make sure that you have the following:
A machine hosting the subordinate CA
A machine hosting the NDES service
A domain controller
Create the following users in the domain controller:
Service Administrator, named SCEPAdmin:
  Must be a member of the local admin and Enterprise Admin groups
  Must be logged on locally when the installation of the NDES role is triggered
  Has Enroll permission on the certificate templates
  Has Add template permission on the CA
Service Account, named SCEPSvc:
  Must be a member of the local IIS_IUSRS group
  Must be a domain user with Read and Enroll permissions on the configured templates
  Has Request permission on the CA
Enterprise CA Administrator, named CAAdmin:
  Must be a member of the Enterprise Admin group
  Must be a member of the local admin group