Single CA Model
The Single CA model uses only one Certificate Authority. All certificate requests will be processed by that CA. The Single CA model works well in smaller organizations, but larger organizations generally benefit from using a different model.
Having a Single CA makes it easy to administer. There is only one system you have to worry about. The Single CA model can also be very secure. You have to secure only one system. You also have more control over what certificate requests are processed.
The Single CA model does have its disadvantages. First, it doesn’t scale very well. All requests have to go to a single system. This system can become busy processing requests. Having a Single CA also represents a possible single point of failure. If that one system fails, certificate transactions cannot be processed.
Certification Authority (CA) – Digital Signature
The CA ‘stamps’ the certificate with its digital signature. This signature binds all the other fields (listed above) into the certificate, so none of them can be altered without invalidating the signature. The certificate identifies the issuing CA both by that digital signature and by the CA’s name carried in the certificate. Certificates are issued by a CA which, by design, is a trusted party that vouches for the identity of those to whom it issues certificates. To prevent fake certificates, the CA’s public key must itself be trustworthy: the CA can publicize its public key, or provide a certificate from a higher-level CA which attests to the validity of its public key.
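The two properties described above, the signature binding every field and trust resting on the CA’s public key rather than its name, as an added example that is not part of the original text. It uses only the Go standard library; the CA names, device name and serial numbers are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue has signer (the issuing CA's key) sign a new certificate for cn; parent == nil yields a self-signed root CA.
func issue(cn string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { // a root CA signs its own certificate with its own key
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return cert, key
}

// SignedBy reports whether ca's public key verifies leaf's signature; a CA with the same name but a different key fails.
func SignedBy(leaf, ca *x509.Certificate) bool { return leaf.CheckSignatureFrom(ca) == nil }

// SignatureSurvivesTamper flips one bit of the signed body and re-checks; false, because the signature binds every field.
func SignatureSurvivesTamper(leaf, ca *x509.Certificate) bool {
	tbs := append([]byte(nil), leaf.RawTBSCertificate...)
	tbs[len(tbs)-1] ^= 0x01
	return ca.CheckSignature(leaf.SignatureAlgorithm, tbs, leaf.Signature) == nil
}

func main() {
	root, rootKey := issue("Example Root CA", nil, nil) // constructed names, not a real CA
	leaf, _ := issue("device-0001", root, rootKey)
	impostor, _ := issue("Example Root CA", nil, nil) // same CA name, different key pair
	fmt.Println(SignedBy(leaf, root), SignedBy(leaf, impostor), SignatureSurvivesTamper(leaf, root)) // true false false
}
```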
Workspace ONE UEM offers several deployment options for Microsoft certificate authorities:
· Workspace ONE UEM to the CA – This model uses the DCOM protocol. Workspace ONE UEM communicates directly with the Microsoft CA, or through the AirWatch Cloud Connector to the CA.
DCOM (the Distributed Component Object Model Remote Protocol) exposes application objects via remote procedure calls (RPCs) and consists of a set of extensions layered on the Microsoft Remote Procedure Call Extensions.
· Mobile Devices to the CA – This model uses the NDES (Microsoft’s implementation of SCEP) or SCEP protocol. Workspace ONE UEM only delegates the certificate transactions, which take place between the device and the Microsoft CA.
The Network Device Enrollment Service (NDES) allows software on routers and other network devices running without domain credentials to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP).
· Workspace ONE UEM SCEP Proxy – This model uses the NDES or SCEP protocol. Workspace ONE UEM is the proxy that sends certificate transactions between the device and the CA endpoint. The NDES/SCEP endpoint is not exposed to the Internet.
Creating a New Certificate Authority in Workspace ONE UEM:
· In the Workspace ONE UEM Administration Console, go to Devices.
· Click Certificates.
· Click Certificate Authorities.
· Click Add.
· Provide a Name and Description.
· Provide the hostname used to reach your certificate server.
· Enter your CA Authority Name (Note: this is the name that appears in your Certification Authority console).
· Enter the username and password of the service account.
· Click Test Connection.
· Click Save.
You have successfully created a New Certificate Authority in Workspace ONE UEM.