10.3 Replacing the Default Certificate on the Appliance

You must replace the default certificate that ships with the appliance before mobile devices can register successfully. No device trusts the default certificate, and a certificate that ships with the product cannot be treated as private to your installation; for these security reasons, and to spare administrators and users the manual certificate distribution described below, we strongly recommend replacing it with a certificate signed by a well-known Certificate Authority. For more information, see Changing the Certificates on the Appliance.

Before you change the certificate on the appliance, ensure that your environment meets the following requirements:

  • The appliance must be installed and running with a DNS entry that points to it.

  • The certificate must use an RSA key of at least 2048 bits (4096 bits preferred) and a SHA-256 signature (SHA256withRSA).

  • The certificate must be signed by a Certificate Authority, preferably a well-known one. If you choose a self-signed certificate, it must be flagged as a certificate authority (a BasicConstraints extension with CA:true, which the -ext bc=ca:true option in the keytool command below adds), because the mobile device installs it as a trusted root.

If you use a self-signed certificate or one signed by a private (non-public) CA, users must also install the self-signed certificate, or that CA's root certificate, on their mobile devices. For more information, see the following topics:

10.3.1 Generating a Self-Signed Certificate

You can generate a self-signed certificate and use it on the appliance, but if you do, you must also perform the steps in Installing a Self-Signed Certificate on the Mobile Device so that mobile devices can register successfully. keytool ships with the Java 7 JDK and JRE; you can run it on any computer, it does not have to be the appliance.

To generate a self-signed certificate:

  1. Using the Java 7 keytool, run the following command, replacing name and appliance_dns_name:

    keytool -genkeypair -keystore name.p12 -storepass changeit -sigalg SHA256withRSA -keyalg RSA -keysize 4096 -dname "CN=appliance_dns_name" -validity 365 -storetype pkcs12 -ext bc=ca:true

    name can be anything you want, as long as you use the same value in both commands and can locate the file when you upload it.

    appliance_dns_name must be the DNS name of the appliance.

    The output of this command is a PKCS#12 (.p12) keystore containing both the private key and the self-signed certificate. You use this file to replace the default certificate on the appliance. (Enter changeit as the password when the administration console prompts for it.) Because the file holds the private key, keep it on a trusted computer and never send it to users. For more information, see Changing the Certificates on the Appliance.

  2. To extract the public certificate from that keystore (which you will use when you perform the procedure in Installing a Self-Signed Certificate on the Mobile Device), run the following command, replacing name with the same value as above. The alias mykey is the default alias that keytool assigned in step 1:

    keytool -export -keystore name.p12 -storetype pkcs12 -alias mykey -file name.cer -storepass changeit

    The output of this command is a name.cer file containing only the public certificate (no private key), which you can distribute to users later.
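The following shell script is an added example, not part of the product documentation, that wraps the two keytool commands above and then checks the exported certificate against the requirements listed at the start of this section (subject CN equal to the appliance DNS name, SHA256withRSA signature, RSA key of at least 2048 bits, BasicConstraints CA:true). Running the check before distributing name.cer catches a missing CA flag, the usual reason the device later reports the certificate as not trusted. It assumes the layout of `keytool -printcert` output shown in the constructed sample inside the script and the hypothetical host name appliance.example.com.

```shell
#!/bin/sh
# Added example (not from the product documentation): generate the CA-flagged
# self-signed certificate with keytool, export the public certificate, and
# verify the export against the appliance requirements.
# Assumptions: the `keytool -printcert` output layout shown in SAMPLE_OK below
# and the host name appliance.example.com (both constructed for this example).

# Steps 1 and 2 of the procedure: NAME.p12 holds the private key and the
# CA-flagged self-signed certificate, NAME.cer the public certificate only.
generate_self_signed() {
  name=$1; dns=$2
  keytool -genkeypair -keystore "$name.p12" -storepass changeit \
    -sigalg SHA256withRSA -keyalg RSA -keysize 4096 \
    -dname "CN=$dns" -validity 365 -storetype pkcs12 -ext bc=ca:true || return 1
  keytool -export -keystore "$name.p12" -storetype pkcs12 -alias mykey \
    -file "$name.cer" -storepass changeit
}

# Reads `keytool -printcert` output on stdin and checks it for the appliance
# DNS name given in $1. Prints one line per check; returns 0 only if all pass.
check_printcert() {
  dns=$1; text=$(cat); rc=0
  if printf '%s\n' "$text" | grep -q "^Owner: CN=$dns\$"; then
    echo "ok   subject CN is $dns"
  else
    echo "FAIL subject CN is not $dns (the appliance DNS name)"; rc=1
  fi
  if printf '%s\n' "$text" | grep -q 'Signature algorithm name: SHA256withRSA'; then
    echo "ok   signature algorithm SHA256withRSA"
  else
    echo "FAIL signature algorithm is not SHA256withRSA"; rc=1
  fi
  # Newer keytool versions print the key size, older ones do not (assumption),
  # so a missing line is a warning rather than a failure.
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Subject Public Key Algorithm: \([0-9]*\)-bit RSA key.*/\1/p')
  if [ -z "$bits" ]; then
    echo "warn key size not reported; check with: openssl x509 -inform DER -in NAME.cer -noout -text"
  elif [ "$bits" -ge 2048 ]; then
    echo "ok   ${bits}-bit RSA key"
  else
    echo "FAIL ${bits}-bit RSA key is below the 2048-bit minimum"; rc=1
  fi
  # The CA flag lives in the BasicConstraints extension block; without it the
  # mobile device reports the installed certificate as not trusted.
  if printf '%s\n' "$text" | sed -n '/^BasicConstraints:\[/,/^\]/p' | grep -q 'CA:true'; then
    echo "ok   BasicConstraints CA:true"
  else
    echo "FAIL not flagged as a certificate authority; regenerate with -ext bc=ca:true"; rc=1
  fi
  return $rc
}

# Constructed sample of keytool -printcert output for a correctly generated
# certificate (fingerprints shortened); used for the offline self-check.
SAMPLE_OK='Owner: CN=appliance.example.com
Issuer: CN=appliance.example.com
Serial number: 5a1b2c3d
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Wed Jan 01 00:00:00 UTC 2025
Certificate fingerprints:
         SHA1: 0A:1B:2C:3D
         SHA256: 4E:5F:60:71
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]'

# The same certificate generated without -ext bc=ca:true: no BasicConstraints.
SAMPLE_NO_CA=$(printf '%s\n' "$SAMPLE_OK" | sed '/^#1: ObjectId/,$d')

# Stand-alone use: sh check_cert.sh NAME APPLIANCE_DNS_NAME (keytool on PATH).
if [ $# -eq 2 ]; then
  generate_self_signed "$1" "$2" &&
    keytool -printcert -file "$1.cer" | check_printcert "$2"
fi
```

Once the appliance presents the new certificate, you can also verify it from a workstation instead of a device: convert the export to PEM with `openssl x509 -inform DER -in name.cer -out name.pem`, then run `openssl s_client -connect appliance_dns_name:443 -servername appliance_dns_name -CAfile name.pem` and confirm the output ends with `Verify return code: 0 (ok)`.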

10.3.2 Installing a Self-Signed Certificate on the Mobile Device

This procedure is required only if you generated the certificate with the commands in Generating a Self-Signed Certificate. If you are using a certificate signed by a well-known Certificate Authority, skip this section.

To install a self-signed certificate on the mobile device:

  1. Take the name.cer file that you generated in Generating a Self-Signed Certificate and email it to the user who has an email account configured on the mobile device. Alternatively, publish it on a web or FTP site that the mobile device can reach. The file contains only the public certificate, so it can travel over an untrusted channel, but because users are about to install it as a trusted root, give them its fingerprint (from keytool -printcert -file name.cer) through a separate channel so they can confirm what they are installing. Never distribute the name.p12 keystore.

  2. Open the email (or web/FTP site) on the mobile device and tap the certificate attachment.

  3. In the Install Profile window, tap Install.

  4. Read the warning, then tap Install.

  5. Verify that the certificate reads “Trusted” with a green check mark in the Profile Installed window.

  6. (Conditional) If the certificate is not shown as Trusted, the MobileAccess app will not work. The usual cause is a certificate that is not flagged as a certificate authority; regenerate it with the -ext bc=ca:true option as described in Generating a Self-Signed Certificate and repeat this procedure.

  7. Tap Done.

  8. Verify that this procedure worked by entering https://appliance_dns_name in the Safari address bar and ensuring that Safari shows no warning about an untrusted certificate.

    NOTE: This check does not currently work in Chrome on the device; use Safari.

This certificate is listed on the Settings > General > Profiles page on the mobile device and can be removed from that location. On devices running iOS 10.3 or later, a manually installed root certificate must additionally be enabled under Settings > General > About > Certificate Trust Settings before Safari and apps trust it.

Both the server certificate and the trusted root certificate must use RSA keys of at least 2048 bits, as listed in the requirements above.

After you have replaced the default certificate on the appliance, you can continue with MobileAccess installation and configuration.