Fun with Certificates

Fun with certificates. Wow. Certificates in an enterprise are a delicate item to undertake, even just end-point certificates such as users, workstations and SCEP/NDES devices.I finally issued my first certificate to an iPad as a -computer- account following a lot of the blogs on the internet. Now it is time to see if that cert can be used for device authentication on our new wireless overlay. Yeah, we could do generic accounts on the device which is the fall back plan. We've found anything we have to rely on the end point user tends to require a certain amount of support costs. I'll fully document everything this weekend if it works and we are to deploy a successful test (10-100 units). 1 is easy. 10 is work. 100 needs automation. Have to get it relatively automated if possible. No comment on the lack of documentation except on microsoft oriented sites. To those who have created the content, I thank you! My basic sites I visited and followed.

• http://www.kurtdillard.com/StudyGuides/70-640/6.html
• http://marckean.wordpress.com/2010/07/28/build-an-offline-root-ca-with-a-subordinate-ca/
• http://social.technet.microsoft.com/wiki/contents/articles/2900.offline-root-certification-authority-ca.aspx 
• bounty of sub-links to read and understand
• http://security-24-7.com/windows-2008-r2-certification-authority-installation-guide/
• http://blogs.technet.com/b/pki/archive/2012/02/27/ndes-and-ipads.aspx

Notice the lack of apple content. there is a reason! Bad Apple! You will need to download the iphone configuration utility too. The issue I had is with the X.500 name. There is hints and direction, but people are stingy on this one. My entry looked like

O=mycompany.com, CN=iPad123456

O is our domain listed in the certificate signing piece. If your CA signs certs for devices in mycompany.com, then put O=mycompany.com.

CN is the devices name you gave it. We use our asset tag system. This doesn't have to match much along the way. Until I fixed those I was getting 0x800094001. The other flavored the request subject name is invalid or too long is addressed by the authors above.

The O should be capitalized. So should the CN. including a comma and space might be necessary. Haven't chased the rabbit that far down the hole yet.

Onto the next fun part. Cisco ISE. Oh boy! 1.1 release software is fun.