Certificate-Based Authentication and SCEP

ENTERPRISE / 08.27.15 / EK Choi


Certificate-Based Authentication (CBA) is a convenient way of authenticating enterprise users. Users are authenticated with their corporate-issued, trusted certificates without being prompted to enter an ID and password. It is also easier to manage, because the life cycle of a certificate (issue, renew and revoke) can be maintained systematically by the CA (Certificate Authority). However, for IT administrators in large enterprises, implementing certificate-based authentication can be a big challenge if certificate deployment and enrollment are done manually.

SCEP (Simple Certificate Enrollment Protocol) is a certificate enrollment protocol, originally developed by Cisco and long circulated as an IETF (Internet Engineering Task Force) Internet-Draft (it was eventually published as RFC 8894), that simplifies enrolling certificates on a large number of devices. A SCEP profile tells a device how to connect to a SCEP service and where to obtain its certificate from; on Windows the SCEP service is typically NDES (Network Device Enrollment Service), the Microsoft implementation that fronts an enterprise CA. SCEP does not require an administrator's input or approval to issue each certificate; the request is authorized by a challenge password instead. For that reason it is widely used with MDM systems as a self-service device registration service. Although it depends on device capabilities and activation type, once SCEP profiles are delivered to devices and CA-issued certificates have been generated and enrolled, devices and applications can use the certificates to:

  • Authenticate using SSL/TLS when connecting to webpages that use HTTPS
  • Authenticate with a work mail server
  • Authenticate with a work Wi-Fi network or VPN
  • Encrypt and sign email messages using S/MIME protection

How to receive CA certificates via SCEP:
When a user activates an enterprise device with enterprise credentials, BES authenticates the user against its connected directory service (Active Directory), contacts the trusted SCEP (NDES) server, retrieves a one-time challenge password, and encodes that password into the SCEP configuration command that is delivered to the device. When the SCEP configuration package arrives, the device generates a key pair, builds a PKCS#10 certificate request for its identity, embeds the challenge password in the request as the challengePassword attribute, and sends the request to the NDES URL named in the profile. NDES verifies the received challenge against the one it issued (NDES challenges are single-use and expire, by default after 60 minutes) and passes the request to its CA, which issues the certificate for the device; the device then stores the certificate alongside the private key, which never left the device. SCEP was designed for scalability rather than security: the challenge password is the only thing authorizing issuance, so anyone who captures it could enroll a certificate in that device's name. This is why the challenge must be protected in transit, and during this process BES connectivity provides a secure IP tunnel that ensures secure transport of the SCEP profile, the challenge and the resulting certificate to the user's device.

With BES12.2, SCEP profiles are supported on BlackBerry 10, iOS and Android. BlackBerry 10 and iOS support SCEP natively. Android, on the other hand, has no native SCEP client, so manually generating and deploying certificates for Android can be very time-consuming. To address this, the BES12 Client application, available on the Google Play store, has a built-in SCEP client: it stores the SCEP profile in the app and initiates and completes the certificate enrollment. This also enables SCEP support for Android for Work (AfW), Samsung KNOX and Android Secure Work Space. Windows Phone devices do not support SCEP.

How to configure SCEP:
The configuration of the SCEP profile is usually performed by IT or BES admins. The process includes the following steps.

  1. Create a SCEP profile on BES12.
  2. Configure and assign the SCEP profile for BlackBerry 10, iOS and Android.
  3. Configure the web service to request client certificate authentication mapped to AD accounts.
  4. Configure AD to handle certificate authentication.
  5. Verify the SCEP profile settings and the NDES configuration requirements for BlackBerry Device Service.

Certificate-Based Authentication in Action:
What comes next is using the CA-issued certificates to authenticate users and devices. Once certificates are enrolled, users can access corporate resources over SSL/TLS. Devices use the CA certificate to trust the identity associated with any client or server certificate signed by that CA, and the web server does the same in reverse: it must validate the presented client certificate's chain up to the enterprise CA and check its revocation status (CRL or OCSP), because revocation at the CA is what ends access for a lost or retired device. Browsers support CBA out of the box, so when a web server behind the corporate firewall requests a client certificate, the browser presents the CA-issued certificate held on the device (or, in the case of Android, held by the BES12 Client application) and the server authenticates the user from it. CBA can also be configured as an Enterprise SSO profile on BES12.2.

That’s it for today. Stay tuned for our future blogs about authentication!

EK Choi

About EK Choi

EK is a member of the Enterprise Solutions Team, helping developers to create secure applications using BlackBerry solutions and services.