EM L12 Symantec Mobile Management And Managed PKI

Transcription

Hands-On Lab

Description

Building and managing a Certificate Authority infrastructure to support your Mobile Management infrastructure can be time consuming and cost prohibitive. Utilizing a VeriSign managed PKI infrastructure can help to alleviate these burdens. In this hands-on lab students will have the opportunity to configure the Symantec Mobile Management environment to work with the hosted mPKI solution and understand the benefits and advantages associated with its use. This lab assumes a basic familiarity with SMM 7.1 and the SMP platform.

At the end of this lab, you should be able to

- Understand the advantages of hosted PKI services
- Understand the requirements for working with a managed PKI account
- Be able to submit a CSR request to the PKI portal
- Import the required certificates for use with managed PKI
- Configure SMM to use a hosted SCEP configuration profile

Notes

- A brief presentation will introduce this lab session and discuss key concepts.
- The lab will be directed and provide you with step-by-step walkthroughs of key features.
- Feel free to follow the lab using the instructions on the following pages. You can optionally perform this lab at your own pace.
- Be sure to ask your instructor any questions you may have.
- Thank you for coming to our lab session.

Getting Started

Before you begin, you will need to be sure that the SMM-Exchange and SMM-Server virtual machines have been started (in that order). Once the VMs have finished loading, you will be ready to begin. Unless otherwise stated, all of the exercises should be done from the SMM-Server virtual machine.

Setup a Symantec Managed PKI Account

Installing the Managed PKI Account follows a series of steps. The Symantec PKI client is installed first. The PKI client enables you to install the PKI Manager Sign-in Certificate, which is required to securely access the PKI Manager portal. An administrator of the managed account needs to set up the Symantec Managed PKI Account. You need to configure access to your PKI account from the machine you will use to manage the service. The required certificate for account access will be installed on your workstation. For purposes of these lab exercises, the required account, access certificate and certificate profile have already been installed and created for you.

Verify the Symantec PKI client installation

In these next steps we will verify that the above requirements are installed and ready for use.

1. On the SMM-Server virtual machine, open Start > Control Panel
2. Select Programs > Programs and Features
3. Verify that the Symantec PKI Client is listed

Verify that the PKI Manager Sign-in Certificate is installed

Open an MMC certificates snap-in to the ‘Current User’ account:

1. Open the MMC console by clicking Start, type MMC in the Search box, and then click Return when mmc.exe appears.
2. Select File > Add/Remove Snap-in, highlight ‘Certificates’ and move it to Selected snap-ins with the Add button.
3. Leave the default setting of My user account and click Finish.
4. Click OK to save changes.
5. Expand Certificates > Personal and select Certificates
6. Verify that the Scott Jareo certificate, issued by Symantec Class 3 Admin, is installed

Note: This certificate is used for authentication to the PKI portal, and must be installed on the machine you will use to manage the service.

Verify the Certificate Profile

To be able to issue certificates from the PKI manager you must first configure the certificate profile that can be used to generate certificates. In this exercise we will walk through the configuration of this profile, but will not create it, as one has already been created for this lab.

1. Open a browser and navigate to the Symantec Managed PKI Portal page https://pki-manager.symauth.com/pki-manager/
2. Click OK to confirm the Test Drive – Admin Certificate (previously viewed)
3. Enter the required PIN: mpkilab
4. Click OK to login
5. Click on the “Manage Certificate Profiles” icon on the bottom of the screen.
6. Verify that the lab-created profile called TFE Lab already exists, under the ‘Certificate Profiles found’ column.

The following steps will walk through how this profile was created; we will not need to save an additional profile.

1. Click on the “Add Certificate profiles” link at the top left hand of the page.
2. The Managed PKI Portal displays the “Create Profile” wizard with the “Select Mode” page first.
3. Select “Production mode” and click Continue

4. The Managed PKI Portal displays the “Select Template” page.
5. Select “Secure Sign-in” and then click Continue.
6. The Managed PKI Portal displays the “Customize certificate options” page.
7. Enter a “Certificate Friendly Name”.
8. Under Primary certificate options, select the ‘Enrollment method’ box and change the “Enrollment Method” drop box setting to “SCEP”
9. Click Continue to accept the change in enrollment method
10. Click on Advanced Options and verify that the “SubjectAltName” contains a field called “otherName (UPN)” and its source is set to “SCEP Request”
11. Click “Cancel”. We do not need to save this particular profile as one has already been created.

Generate a Certificate Signing Request

In order to work with the Symantec managed PKI certificate you need to generate a CSR that can be submitted to VeriSign to create the required RA certificate. This request is generated from a trusted machine running IIS. This does not have to be the Mobile Management Server. You can create the RA certificate on a different computer and export it to be used on the Mobile Management Server. You can also create the RA certificate on the Mobile Management Server to avoid needing to export/import the certificate. We will follow that scenario in the following exercise.

1. Open IIS Manager: select Start > Control Panel > Administrative Tools > Internet Information Services (IIS) Manager, or use the Start menu shortcut.
2. Under Connections, select the SMM-Server, and then double-click Server Certificates under IIS in the SMM-Server Home column.
3. Click on “Create Certificate Request” under the Action tab on the far right pane.
4. The system displays the “Request Certificate” wizard starting with the “Distinguished Name Properties” page.
5. Enter the following information and click “Next”:
   - Common Name - The name that is attached to your certificate request; this can be any name you will recognize to identify the certificate.
   - Organization - The name of your organization.
   - Organizational unit - The name of the group or department within your organization.
   - City/locality - The city or locality where your organization is located.
   - State/province - The state or province where your organization is located.
   - Country/region - The country or region where your organization is located.
6. Leave the default “Microsoft RSA SChannel Cryptographic Provider” for the “Cryptographic service provider” and select “2048” for the “Bit length”
7. Click “Next”
8. Click the ellipsis button to browse to a file location
9. Select Desktop as the file location, enter a file name (e.g. csrreq.txt), and click Open
10. Click Finish; the certificate request file will be saved on the desktop.

Create and install the Intermediate and RA Certificates

You must now create an RA Certificate to secure communications and identify yourself to Managed PKI. In communications with Managed PKI, the RA certificate is used as a TLS/SSL client authentication certificate. The steps to configure are as follows:

Creating your Certificate request

1. In your browser, navigate back to the Symantec Managed PKI Portal if it is not still open.
2. Click on the “Tasks” icon and select “Get an RA certificate”
3. The Managed PKI Portal displays the “Get an RA Certificate” wizard displaying the “Enter CSR” page.
4. Open the CSR file previously created on the server desktop
5. Hit CTRL A to ‘Select All’ text
6. Hit CTRL C to copy and then paste the CSR text into the provided form in the PKI portal
7. Click the “Cancel” button. We do not need to submit this request as one has already been created for this lab.

Note: Hitting Continue would create the certificate file and provide you an opportunity to download the file. For purposes of this lab environment that file has already been created and downloaded to your VM environment. PLEASE DO NOT SUBMIT A NEW REQUEST.

Completing the certificate request

We will now walk through the steps required to complete the certificate request in preparation for installing the certificates.

Export the Intermediate Certificate

1. On the SMM-Server VM, navigate to C:\EM L12 MPKI
2. Open the RA-Certificate.p7b certificate file (This is the file that would be downloaded from the PKI portal in the previous step)
3. Navigate to the “Certificates” sub-folder.

Note: The certificate file contains 2 files, the RA certificate (Registration Authority ###########) and an intermediate certificate. Certificates need to be installed on the SMM server. If the certificate request was generated on a server other than the SMM server, you would need to complete the certificate process for the RA certificate and export that certificate to be installed on the SMM server.

4. Right-click the intermediate certificate to export it: All Tasks > Export to open the certificate export wizard.
5. Click Next
6. Leave the default DER encoded binary X.509 (.CER) file type selection and click Next
7. Browse to a file path location such as Desktop to name the file and save it, click Next
8. Click Finish to export the file.

Export the RA Certificate

Follow steps 4 - 8 above to export the RA certificate to the desktop as a .CER file. Then complete the following:

1. Open IIS, i.e. select Start > Control Panel > Administrative Tools > Internet Information Services (IIS) Manager.
2. Select the server, and then double-click Server Certificates.
3. Click on “Complete Certificate Request” under the Action tab on the far right pane.
4. Click the ellipsis button and browse to the RA certificate that was previously exported.
5. Enter a certificate friendly name in the “Friendly name” field and click OK.
6. The certificate will now be shown in the IIS Server Certificates page.
7. Select the certificate and click the ‘Export’ link on the right hand side
8. Browse to save the file to the Desktop and give the certificate a password. The file will have a .pfx extension.

Configure SCEP Profile

1. In your browser, navigate back to the Symantec Managed PKI Portal if it is not still open.
2. Click on the “Manage Certificate Profiles” icon.
3. Select the ‘TFE Lab’ Certificate profile previously created.
4.
5. Select and copy the endpoint URL found under ‘Manage this profile’, e.g. 1.16.1.2.3.5.1.1364019/cgi-bin/pkiclient.exe
6. Open the SMM console from the shortcut on the desktop and navigate to Home > Mobile Management
7. Select Device Management > Configuration Editor.

8. Under the iOS Configuration column, click on SCEP and then click on the new payload icon (yellow asterisk) in the right pane.
9. Enter a name and description for the new SCEP payload
10. Paste the certificate profile endpoint as the URL.
11. In addition, enter the following:
    - Enter the Subject field as CN Authentication Certificate
    - Leave the challenge field blank.
    - Set key size to 2048.
    - Enable both boxes: Use as digital signature, Use for key encipherment.
12. Click Save Changes
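As an added example (not part of this lab or of SMM's own code), the SCEP payload configured in steps 8 to 12 expressed as the Apple com.apple.security.scep payload a device actually receives, with a check that the lab's required settings (CN subject, blank challenge, RSA 2048, both key usages) survived. It assumes SMM emits a standard Apple SCEP payload; the endpoint URL, payload identifier and UUID are constructed placeholders, not values from the lab.

```python
import plistlib

# Constructed placeholder; the lab copies the real endpoint from "Manage this profile".
SCEP_URL = "http://PLACEHOLDER-mpki-host/cgi-bin/pkiclient.exe"

# Apple SCEP payload "Key Usage" bit values: 1 = signing, 4 = encryption.
KEY_USAGE_SIGNING = 1   # "Use as digital signature" checkbox
KEY_USAGE_ENCRYPT = 4   # "Use for key encipherment" checkbox
LAB_SUBJECT = [[["CN", "Authentication Certificate"]]]   # one RDN: CN=...


def build_scep_payload(url: str, name: str, description: str) -> dict:
    """Return a com.apple.security.scep payload dict with the lab's settings."""
    return {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.lab.scep",             # constructed
        "PayloadUUID": "00000000-0000-4000-8000-000000000001",  # constructed
        "PayloadDisplayName": name,
        "PayloadDescription": description,
        "PayloadContent": {
            "URL": url,                 # step 10: the profile endpoint
            "Name": name,
            "Subject": LAB_SUBJECT,     # Subject: CN Authentication Certificate
            "Challenge": "",            # challenge left blank, as in the lab
            "Keysize": 2048,
            "Key Type": "RSA",
            "Key Usage": KEY_USAGE_SIGNING | KEY_USAGE_ENCRYPT,  # both boxes
        },
    }


def check_scep_payload(payload: dict) -> list:
    """Return the lab requirements the payload fails (empty list = all OK)."""
    c = payload.get("PayloadContent", {})
    problems = []
    if payload.get("PayloadType") != "com.apple.security.scep":
        problems.append("not a SCEP payload")
    if not str(c.get("URL", "")).endswith("/cgi-bin/pkiclient.exe"):
        problems.append("URL is not a pkiclient.exe SCEP endpoint")
    if c.get("Keysize") != 2048 or c.get("Key Type") != "RSA":
        problems.append("key must be RSA 2048")
    if (c.get("Key Usage", 0) & (KEY_USAGE_SIGNING | KEY_USAGE_ENCRYPT)) != 5:
        problems.append("both digital signature and key encipherment must be set")
    if c.get("Subject") != LAB_SUBJECT:
        problems.append("Subject must be CN=Authentication Certificate")
    return problems


def roundtrip(payload: dict) -> dict:
    """Serialize to the XML plist a device receives and parse it back."""
    return plistlib.loads(plistlib.dumps(payload, fmt=plistlib.FMT_XML))
```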

Activate MPKI Integration Code

The code base installed with SMM 7.2 SP1 has been modified with further improvements for the import and automatic configuration of the MPKI certificates. In this final step we will use the Import functionality to add the required certificates to the SMP console and complete the MPKI integration.

1. In the SMP console navigate to Mobile Management > Settings > iOS Enrollment.
2. Under the iOS Enrollment configuration, in the “Cryptographic credential used for authentication” setting select the name of the SCEP MPKI profile previously configured.
3. Scroll down to the SCEP configuration area.
4. Click the “Enable Symantec MPKI Integration” radio button to turn integration on.
5. Using the Import button, browse to import the certificates previously exported for the root authority (RA) certificate, MPKI Intermediate certificate, and MPKI root certificate.

Note: The root certificate has been placed in C:\EM L12 MPKI

6. Leave the default Symantec MPKI URL set to: vice
7. Click the “Save” button to save changes to configuration files.
8. SMM is now configured to use the Symantec PKI services for SCEP certificate enrollment
