I am constructing an iOS MDM server. I have implemented a SCEP server to handle GetCACert, GetCACaps and PKIOperation.
I have issued an identity certificate with a validity of 3 years. I will later use the issued public identity certificate for verifying the MDM signature and encryption.
Now my questions are,
Question 1: What should I do if my identity certificate expires after 3 years? How should I renew it before expiring?
For testing purposes I issued an expired identity certificate from my SCEP server. I am getting the Update Profile option as mentioned in this question.
But the problem is,
Question 2: Is there any way this process can be automated? If any certificate in the profile is going to expire, instead of waiting for a user-invoked update process, shall we automate this?
Question 3: Another interesting thing is, even after the identity certificate is expired, I was able to send remote management commands encrypted using the expired certificate. The device also decrypted it with the corresponding private key and the command was executed successfully. Am I missing anything here? If an expired certificate works, then what is the point in updating it? Please correct me if I am wrong.
What should I do if my identity certificate expires after 3 years? How should I renew it before expiring?
You should renew the certificate before expiry. If not removed, the profile will turn red and you will get the Update Profile option. By clicking the Update Profile option, the device sends an HTTP request to the profile URL. As a response you can reissue the profile along with a SCEP payload to generate a new identity certificate.
All these things happened only after manually clicking the Update Profile option. Is there any way this process can be automated? If any certificate in the profile is going to expire, instead of waiting for a user-invoked update process, shall we automate this?
Yes you can. Before certificate expiry (you should be able to identify the identity certificates which are going to expire in the MDM server, since those certificates should be maintained for later encryption and signature validation), you can send an InstallProfile command to the device with the updated profile. The payload can have MDM and SCEP payloads. Note that you cannot change Topic, ServerURL, CheckinURL and the access rights.
Since a SCEP payload is sent, the certificate enrolment process will start again and you can issue a certificate with new validity.
Another interesting thing is, even after the identity certificate is expired, I was able to send remote management commands encrypted using the expired certificate.
Please refer to this question. You can encrypt data using an expired certificate. If a certificate is expired, the private key may be abandoned or compromised. So a client which is going to accept the certificate should validate its expiry date if it doesn't want to use the public key pair of an abandoned or compromised private key. Here the client is the MDM server and the private key owner is the device. Perhaps the device's private key cannot be abandoned anyway. So decryption is working properly.
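As an added illustration of the renewal flow the answer describes (not code from the question or the answer), the following sketches the server side: pick the enrolled identities that are about to expire, rebuild the enrollment profile with a fresh SCEP payload and an MDM payload copied unchanged, guard that the keys the device will not let you change are untouched, and wrap the result in an InstallProfile command. The sample profile, URLs, UUIDs, challenge and access-rights value are constructed; "CheckInURL" and "AccessRights" are the actual MDM payload key spellings for what the answer calls CheckinURL and access rights.

```python
import plistlib
import uuid
from datetime import datetime, timedelta
# MDM payload keys iOS will not let a profile update change (the answer lists Topic,
# ServerURL, CheckinURL and access rights; these are Apple's spellings of those keys).
IMMUTABLE_MDM_KEYS = ("Topic", "ServerURL", "CheckInURL", "AccessRights")
# Constructed sample of the profile a device enrolled with (not a real deployment).
CURRENT_PROFILE = {
    "PayloadType": "Configuration", "PayloadVersion": 1, "PayloadDisplayName": "MDM Enrollment",
    "PayloadIdentifier": "com.example.mdm.enroll", "PayloadUUID": "0E7C1B3A-5F62-4D9B-9C11-2A8E4F6B7D10",
    "PayloadContent": [{
        "PayloadType": "com.apple.mdm", "PayloadVersion": 1, "PayloadIdentifier": "com.example.mdm.enroll.mdm",
        "PayloadUUID": "6B2D9F41-8C3E-4A7F-B5D2-1E9C0A3F7B64", "Topic": "com.apple.mgmt.External.example",
        "ServerURL": "https://mdm.example.test/mdm", "CheckInURL": "https://mdm.example.test/checkin",
        "AccessRights": 8191, "IdentityCertificateUUID": "OLD-SCEP-PAYLOAD-UUID"}],
}

def expiring_identities(not_after_by_udid, now_iso, within_days=30):
    """UDIDs whose stored identity cert (ISO-8601 NotAfter string) expires within the window."""
    cutoff = datetime.fromisoformat(now_iso) + timedelta(days=within_days)
    return sorted(u for u, t in not_after_by_udid.items() if datetime.fromisoformat(t) <= cutoff)

def mdm_payload(profile):
    return next(p for p in profile["PayloadContent"] if p["PayloadType"] == "com.apple.mdm")

def build_renewal_profile(current, scep_url, challenge):
    """Same PayloadIdentifier (replaces the installed profile), fresh SCEP payload, MDM payload copied."""
    scep_uuid = str(uuid.uuid4()).upper()
    scep = {"PayloadType": "com.apple.security.scep", "PayloadVersion": 1, "PayloadUUID": scep_uuid,
            "PayloadIdentifier": current["PayloadIdentifier"] + ".scep",
            "PayloadDisplayName": "MDM identity (renewal)",
            "PayloadContent": {"URL": scep_url, "Name": "MDM-CA", "Challenge": challenge, "Keysize": 2048,
                               "Key Type": "RSA", "Key Usage": 5, "Subject": [[["CN", "mdm-identity"]]]}}
    mdm = dict(mdm_payload(current))             # copy keeps Topic/ServerURL/CheckInURL/AccessRights
    mdm["IdentityCertificateUUID"] = scep_uuid   # only the identity reference changes
    renewed = {k: v for k, v in current.items() if k != "PayloadContent"}
    renewed["PayloadContent"] = [scep, mdm]
    return renewed

def changed_immutable_keys(current, renewed):
    old, new = mdm_payload(current), mdm_payload(renewed)
    return [k for k in IMMUTABLE_MDM_KEYS if old.get(k) != new.get(k)]  # pre-send guard

def install_profile_command(current, renewed):
    """InstallProfile command dict to queue for the device; plistlib.dumps(...) it to send."""
    changed = changed_immutable_keys(current, renewed)
    if changed:
        raise ValueError("InstallProfile would alter immutable MDM keys: %s" % changed)
    return {"CommandUUID": str(uuid.uuid4()).upper(),
            "Command": {"RequestType": "InstallProfile", "Payload": plistlib.dumps(renewed)}}
```

Run expiring_identities against the NotAfter dates the server keeps for each enrolled identity, and only queue the command for those UDIDs.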