UMS as a Certificate Authority (CA) Proxy

With the CA Proxy feature, you can use the IGEL Universal Management Suite (UMS) to enroll endpoint device certificates from an external PKI via the EST protocol.

Briefly, the process is as follows:

As a precondition, a certificate profile has been defined in your PKI. The trust material for establishing an mTLS connection to the PKI has been configured in the UMS. When the endpoint device is configured to use the UMS as a Registration Authority / CA proxy, it sends a Certificate Signing Request (CSR) to the UMS. The UMS forwards this CSR to the PKI using the EST protocol. The PKI returns the signed certificate to the UMS. The UMS then sends the complete CA certificate chain to the device.

This feature has been tested with EJBCA using the following configuration:

  • The EST alias is called “est”

  • The EST alias is set to “RA mode”

Supported Encryption Algorithms for the Device Certificates

For the device certificates, the following encryption algorithms are supported:

  • RSA 2048

  • RSA 3072

  • RSA 4096

  • RSA 8192

  • ECDSA ed25519

  • EC brainpoolP256r1

  • EC brainpoolP384r1

  • EC brainpoolP512r1

  • EC prime256v1

  • EC secp256k1

  • EC secp384r1

  • EC secp521r1

Requirements

IGEL OS Endpoint Devices

  • Endpoint devices with IGEL OS 12.7.2 or higher

IGEL Universal Management Suite (UMS)

  • IGEL UMS 12.09.100 or higher

  • IGEL UMS Enterprise License

PKI / EST Server

  • Your PKI uses Enrollment over Secure Transport (EST) as the protocol

  • Your EST configuration supports the default endpoint for EST as defined in RFC 7030: /.well-known/est/<operation>

  • Your EST alias for the standard endpoint must be named “est” (Background: The optional CA label as outlined in RFC 7030 Section 3.2.2 is not yet supported by the UMS)

  • For the mTLS connection between the UMS and the PKI, the following encryption algorithms are supported:

    • RSA

    • ECDSA-p-256/384/512

    • ED-25519/448

  • To build the mTLS connection between the UMS and the PKI, the following data and trust material must be available:

    • Hostname of the EST server

    • Port of the EST server

    • A Java Keystore file (.jks) that contains the following:

      • The web certificates for the EST server

      • The key pair for the client certificate and private key that the UMS will use to communicate with the PKI

    • The private key and keystore must have the same password

Configuring the UMS to Act as a CA Proxy

The certificate profile on the PKI and the endpoint device must match.

  1. In the UMS Web App, go to the Devices area and click the icon that opens the settings dialog.

  2. Select the CA Proxy tab and enter the following data:

    • Configuration Name: Display name for your EST configuration

    • CA Hostname: The hostname of your EST server

    • CA Port: The port required to connect to the EST server. Default: 443

  3. To upload the keystore you have obtained from your PKI, click Upload Keystore and select the keystore file.

  4. Enter the Keystore Password. Note that the keystore and the keys therein must have the same password.

  5. To test your connection, click Test Connection.

  6. Review your configuration and click Save.

Configuring the Endpoint Device to Use the UMS as CA Proxy

Creating a UMS Profile

  1. In the UMS Web App, go to the Configuration section and click the add icon to create a new UMS profile.

  2. Enter an appropriate name for the profile and click Select Apps.

  3. Select IGEL OS Base System and click Next.

  4. Go to Security > Certificates and click the add icon to add a new certificate.

  5. Under Friendly Name, enter a name for the certificate.

This name will be used as a directory name for storing the certificate files on the device.

  6. Enter the data for the endpoint device’s certificate profile according to the certificate profile you have configured in the PKI.

The certificate profile on the endpoint device and the certificate profile defined in the PKI must match. If the certificate enrollment fails, it is recommended to check the logs of the PKI.

  7. Edit the settings for certificate renewal according to your needs.

    • Automatic Renewal: When enabled, the certificate renewal will be triggered automatically, according to the settings below.

    • Units or renewal period: Choose whether the automatic certificate renewal will be triggered after a specified percentage of the validity period has passed or after a specified number of remaining days has been reached.

    • Percentage of remaining validity

    • Days of remaining validity

    • Renewal Period in Percent: Specifies the percentage of the validity period after which the renewal will be triggered. Only effective if Units or renewal period is set to Percentage of remaining validity.

    • Renewal Period in Days: Specifies the number of days remaining before the renewal is triggered. Only effective if Units or renewal period is set to Days of remaining validity.

  8. Set Enrollment Protocol to IGEL UMS.

  9. When you are done, click Confirm.

  10. Review the setting Show notifications to the user. If enabled (default), the user is notified about the certificates on the device.

  11. Click Save and Close to finalize your profile.

Assigning the Profile to the Devices

  1. Go to the Devices area and select the relevant device or the relevant directory of devices.

  2. Set the filter to show only profiles and select the profile you previously created.

The devices will try to obtain their certificates via the UMS immediately.

When Show notifications to the user is enabled (see Creating a UMS Profile, step 10), a notification about the successful certificate enrollment is shown on the device.

How Can I Verify if the Certificate Has Been Deployed on the Device?

→ Open a Local Terminal on the device and check for the following files:

  • /wfs/igel-certs/<FRIENDLY NAME>/cert.pem - The enrolled certificate in PEM format

  • /wfs/igel-certs/<FRIENDLY NAME>/pkey.pem - The private key in PEM format protected by the configured password

  • /wfs/igel-certs/<FRIENDLY NAME>/cacerts.pem - The CA certificate(s)

  • /wfs/igel-certs/<FRIENDLY NAME>/cacerts/<CN>.pem - The CA certificate from the bundle cacerts.pem

→ To review the relevant log entries, enter journalctl | egrep 'rmagent|igel-certs'
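As an added example that is not part of IGEL's documentation, the following script performs the file and chain checks from this section in the Local Terminal and also evaluates the renewal rule described under Creating a UMS Profile, step 7 (percentage of the validity period elapsed, or days remaining). It assumes openssl and GNU date are present on the device, that the private key password is supplied in the PKEY_PASS environment variable, and uses the constructed friendly name MyDeviceCert in the usage comment.

```shell
#!/bin/sh
# Added example, not IGEL's own tooling: check a certificate enrolled via the
# UMS CA proxy and evaluate the profile's renewal rule against its dates.
# Assumes openssl and GNU date (date -d) are available on the device.

# renewal_due MODE THRESHOLD NOT_BEFORE NOT_AFTER NOW  (times as epoch seconds)
# MODE "percent": due once THRESHOLD % of the validity period has passed.
# MODE "days":    due once THRESHOLD days or fewer remain. Prints yes or no.
renewal_due() {
  mode=$1 threshold=$2 nb=$3 na=$4 now=$5
  total=$((na - nb)); remaining=$((na - now))
  if [ "$remaining" -le 0 ]; then echo yes; return 0; fi   # already expired
  case $mode in
    percent) [ $(( (now - nb) * 100 / total )) -ge "$threshold" ] && echo yes || echo no ;;
    days)    [ $((remaining / 86400)) -le "$threshold" ] && echo yes || echo no ;;
    *)       echo "unknown mode: $mode" >&2; return 1 ;;
  esac
}

# check_enrollment DIR: DIR is /wfs/igel-certs/<FRIENDLY NAME>. Confirms the
# files exist, cert.pem chains to cacerts.pem, and cert.pem matches pkey.pem.
# pkey.pem is password protected; the password is read from $PKEY_PASS.
check_enrollment() {
  dir=$1
  for f in cert.pem pkey.pem cacerts.pem; do
    [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
  done
  openssl verify -CAfile "$dir/cacerts.pem" "$dir/cert.pem" >/dev/null || return 1
  # Compare the SHA-256 of the public key in the certificate and in the key file.
  c=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$dir/pkey.pem" -passin env:PKEY_PASS -pubout | openssl sha256)
  [ "$c" = "$k" ] || { echo "cert.pem and pkey.pem do not match" >&2; return 1; }
  openssl x509 -in "$dir/cert.pem" -noout -subject -enddate
}

# cert_renewal_due DIR MODE THRESHOLD: apply renewal_due to the real cert dates.
cert_renewal_due() {
  nb=$(date -d "$(openssl x509 -in "$1/cert.pem" -noout -startdate | cut -d= -f2)" +%s)
  na=$(date -d "$(openssl x509 -in "$1/cert.pem" -noout -enddate | cut -d= -f2)" +%s)
  renewal_due "$2" "$3" "$nb" "$na" "$(date +%s)"
}

# Usage on the device (nothing runs when no directory is given), with the
# constructed friendly name MyDeviceCert and an 80 % renewal threshold:
#   PKEY_PASS='...' sh check_cert.sh /wfs/igel-certs/MyDeviceCert
if [ -n "$1" ]; then
  check_enrollment "$1" && cert_renewal_due "$1" percent 80
fi
```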