Using a Private SSL requires companies to push the HTTPS certificate manually to the iOS device via iPhone Configuration Utility. This is because the company root CeA is unknown to the iOS device. If you have several iOS devices, you have to physically connect the devices to deploy the SSL certificate.

1. Install a standalone CA on the Policy Server. Refer to the following links:
   • Deploying SCEP Server on Windows 2003
   • Deploying SCEP Server on Windows 2008
2. Generate a CSR for the SSL certificate.
3. Sign and export the SSL certificate.
   1. Go to Start > Administrative Tools > Certification Authority.
   2. Right-click the server name, and then click All Tasks > Submit New Request.

      

   3. Select the CSR you created.

      

   4. Go to Pending Requests and right-click the request, and then select Issue.

      

      The request will immediately disappear and will reappear under Issued Certificates.

      

   5. Export the root and child CA.

      To export the child CA:

      1. Double-click the newly issued CA.

         

      2. Go to the Details tab and click Copy to File. The Certificate Export Wizard appears.

         

      3. Click Next.
      4. Select the DER encoded binary X.509 (.CER) option, then click Next.

         

      5. Name the file as "Child-CA.cer" and save it in a target directory.

         

      6. Check and verify the information provided and click Finish. A window will appear saying the export was successful. 
      To export the root CA:
      1. On the same certificate, go to the Certification tab.
      2. Select the top certificate and click View Certificate.

         

      3. Go to the Details tab, select Copy to File and then click Next.

         

      4. Select DER encoded binary X.509 (.CER) then click Next.

         

      5. Name the file as “Root-CA.cer” and save it in a target directory.
      6. Verify the information provided and click Finish. A window should appear saying that the export was successful.
      7. Click OK to close all windows.
4. Apply the Private SSL certificate on the Policy server.
   1. Open the IIS Manager, right-click the OfficeScan virtual website and select Properties.
   2. Go to the Director Security tab, click Server Certificate, and then click Next.

      

   3. Select Process pending request and install the certificate, and then click Next.

      

   4. Select the child certificate Child-CA.cer when the wizard prompts for what certificate to install. Then click Open and select the default settings.

      

   5. Click OK to close the OfficeScan virtual website properties.
   6. Start the OfficeScan virtual website to make sure that the changes take effect.
      The Private SSL certificate is now binded to the OfficeScan virtual website. When you access the OfficeScan management console, you should NOT receive a certificate error. This means the certificate has been verified.
      The lock icon should appear on the upper right corner of the browser.

      

5. Export the Private SSL certificate to be uploaded in TMMS as the Client Profile Signing Credential in the iOS settings tab.
   1. Open the IIS Manager and right-click the OfficeScan virtual website and then select Properties.
   2. Go to the Directory Security tab > Server Certificate.
   3. Select Export the current certificate to a .pfx file then click Next.

      

   4. Enter the desired location and filename.

      

   5. Provide the password and click Next until you finish the wizard.

      

6. Apply the Private SSL to an iOS device via iPhone Configuration Utility.
   1. Install the root certificate on your computer by performing the following steps:
      1. Double-click the root certificate and on the Certificate window click Install Certificate.
      2. On the welcome screen, click Next.
      3. Keep the default setting, and click Next.
      4. Click Finish to start the installation. A pop up message displays notifying that the certificate import was successful.
   2. Download and install the iPhone Configuration Utility.
   3. Create a profile for iOS mobile devices.
      1. Start the iPhone Configuration Utility and click Configuration Profiles from the Library list on the left pane. 
      2. Click New to add a new profile in the profiles list.
      3. Select the new profile that you have created, then select Credentials from the center pane.
      4. Click Configure on the Configure Credentials on the right pane. The Personal Certificate Store window appears. 

         

      1. Select the root certificate from the list and then click OK.
      2. Click General on the center pane and then on the Identity area, type the relevant information in all the text fields provided.
   4. Install the profile on the iOS mobile device.
      1. Connect the iOS mobile device to the computer where you have installed the root certificate.
      2. On the Devices list, select the iOS mobile device.
      3. On the Configuration Profiles tab, select the profile you created, and then click Install. The iPhone Configuration Utility will push the profile to the mobile device.
      4. On the mobile device, tap Install on the Install Profile screen.
      5. Tap Install Now when the Root Certificates pop message appears. The profile installation will start.
      6. After the profile is installed, tap Done on the Profile Installed screen.
7. Apply the Private SSL certificate PFX file and Apple Push Notification PFX file to the TMMS management console.
   1. Log in to the TMMS management console.
   2. Go to iOS Settings and configure the APNS field with the exported Apple Push Notification PFX File.

      

      If you are using the SCEP add-on, enter the SCEP server details.
      If not, leave the SCEP fields blank.
   3. Configure the client profile signing credential with the exported HTTPS/SSL certificate PFX file.
   4. Click Save.

Using a Public Issued CA is automatically deployed to iOS devices being enrolled. Unlike a Private SSL, the root CA is already pre-installed on iOS devices (i.e. GoDaddy, PublicSSL, Verisign, etc.).

To get and install a public SSL Certificate, do the following:

1. Generate a Certificate Signing Request (CSR).
2. Purchase a public SSL certificate from an SSL certificate provider using the CSR file you created in Step 1, and save it as a .cer file. Refer to the certificate provider's website on how to submit the CSR. The certificate provider should provide instructions on how to apply the signed certificate on a specific operating system.
3. Export the HTTPS/SSL cerficate to a PFX file.
   1. Open the IIS Manager.
   2. Right-click the Officescan virtual website and select Properties.
   3. Go to the Directory Security tab and click Security Certificate.
   4. Select Export the current certificate to a .pfx file then click Next.

      

   5. Enter the desired location and filename.

      

   6. Provide the password and click Next until you finish the wizard.
4. Apply the SSL certificate PFX file and Apple Push Notification PFX file to the TMMS management console.
   1. Log in to the TMMS management console.
   2. Go to iOS Settingsand configure the APNS field with the exported Apple Push Notification PFX File.

      

      If you are using the SCEP add-on, enter the SCEP server details.

      If not, leave the SCEP fields blank.

   3. Configure the client profile signing credential with the exported HTTPS/SSL certificate PFX file.
   4. Click Save.