Certificate-based authentication security
CPS supports Certificate-based Mutual Authentication. Mutual Authentication requires that both the server and the client present a certificate to prove their identity. This allows CPS to prevent unauthorized clients, that is, clients without valid certificates, from connecting to the CPS APIs and the event notification service.
Certificate Validation
To be considered valid, a certificate must:
1. Chain to a Certificate Authority (CA) trusted by Ivanti Neurons for MDM and Ivanti EPMM. Currently, this is DigiCert only.
2. Be otherwise valid, for example, marked as usable for client authentication and not expired.
3. Once the certificate has passed these checks, Ivanti extracts the email identity of the certificate from its SubjectAltName RFC822Name value. Ivanti enforces that only one RFC822Name value may exist in a given certificate and rejects a certificate that contains multiple values.
   X509v3 Subject Alternative Name format: email: <name>@<domain>.com
4. After extracting the email identity from the certificate, Ivanti looks up the user and ensures that the user has the CPS role for the Ivanti Neurons for MDM or Ivanti EPMM tenant.
Security of Certificate Procurement Process
The security of this system depends upon preventing unauthorized users from obtaining certificates that are valid for authorized users. To that end, DigiCert has the following processes and protections in place:
1. When a certificate for an email address is requested, an email is sent to that email address requesting confirmation of the certificate request. Note: it is not required that the requester has access to the email address. This allows admins to request (and pay for) certificates on behalf of users.
2. The certificate is only generated when the email recipient clicks the confirmation link. Prior to this, the certificate requester is prevented from seeing the certificate.
3. The certificate and private key are sent to the email address to which the certificate belongs. If the certificate is requested by person A who does not have access to mailbox B, then A will not be able to obtain the private key.
4. The certificate (public) is visible to the certificate requester on DigiCert's website, but the private key is not. Certificate-based Mutual Authentication works by proving that each side has possession of their respective private key. Thus, by providing the private key only to the intended recipient and not the requester, the system prevents attackers from gaining unauthorized access to the APIs.
Assigning the CPS role to a user
The process differs between Ivanti Neurons for MDM and Ivanti EPMM.
Copyright © 2023, Ivanti, Inc. All Rights Reserved. Privacy and Legal.
Page 15 of 108
Getting Started