Can 1024-bit MobiControl root certificates in old v11-v13 MobiControl implementations eventually be uninstalled without requiring device re-enrollment?

Raymond Chan Diamond Contributor
UDS Data Systems Limited

Many of my corporate and governmental customers have new internal security policies to phase out all weak 1024-bit certificates in the IT infrastructure. Many have asked about migrating their existing v11/v12/v13 1024-bit MobiControl root certificate to 2048-bit. As they have hundreds or thousands of devices enrolled and deployed, they cannot tolerate a large-scale device recall and re-enrollment.

Someone from the Soti support team informed me about the procedure to use MCadmin to install, bind and push the new 2048-bit root certificate to all enrolled devices. However, he hadn't confirmed with me whether or not the old 1024-bit root certificate can eventually be removed from all the migrated devices and from the v11/v12/v13 MobiControl server. He then left Soti in early 2018 with the question not completely answered.

Does Soti provide a complete SEAMLESS MIGRATION solution to TOTALLY phase out its old weak root certificate, so that old customers can pass more modern security policies?

Edited 7 years ago

ANSWERS
SMod@Soti
7 years ago

Hi Raymond,

MobiControl v14.1.8 will be the first version with the ability to generate a root certificate with a 2048-bit key size. Any previous version can only generate certificates with a 1024-bit key size.

There are two ways around this issue:

1. The DS and DSE certificate can be replaced by a commercially signed secure certificate provided your devices support the algorithm used for certificate signing. If the CA you buy this certificate from is trusted by the devices, then no extra steps will be involved to push the new DS cert to the devices. This will make the device-MobiControl server connection secure. But currently, there is no way to completely remove the MobiControl Root CA from the database and use the third party root cert for everything.

2. I am trying to get a utility that can generate MobiControl CA root certificates with a minimum 2048-bit key size and inject them into the MobiControl DB to be used as the root certificate. This will address the issue on older versions in which MCADMIN does not have the functionality to generate root certificates with a higher key size. Unfortunately there is no ETA I can provide at the moment about this utility, but I will keep you posted.

As far as deleting the old root certificate from the devices, only a few OEMs have the API to allow our agent to delete certificates from the device store. But you can try the following script on one of your test devices to see if it works as expected:

certdelete -issuer "<IssuerName>" -sn "<SerialNumber>" -storage "<storage>"

"<IssuerName>" is the common name of the certificate issuer.

"<SerialNumber>" is the serial number of the certificate.

"<storage>" is the type of storage into which to import the certificate.

For example: certdelete -issuer "*.apache.org" -sn 00A03DB42A7841AFF5

Please let me know if you have any more questions.

Thanks

Raymond Chan Diamond Contributor
7 years ago (edited 7 years ago)

Your reply in (1) related to the SSL certificate for DSE is well understood, and many customers are already using strong SSL certificates purchased from reputable CAs. However, I don't know whether you mistakenly also mentioned the DS certificate in (1), as I don't know if you can buy another type of certificate for binding to DS. Please educate me on my ignorance.

For (2), while it is always good to have more tools to help with generation of self-signed certificates, I think there are already many free tools (e.g. openssl) that can be used to generate strong self-signed certificates. The problem seems not to be related to its generation, but rather to how it can be imported with MCadmin.exe, how it can be deployed to the devices, and finally how the old weak certificate can be retired and removed without affecting other bound services previously under the old root certificate. I am not sure if it is 100% theoretically impossible from a technical sense due to certificate hierarchy restrictions, or if Soti is working on a solution now. Do you have any idea?

My gut feeling is that there must be a way, either already existing or forthcoming, to solve similar problems in EMM and other domains, as security-related certificates have the never-ending need to be strengthened every few years.

SMod@Soti
7 years ago (edited 7 years ago)

Hi Raymond,

You can use the same commercially signed certificate you have for DSE as the DS certificate as well.

When you click on 'Change' in the MCADMIN utility for the DS certificate, just change the source to Local Personal Storage and then choose Import to add the certificate as the Deployment Server Certificate. This is a major change and can result in devices disconnecting from the DS if the new certificate is not trusted by the devices.

For the second query, the point of the utility is that no additional tools will be required and the existing MobiControl CA on the server can be used as it is to generate certificates with the desired configuration. I am still awaiting a reply from our development team on the technical details of such a process and will keep you posted.

Please let me know if you have any questions.

Thanks

Raymond Chan Diamond Contributor
7 years ago (edited 7 years ago)

Thanks for your clarification on the possibility of binding an SSL certificate to the Deployment Server. However, if the MobiControl root certificate can be upgraded to a stronger (e.g. 2048-bit, SHA256, etc.) certificate, I would rather, for security reasons, stick to the default of using this stronger MobiControl root certificate to locally sign a certificate for binding to the Deployment Server. Many of my customer organizations use a wild-card SSL certificate in many of their servers/devices/applications that use port 443/https-based services. Most of these servers/device end-points are not meant to use MDM/EMM services and therefore should not have a valid certificate chain related to MobiControl deployment server services deployed.

As my original question and previous answers repeatedly state, the core problem is seamless migration with eventual COMPLETE replacement of the old weak 1024-bit MobiControl root certificate by a stronger one in existing v11-v13 implementations. Let's not divert to sideline issues, which will not help my customers pass their security audit if there is no practical and viable solution from Soti.

SMod@Soti
7 years ago

Hey Raymond,

After internal discussion, and due to architectural implications, the correct way to migrate to a secure 2048-bit key size certificate is to upgrade to the latest MobiControl version. There are so many dependencies in the database to be changed while replacing a Root certificate that it is not possible to accomplish this with a program/utility. In addition to secure certificate usage, there are a lot of bugs removed and background security improvements in newer MobiControl versions.

For customers with larger deployments, it's always a good idea to have a separate testing environment where any sort of upgrade or new deployment can be tested.

Please let me know if you have any questions.

Thanks

Raymond Chan Diamond Contributor
7 years ago

Could you please specify clearly:

1. which minimum MobiControl server version AND build number to upgrade to?

2. what step(s) to take to configure the upgrade process to replace the old 1024-bit MobiControl root certificate with a new 2048-bit certificate, without affecting controllability and connectivity with already enrolled devices in all device platforms/modes?

SMod@Soti
7 years ago (edited 7 years ago)

Hi Raymond,

1. which minimum MobiControl server version AND build number to upgrade to?

SHA-256 certificates with a 2048-bit key size can be generated starting with MobiControl v14.1.8.1064.

2. what step(s) to take to configure the upgrade process to replace the old 1024-bit MobiControl root certificate with a new 2048-bit certificate, without affecting controllability and connectivity with already enrolled devices in all device platforms/modes?

You must verify that any legacy devices enrolled in your environment support the SHA256 algorithm and 2048-bit key size certificates before making these changes.

The correct process is as follows:

1. Upgrade to MobiControl v14.1.8 or above following the correct upgrade procedure

2. Once upgraded, generate a new root SHA256 certificate in the MobiControl Admin Utility with a 2048-bit key size and note the time this certificate is generated

3. Wait for all the devices to check in after the above change is made. You can run an advanced search in the web console to select devices that have not checked in after the time noted in Step 2 above

4. Once all your devices have checked in, you can bind all your certificates in the MobiControl Admin utility to this new root certificate

The final step will be to confirm that all the devices checked in at least once after changing the root certificate to the 2048-bit key size, take a database backup and then remove the old 1024-bit Root certificate.

Even though the process is simple, I would still recommend contacting SOTI Tech support for this so that we can verify no other environment specific changes may be required.

A database backup should be made before making any of the above changes.

The list of MobiControl version releases can be found here: https://docs.soti.net/soti-mobicontrol/release-notes/

Please let me know if you have any more questions.

Thanks
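The gating logic behind steps 3 and the final step of the procedure above (find devices that have not checked in since the new root was generated, and refuse to retire the old root until every device has and a backup exists), as an added example that is not SOTI's code; the device records, platform names and timestamps are constructed, and the real data would come from the MobiControl web console's advanced search:

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Device:
    device_id: str
    platform: str                      # hypothetical platform label, e.g. "Android"
    last_checkin: Optional[datetime]   # None = no check-in on record

def stragglers(devices, new_root_generated_at):
    """Step 3: devices that have NOT checked in since the new 2048-bit root was
    generated (mirrors the 'not checked in after time noted in Step 2' search)."""
    return [d for d in devices
            if d.last_checkin is None or d.last_checkin < new_root_generated_at]

def stragglers_by_platform(devices, new_root_generated_at):
    """Group stragglers per platform so each device platform/mode can be chased separately."""
    report = {}
    for d in stragglers(devices, new_root_generated_at):
        report.setdefault(d.platform, []).append(d.device_id)
    return report

def old_root_removal_allowed(devices, new_root_generated_at, db_backup_taken):
    """Final step gate: the old 1024-bit root may be removed only when every device
    has checked in after the new root was generated AND a database backup exists.
    Returns (allowed, reason)."""
    pending = stragglers(devices, new_root_generated_at)
    if pending:
        return False, f"{len(pending)} device(s) have not checked in since the new root was generated"
    if not db_backup_taken:
        return False, "take a database backup before removing the old root certificate"
    return True, "all devices checked in after the new root; old 1024-bit root can be removed"

# Constructed sample data (not from a real MobiControl database).
UTC = timezone.utc
NEW_ROOT_GENERATED_AT = datetime(2018, 6, 1, 9, 0, tzinfo=UTC)   # time noted in step 2
SAMPLE_DEVICES = [
    Device("dev-001", "Android", datetime(2018, 6, 1, 10, 30, tzinfo=UTC)),  # after new root
    Device("dev-002", "iOS",     datetime(2018, 5, 31, 18, 0, tzinfo=UTC)),  # before new root
    Device("dev-003", "Windows", None),                                       # never checked in
]
ALL_CHECKED_IN = [Device(d.device_id, d.platform, datetime(2018, 6, 2, 8, 0, tzinfo=UTC))
                  for d in SAMPLE_DEVICES]

if __name__ == "__main__":
    print(stragglers_by_platform(SAMPLE_DEVICES, NEW_ROOT_GENERATED_AT))
    print(old_root_removal_allowed(SAMPLE_DEVICES, NEW_ROOT_GENERATED_AT, db_backup_taken=True))
    print(old_root_removal_allowed(ALL_CHECKED_IN, NEW_ROOT_GENERATED_AT, db_backup_taken=True))
```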

Raymond Chan Diamond Contributor
7 years ago

Thank you for the procedure outlined. However, shouldn't there be at least a fifth step to remove the old 1024-bit root certificate with MCadmin.exe after binding all certificates for services that were previously bound with this old root certificate?

If so, should this be done only after checking that all devices have checked in at least once with the server after the certificate re-binding with the new 2048-bit root certificate?

SMod@Soti
7 years ago

Yes, the final step will be to take a database backup and remove the old 1024-bit Root certificate once it has been confirmed that all the devices have checked in at least once after changing the root certificate to the 2048-bit key size.

Raymond Chan Diamond Contributor
7 years ago

Thanks for the info. I'll get resources (test server, temporary license, enrolled devices of different platforms, etc.) to perform a thorough test to verify the flow. I will come back to confirm the solution upon successful completion of the verification.
