Procedures for Configuring the Mobile Portal

Prerequisites:

The Configure Mobile Portal link is only available when support for mobile app certificates has been enabled. For details on enabling support for mobile app certificates, see Setting Parameters for Devices.
When using an HSM (recommended), the operator must first generate keys in the HSM for the required certificates, which can then be used to configure the mobile portal. For more details, see Procedure 1: Generating Keys and Details of Certificates Required for Mobile App Certificates Issuance.

When updating the mobile portal, it is recommended to use certificates stored in an HSM. If using software certificates, they must be of the PKCS#12 type (filename extension .pfx or .p12). These files can be uploaded from the workstation. It is not recommended to use the auto-generated certificates provided by default for deployment purposes.

Important: Prior to issuing mobile app certificates on the User Portal, the user must install the root certificates of the SCEP certificate and OTA Signing certificate on his/her mobile device and make sure that these certificates are properly trusted (enabled in the Certificate Trust Settings of the device). The CMS Server SSL certificate must also be trusted on the mobile device.
Note that the OTA Device Root certificate does not need to be installed on the user’s mobile device.
For details about mobile app certificates, see Managing Mobile App Certificates.

The following table includes a description of the certificates managed on the mobile portal as well as details such as their issuer, default location, and key usage.

Details of Certificates Required for Mobile App Certificates Issuance
Certificate	Description	Physical Location of Default Certificates	Issuer	Mobile Device	Key Usage
SCEP Certificate	Certificate used to sign and encrypt request data	%PROGRAMDATA%\HID Global\Credential Management System\Local Files\Certificates\mobileSign.pfx	CA	Certificate Authority that issued this certificate must be trusted by mobile device.	RSA (2048 bit) with sha256 Subject: CN=HOSTNAME KeyUsage: nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment Includes certificate chain
OTA Signing Certificate	Certificate used to sign and encrypt OTA profiles originating from the server	%PROGRAMDATA%\HID Global\Credential Management System\Local Files\Certificates\mobileSign.pfx	CA	Certificate Authority that issued this certificate must be trusted by mobile device.	RSA (2048 bit) with sha256 Subject: CN=HOSTNAME KeyUsage: nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
OTA Device Root Certificate	Certificate used to generate a new device encryption certificate for the mobile device	%PROGRAMDATA%\HID Global\Credential Management System\Local Files\Certificates\mobileRoot.pfx	Self-signed CA	Certificate Authority that issued this certificate is Not required to be trusted by mobile device.	RSA (2048 bit) with sha256 CA:TRUE KeyUsage: cRLSign, keyCertSign

Note: With the Microsoft Certificate Authority, you can use the Web Server template to issue the SCEP certificate and the OTA Signing certificate.

Procedure 1: Generating Keys

Procedure 2: Updating Mobile App Certificates