Complete Process-Flow for Managing Certificates within the AirWatch Software Development Kit (SDK)
This article describes the lifecycle of Application Certificates used in AirWatch Software Development Kit (SDK)-enabled applications. AirWatch integrates with a Certificate Authority (CA) system to manage the generation, revocation and renewal of certificates. The AirWatch SDK distributes and delivers certificates securely to an application. There are four phases in the lifecycle of an application certificate within AirWatch.
In This Article
- Generation of an InstallProfile command – Generate this command to describe the intent to provision an application profile to an application.
- Generation and provisioning of the application certificate – Generate the certificate on-the-fly and then transmit it securely to the application when the application indicates it is ready to receive an application profile associated to a certificate.
- Retrieving certificate list sample from the application – Send a list of all actively used certificates from the application to AirWatch.
- Certificate revocation and renewal – Remove and renew certificates automatically when certain events occur in the SDK-enabled application or in the AirWatch Admin Console.
In order to use certificates in an application, meet the following conditions:
- The application needs to integrate with the AirWatch iOS SDK v3.0 or later.
- A Certificate Authority must be configured in AirWatch.
- An application profile must be created and subsequently associated to the CA.
- The application must be uploaded to the AirWatch Admin Console and configured with the application profile.
- The device on which the application runs needs to be enrolled to receive the certificates.
For more information, see the following guides:
- AirWatch Software Development Kit Technical Implementation Guide for iOS
- Mobile Application Management (MAM) Guide
Generation of InstallProfile Commands in the Command Queue
Certain events trigger the generation of an InstallProfile command for a given application/device pairing. This command contains all the configuration settings specifying which Certificate Authority to use when the certificate is generated.
1. An Event Begins the Application Certificate Lifecycle
- AirWatch sends the command to install an application on a device.
- An application is redeployed explicitly from the AirWatch Admin Console.
- An application is manually downloaded by a user from the App Catalog.
- An application profile is associated to an application.
- An application profile is updated (saved).
2. AirWatch Creates an InstallProfile command in the Command Queue with the Application Profile
The AirWatch system creates an InstallProfile command for the application profile associated to the given application. This application profile may contain references to the Certificate Authority, but no certificate has been created at this point, so the InstallProfile command does not yet contain a certificate. The InstallProfile command targets a specific device and specific application and can only be consumed by that unique application/device pairing.
Generation and Provisioning of Certificates
The SDK-enabled application polls commands in the Command Queue and triggers the generation of a new certificate which is delivered to the application to be consumed.
1. The SDK-based Application Checks for Commands
The application uses the SDK to poll for any commands that may be available. The AirWatch Admin Console identifies there is an InstallProfile command in the Command Queue containing an application profile with a reference to a Certificate Authority for the particular application/device pairing that submitted the request. The request is encrypted and authenticated using Secure Channel.
2. The Certificate is Generated
AirWatch connects to the Certificate Authority to generate the certificate.
3. The Certificate is Embedded into the Application Profile and a Record is Stored in the Database
AirWatch merges the certificate into the application profile in memory before delivering the InstallProfile command. AirWatch stores the “thumbprint” of the certificate and the public key into the database to keep a record of all the certificates created for a specific application/device pairing.
4. The Certificate is sent to the Application
As part of the response to the request from the application, the InstallProfile command containing an application profile with the binary representation of the certificate is delivered to the application. The payload of this message is encrypted using Secure Channel.
5. The SDK notifies the Host Application and Passes the Certificate
Once the SDK receives the payload with the command, it notifies the host application and passes the certificate to it. The application receives the certificate and uses it or stores it internally. The SDK does not track or retain any information related to the delivered certificate.
Retrieval of Certificate List Samples
The AirWatch Admin Console requests the list of all active certificates an application is currently using. This list is used to track which certificates were created for an application and which are active.
Note: Application Certificate Reporting has been implemented into the AirWatch SDK as of AirWatch v6.4.
1. AirWatch Requests Certificate List Sample of Active Certificates
AirWatch periodically requests a sample of the active certificates in the application.
2. The SDK Requests the Application Provide the List of Active Certificates
The SDK sends a notification to the application to self-report the list of active certificates. The application should respond with a valid list of all certificates. An empty list is valid.
3. The SDK Reports the Certificate List Sample to AirWatch
The SDK passes the list of certificates received from the application to the AirWatch Admin Console. If the application does not respond to this request, the AirWatch Admin Console receives notification from the SDK that an invalid response was received.
4. The AirWatch Admin Console Updates the Certificate List Sample
AirWatch stores the list of certificates in the database where it saves all self-reported, active certificates by application and device.
Revocation and Renewal of a Certificate
Certain events trigger the revocation and renewal of certificates.
1. An Event Triggers Certificate Revocation or Renewal
The following events trigger the revocation or renewal of an Application Certificate:
- An application is removed from a device.
- A device record is removed from AirWatch.
- A device is un-enrolled from AirWatch.
- There is a discrepancy between the Certificate Sample and AirWatch-delivered certificates.
2. AirWatch Checks for Certificates to be Removed or Revoked
AirWatch identifies the need to revoke or renew certificates based on the following rules:
- When a device is removed or un-enrolled, all certificates associated to all applications on the device are revoked.
- When an application is removed, all certificates associated to that application are removed.
- When the list of delivered certificates does not match the list of the current certificates on an application/device pairing, the inactive certificates are revoked.
- Certificates approaching their expiration date are renewed and the old certificates are revoked.
After determining which action to take, AirWatch initiates the actual process of certificate renewal and revocation.
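The following Python model, added here as an illustration and not code from AirWatch or its SDK, applies the revocation and renewal rules above to the server-side record of delivered certificates (thumbprint per application/device pairing) and the self-reported certificate list samples from the previous section. The renewal window, the record layout and the sample data are constructed assumptions; the article gives no renewal threshold, and it does not say what the console does after an invalid sample response, so this model simply skips the discrepancy check for that pairing.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class DeliveredCert:
    """One certificate AirWatch delivered and recorded (assumed record layout)."""
    device_id: str
    app_id: str
    thumbprint: str   # constructed sample values below, not real thumbprints
    not_after: date

RENEWAL_WINDOW = timedelta(days=30)   # assumed threshold; the article states no number

def plan_actions(delivered, samples, removed_apps, unenrolled_devices, today):
    """Return sorted (action, thumbprint) tuples for the rules in the article.

    samples maps (device_id, app_id) to the self-reported list of active
    thumbprints; an empty list is a valid report, None means the application
    gave no valid response (assumption: no discrepancy check is run for it).
    """
    actions = set()
    for cert in delivered:
        pairing = (cert.device_id, cert.app_id)
        if cert.device_id in unenrolled_devices:      # device removed/un-enrolled
            actions.add(("revoke", cert.thumbprint))
            continue
        if pairing in removed_apps:                   # application removed
            actions.add(("revoke", cert.thumbprint))
            continue
        reported = samples.get(pairing)
        if reported is not None and cert.thumbprint not in reported:
            actions.add(("revoke", cert.thumbprint))  # delivered but no longer active
            continue
        if cert.not_after - today <= RENEWAL_WINDOW:  # approaching expiry
            actions.add(("renew", cert.thumbprint))   # issue a replacement ...
            actions.add(("revoke", cert.thumbprint))  # ... and revoke the old one
    return sorted(actions)

# Constructed sample data covering each rule plus the empty and invalid sample cases.
TODAY = date(2024, 1, 1)
DELIVERED = [
    DeliveredCert("dev1", "app1", "aa11", date(2025, 1, 1)),  # reported active: keep
    DeliveredCert("dev1", "app1", "bb22", date(2025, 1, 1)),  # not in sample: revoke
    DeliveredCert("dev1", "app2", "cc33", date(2025, 1, 1)),  # app removed: revoke
    DeliveredCert("dev2", "app1", "dd44", date(2025, 1, 1)),  # device un-enrolled
    DeliveredCert("dev1", "app3", "ee55", date(2024, 1, 15)), # invalid sample, expiring
    DeliveredCert("dev1", "app4", "ff66", date(2025, 1, 1)),  # empty (valid) sample
]
SAMPLES = {("dev1", "app1"): ["aa11"], ("dev1", "app3"): None, ("dev1", "app4"): []}

def demo():
    return plan_actions(DELIVERED, SAMPLES, {("dev1", "app2")}, {"dev2"}, TODAY)
```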