MobileIron - Enterprise Subordinate Certificate Authority

MobileIron uses certs for almost everything and one thing that I like to do is sign MobileIron cores Local CA with an intermediate certificate from our Windows root CA.

To make the csr I am going to be using openSSL on windows

The command you want to run is this
"openssl req –new –out ServiceName.csr –newkey rsa:2048 –nodes –sha256 –keyout ServiceName.key.temp –config YourCFGFile.cfg"   With this request file, changed for your needs in notepad

[req] distinguishedname = reqdistinguishedname
extensions = v3req
prompt = no
distinguishedname] C = AU
L = Canberra
CN =
req] keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:name, DNS:name.domain, IP:

Save the file as a .cfg

openssl req -new -out core.csr -newkey rsa:2048 -nodes -sha256 -keyout core.key -config core.cfg

Go to your Microsoft Active Directory Certificate Services most of the time is will be your CA server /certsrv/

Click on Request a cert


Past in a copy of your csr made before with openssl into the request box

Download the Base 64 encoded cert chain, this will download a .p7b file that will have your root CA and the new cert

Open this file and export the certs into Base 64 keeping with the name chain for giving them to core later

You should now have all of the certs that where part of the chain, now make a new file coping in the key > cert > root ca

Now import the cert, log into the mifs portal and go to Local CA under Services, click add and Intermediate Enterprise CA

Give the cert a name and upload the cert

In part 2 I will go into using this new Cert on your sentry and pushing it out to devices.

Daniel Berry

Read more posts by this author.