Netskope Help

Upload and Enroll Certificates

To upload and enroll certificates for MobileIron on-demand and per-app VPN:

  1. To upload the Local CA certificate, open the MobileIron Core UI and go to Services > Local CA > Add > Intermediate Enterprise CA.

  2. Upload the CA certificate with the key in PFX format. Use either your own CA certificate with its key, or create a self-signed certificate in MobileIron (Services > Local CA > Add > Generate Self-Signed Certificate). Browse to and select the certificate file, enter a Local CA Name, and then click Upload Certificate.


    This PFX file contains the Root CA and Intermediate certificates. SCEP uses it to issue end-user certificates during VPN configuration setup, while the profile is being installed on the user's device. A Certificate Authority (CA) issues the end-user certificates.

  3. To upload the Root certificate, go to Policies & Configs > Add New > Certificates. In the New Certificate Setting window, enter the certificate name and description, and then browse to and select the certificate file.


    While uploading a certificate, leave the Password and Confirm Password options empty. If using the Netskope-provided Root certificate, the file name is rootcaCert.pem.

    When finished, click Save.

  4. To upload the Intermediate CA certificate, repeat step 3. If using the Netskope-provided Intermediate certificate, the file name is caCert.pem.

  5. To configure the local certificate enrollment, go to Policies & Configs > Add New > Certificate Enrollment > Local.

  6. Enter these parameters:

    • Name: Enter your Local Certificate Enrollment profile name. This is the VPN MobileIron configuration name.

    • Certificate Type: Select User Certificate.

    • Local CAs: Select the certificate that you uploaded in step 1 above.

    • Subject: Enter the subject string in this format:

      emailAddress=$EMAIL$,CN=$EMAIL$,OU=<Tenant OU>,O=<Organization Name>,L=<Location>,ST=<State>,C=<Country>

      Use the OU and O values from the Certificate Setup dialog box in the Netskope UI (Settings > Security Cloud Platform > Netskope Client > MDM Distribution).


      Location (L), State (ST), and Country (C) must be unique for your CA.

    • Subject Common Name: Optional. To use, select from the dropdown list.

    • Key Usage: Optional. Choose to enable or disable.

    • Key Size: 2048

    • CSR Signing Algorithm: SHA1


      Leave the remaining parameters unchanged.

  7. Click Save.
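
A pre-flight check for the Subject string from step 6, added here as an example (it is not Netskope or MobileIron code): it confirms that the attributes match the format shown, that emailAddress and CN still carry the $EMAIL$ variable, and that no `<...>` placeholder was left unfilled. Treating the attribute order as mandatory and the two-letter country check are assumptions of this example, and the sample values are constructed.

```python
import re

# RDN attributes in the order step 6 shows them; treating that order as
# mandatory is an assumption of this example.
REQUIRED = ["emailAddress", "CN", "OU", "O", "L", "ST", "C"]

# Constructed sample values, not taken from any real tenant.
GOOD = ("emailAddress=$EMAIL$,CN=$EMAIL$,OU=example-tenant-ou,"
        "O=Example Corp,L=Santa Clara,ST=California,C=US")
UNFILLED = ("emailAddress=$EMAIL$,CN=$EMAIL$,OU=<Tenant OU>,"
            "O=<Organization Name>,L=<Location>,ST=<State>,C=<Country>")

def split_rdns(subject):
    """Split on commas that are not backslash-escaped (e.g. 'O=Example\\, Inc.')."""
    rdns = []
    for part in re.split(r"(?<!\\),", subject):
        key, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError(f"not a key=value pair: {part!r}")
        rdns.append((key.strip(), value.strip()))
    return rdns

def check_subject(subject):
    """Return a list of problems; an empty list means the string fits the format."""
    try:
        rdns = split_rdns(subject)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    keys = [k for k, _ in rdns]
    values = dict(rdns)
    if keys != REQUIRED:
        problems.append(f"attributes are {keys}, expected {REQUIRED}")
    for key in ("emailAddress", "CN"):
        if values.get(key) != "$EMAIL$":
            problems.append(f"{key} must be the $EMAIL$ variable")
    for key, value in rdns:
        if not value:
            problems.append(f"{key} is empty")
        elif re.search(r"<[^>]*>", value):
            problems.append(f"{key} still contains a placeholder: {value}")
    country = values.get("C", "")
    if country and "<" not in country and not re.fullmatch(r"[A-Za-z]{2}", country):
        problems.append("C must be a two-letter ISO 3166 country code")
    return problems

if __name__ == "__main__":
    for name, subject in (("GOOD", GOOD), ("UNFILLED", UNFILLED)):
        print(name, check_subject(subject) or "ok")
```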