We are looking at deploying mobile applications to our mobile BYOD estate. One of the ideas we're looking at is using user certificates pushed to the devices as a form of authentication in addition to the PIN the users will need to enter. The certificates would be pushed to the devices when they enroll.
We can spin up a Windows 2008 Server PKI to generate the certs. The idea is:
i. User downloads an app from our corporate app store
ii. As part of the enrollment process, they will contact a server named MobileAppSvr1 that will request a certificate on their behalf from the internal PKI.
iii. The certificate will be created which binds the public key to the username
iv. The certificate is pushed to the device via MobileAppSvr1
v. Whenever the user wishes to launch the app again, they are asked to enter a password, and MobileAppSvr1 also checks that the cert hasn't been revoked for that user.
Some questions:
a) I understand the certificate is digitally signed by our CA. Does this mean the user's device has to trust the CA or MobileAppSvr1?
b) Where does the private key come into play here? Does any decryption need to be done at all?
c) Do we need any software on the mobile device to decrypt anything?
d) Would the above solution (steps i to v) work theoretically?
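As an added illustration (not part of the original question, and not code from any product named in it), here is a self-contained Go model of steps i to v: an internal CA issues a certificate binding a device-generated public key to a username, the device signs a server nonce with its private key, and MobileAppSvr1 verifies the chain against the CA, the username binding, the signature and a CA-signed CRL, once before and once after revocation. Go's standard crypto/x509 stands in for the Windows PKI; the CA name "Example Corp Mobile CA", the user "alice", the serial numbers and the helper names (`must`, `mint`, `crl`, `authenticate`, `runFlow`) are all invented for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on setup errors; authentication failures are returned as values, since they are what MobileAppSvr1 acts on.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mint signs a certificate for pub: the self-signed CA when parent is nil, otherwise a user
// certificate whose CommonName is the username (step iii). The CA only ever sees the public key.
func mint(cn string, serial int64, pub *ecdsa.PublicKey, parent *x509.Certificate, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // CA: may sign certificates and CRLs, carries no client-auth EKU
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))
	return must(x509.ParseCertificate(der))
}

// crl publishes a CA-signed revocation list naming the given serials, as MobileAppSvr1 would fetch and parse it.
func crl(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, number int64, revoked ...*big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(number),
		ThisUpdate: time.Now().Add(-time.Minute),
		NextUpdate: time.Now().Add(24 * time.Hour),
	}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, caCert, caKey))
	return must(x509.ParseRevocationList(der))
}

// authenticate is MobileAppSvr1's side of step v. The server, not the device, holds the CA certificate as
// trust root; it checks the chain, the username binding, proof of possession of the private key
// (CheckSignature hashes the challenge with SHA-256 and verifies it with the cert's public key) and the CRL.
func authenticate(caCert *x509.Certificate, list *x509.RevocationList, username string, cert *x509.Certificate, challenge, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if cert.Subject.CommonName != username {
		return fmt.Errorf("certificate is bound to %q, not %q", cert.Subject.CommonName, username)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, challenge, sig); err != nil {
		return fmt.Errorf("proof of possession: %w", err)
	}
	if err := list.CheckSignatureFrom(caCert); err != nil {
		return fmt.Errorf("crl: %w", err)
	}
	for _, r := range list.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate %v revoked", cert.SerialNumber)
		}
	}
	return nil
}

// runFlow runs steps i to v for one user and reports the login outcome before and after the CA revokes the cert.
func runFlow(username string) (beforeRevoke, afterRevoke error) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caCert := mint("Example Corp Mobile CA", 1, &caKey.PublicKey, nil, caKey) // hypothetical CA name
	devKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))           // generated on the device at enrollment
	cert := mint(username, 1001, &devKey.PublicKey, caCert, caKey)            // step iii; pushed to the device in step iv
	challenge := make([]byte, 32)                                             // fresh nonce from MobileAppSvr1 at each launch
	must(rand.Read(challenge))
	sum := sha256.Sum256(challenge) // the device's only use of its private key: sign the nonce; nothing is decrypted
	sig := must(ecdsa.SignASN1(rand.Reader, devKey, sum[:]))
	beforeRevoke = authenticate(caCert, crl(caCert, caKey, 1), username, cert, challenge, sig)
	afterRevoke = authenticate(caCert, crl(caCert, caKey, 2, cert.SerialNumber), username, cert, challenge, sig)
	return beforeRevoke, afterRevoke
}

func main() {
	fmt.Println(runFlow("alice"))
}
```

Run with `go run`: the first result is nil (login succeeds) and the second reports the certificate as revoked. Two design points are visible in the code: the CA certificate is loaded as a trust root on the server side only, because it is the server that validates the device's certificate, and the device's private key is used solely to produce a signature over a fresh server nonce, so no decryption happens on either side. The model does not cover how the device authenticates MobileAppSvr1 itself (for example via TLS), which is where the device would need its own trust anchor.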