Managing authentication certificates in Symantec Mobility: Suite
Last Updated November 09, 2015
Authentication certificates play several important roles in Symantec Mobility: Suite. For managing iOS devices, iOS apps, and iOS notifications, a series of certificates is required to establish chains of trust between Apple, iOS devices, iOS apps, and Mobility Suite. Services such as Exchange ActiveSync, VPN, and Wi-Fi use certificates to establish chains of trust between iOS mobile devices and secure network infrastructure.
Certificates, IDs, and profiles for iOS apps and MDM
The certificates you need to manage iOS devices in Mobility Suite are a combination of certificates you obtain from a Certificate Authority (CA) and Apple. To take full advantage of Mobility Suite's Mobile Device Management (MDM) capabilities for iOS devices, and iOS app wrapping, you need the full complement of iOS certificates, an App ID, and a Mobile Provisioning Profile.
Authentication certificates for secure network services
There are two options for managing the certificates that secure Exchange ActiveSync (EAS), VPN, and Wi-Fi. You can manage them yourself, or you can use a Managed Public Key Infrastructure (MPKI) provider. An MPKI provider handles the functions of Certificate Authority, repository, distributor, and certificate auditor for you. Mobility Suite is currently integrated with Symantec's Managed PKI service. Users with a Symantec Managed PKI account can set up Mobility Suite device policies to request certificates from the CA as needed; these are called dynamic certificates.
Authentication certificate for two-factor authentication
Certificates that are used for two-factor authentication also appear on the Settings > Certificates > Authentication certificates page.
If you are a SaaS tenant, an authentication certificate is created for you when you request two-factor authentication setup. Symantec Mobility renews this certificate before expiration, so you do not need to obtain and upload a new certificate when the current one expires.
If you are an on-premises tenant, you must have a valid certificate to request and use two-factor authentication. The certificate file must be in .p12 format. You can use a certificate that a certificate authority (CA) issues or a self-signed certificate that your server issues.
Before certificate expiration, you must re-register two-factor authentication and upload a new certificate. Otherwise, two-factor authentication is automatically disabled when the certificate expires. Because setting up two-factor authentication can take several days, as a best practice you should enable the Certificate Expiration notification email setting so that you are reminded in sufficient time to re-register.
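An independent check for the on-premises case above, as an added example that is not part of the Symantec documentation: it reads the client certificate from a .p12 file with the OpenSSL command-line tool and reports whether it expires within a chosen number of days. The function names, the P12_PASS environment variable, the file name in the usage comment and the window length are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Symantec code). Requires the OpenSSL command-line tool.
# The .p12 password is read from the P12_PASS environment variable (an
# assumption of this example) so it never appears in the process list.

# p12_client_cert FILE: print the client certificate in PEM form.
# Fails if the file is unreadable, not PKCS#12, or the password is wrong.
# Note: files protected with older ciphers may need "-legacy" on OpenSSL 3.x.
p12_client_cert() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:P12_PASS 2>/dev/null
}

# p12_expires_within FILE DAYS
#   returns 0 if the certificate expires (or has expired) within DAYS days
#   returns 1 if it is still valid beyond that window
#   returns 2 if the certificate could not be read
p12_expires_within() {
    pem=$(p12_client_cert "$1") || return 2
    # Confirm the extracted text really parses as an X.509 certificate.
    printf '%s\n' "$pem" | openssl x509 -noout >/dev/null 2>&1 || return 2
    # -checkend exits 0 when the certificate is still valid after N seconds.
    if printf '%s\n' "$pem" |
        openssl x509 -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
    then
        return 1
    fi
    return 0
}

# p12_expiry_report FILE DAYS: one-line summary for a cron job or runbook.
p12_expiry_report() {
    rc=0
    p12_expires_within "$1" "$2" || rc=$?
    case $rc in
        0) status="RENEW NOW: expires within $2 days" ;;
        1) status="OK: valid for more than $2 days" ;;
        *) echo "ERROR: cannot read certificate from $1" >&2; return 2 ;;
    esac
    end=$(p12_client_cert "$1" | openssl x509 -noout -enddate)
    echo "$1: $status ($end)"
}

# Usage after sourcing this file, with P12_PASS exported
# (twofactor.p12 is a hypothetical file name):
#   p12_expiry_report twofactor.p12 30
```

Choose a window longer than the time re-registration takes in your environment, since the page notes that setup can take several days.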