Deploy certificate with Microsoft Intune?
Some company resources are accessible through a digital certificate. It’s therefore necessary for users to have a certificate to access VPN, Wifi,… These certificates prevent the use a user name and password. Intune allows you to assign and manage these certificates. Two types of certificates can be used:
- Simple Certificate Enrollment Protocol (SCEP)
- PKCS#12 (or PFX)
The following prerequisites are required to deploy a certificate
- Have a certificate infrastructure
- Installing a root or intermediate certificate
- iOS 8.0 and later
- macOS 10.11 and later
- Android 4.0 and higher
- Android Professional Profile
- Windows 8.1 and later
Configuring the certificate infrastructure
The following operations allow the deployment of a PKCS certificate. An Active Directory infrastructure and a certification authority are required. The root certificate must also be exported.
Export the root certificate from the enterprise CA
The root or intermediate certificate must be deployed on all devices requiring a certificate. From the server with the CA role, run a command prompt. Run the command certutil -ca.cert certroot.cer
Install and configure Microsoft Intune Certificate Connector
From the Intune portal, click Device Configuration and then click Certification Authority.
Click on Add then use the link to download the tool.
Run the tool on the desired server and select the desired installation option.
At the end of the installation, check Launch Intune Connector and click to Finish.
A new Windows Appear, click into Sign In.
Log in by entering the username/password of the admin account. A new message appears, indicating that the registration has been successfully completed. Click to Close.
Adding to Azure console is done correctly.
Configuring certificate templates on the certification authority
Open the Certificate Authority console and right-click Certificate Templates. From the context menu, select the Manage.
Right-click the user certificate Template and from the context menu, select Duplicate Template. A window will appear.
Under the Compatibility tab, configure the drop-down lists as below:
- Certificate Authority: Windows Server 2008 R2
- Certificate recipient: Windows 7 / Server 2008 R2
In the General tab, specify a Display name for the Template. Select Request Handling and check the box Allow private key to be experted.
In Cryptography tab, verify that Minimum Key Size is 2048.
Select the Subject Name tab and select Supply in the request.
In Extensions tab, make sure you see Encrypting File System, Secure Email, and Client Authentication under Application Policies. Select the Security tab, add the computer account of the server where Microsoft Intune Certificate Connector is installed. Grant Read and Register permissions to this account.
Click to OK and close Certificate Templates Console. Into the Authority console, right click on Certificate Templates and in the context menu select new / Certificate Template to Issue.
Select the previously created Template and click ok. Certificates can now be deployed.
Configuring Microsoft Intune
Create a device configuration
From the Intune console, click Device Configuration. In Profies, click Create Profile.
Enter the name of the profile and select the desired platform. In Profile type, select Trusted Certificate and click to configure.
In the certificate file, click on button to select certificate of root CA exported earlier in this article (Export the root certificate from the enterprise CA). Click to OK to import cer file.
The assignment to a device group can now be performed.
Create a PKCS Certificate Profile
From the Intune console, click Device Configuration. In Profies, click Create Profile. Enter the name of the profile and select the desired platform. In Profile type, select Trusted Certificate and click to configure.
Configure the window as below:
- Renewal threshold (%): Indicates renewal threshold, recommended value is 20%.
- Certificate validity period: Indicates the validity period of the certificate (to be configured according to the template).
- Certification authority: Enter the internal FQDN of your certification authority
- Certification authority name: Enter the name of the certification authority.
- Certificate template name: Enter the name of the certificate Template.
- Subject name format and Subject alternative name
- Subject name format:Select the desired value from the drop-down list.
- Subject alternative name:Select User principal name(UPN).
The profiles has been created.
The certificate has been deployed on my Ipad.