Deploy a certificate with Microsoft Intune

Some company resources, such as the VPN or the Wi-Fi network, are only reachable with a digital certificate, so users need a certificate on their device to access them. The certificate authenticates the user without transmitting a user name and password. Intune lets you deploy and manage these certificates. Two types of certificate profile can be used:

  • Simple Certificate Enrollment Protocol (SCEP)
  • PKCS certificates (a PKCS #12 / PFX file containing the certificate and its private key)


The following prerequisites are required to deploy a certificate:

  • An existing certificate infrastructure (an Active Directory Certificate Services enterprise CA)
  • The root or intermediate CA certificate installed on the devices (deployed by Intune as a trusted certificate profile)
  • iOS 8.0 and later
  • macOS 10.11 and later
  • Android 4.0 and higher
  • Android Enterprise work profile
  • Windows 8.1 and later

Configuring the certificate infrastructure

The following steps prepare the infrastructure for PKCS certificate deployment. An Active Directory domain and an enterprise certification authority are required, and the root certificate must be exported so that devices can trust the CA.

Export the root certificate from the enterprise CA

The root or intermediate certificate must be deployed on every device that will receive a certificate, so that the issued certificates chain to a trusted anchor. On the server holding the CA role, open a command prompt and run certutil -ca.cert certroot.cer. This writes the CA's own certificate to certroot.cer; if that CA is a subordinate, export the root CA certificate as well.
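As an added example (not part of the original article), the PowerShell below runs the same certutil export and then checks what was actually written before the file is handed to Intune: that it is a CA certificate at all, whether it is the root or only an intermediate, and its thumbprint for comparison after import. The file name certroot.cer is the one used above; it is assumed to be run on the CA server.

```powershell
# Added example, not from the original article.
# Assumptions: run on the CA server; certroot.cer is an arbitrary output name.

$OutFile = Join-Path $PWD 'certroot.cer'

# -ca.cert writes the CA's own signing certificate (DER encoded) to the file.
certutil.exe -ca.cert $OutFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -ca.cert failed with exit code $LASTEXITCODE" }

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $OutFile

# Basic Constraints must say CA=TRUE, otherwise this is not a CA certificate.
$bc = $cert.Extensions |
      Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) { throw "$OutFile is not a CA certificate" }

# A root CA certificate is self-issued: Subject and Issuer carry the same name.
$isRoot = ($cert.Subject -eq $cert.Issuer)

[pscustomobject]@{
    File       = $OutFile
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    NotAfter   = $cert.NotAfter
    Thumbprint = $cert.Thumbprint   # compare with the value Intune shows after import
    IsRoot     = $isRoot
}

if (-not $isRoot) {
    # A subordinate CA on its own is not enough: without the root (and any other
    # intermediate) in a trusted certificate profile the chain will not validate.
    Write-Warning "Exported certificate is an intermediate CA issued by '$($cert.Issuer)'. Export the root CA certificate too and deploy both."
}
```

The thumbprint and NotAfter date are worth recording: the trusted certificate profile has to be replaced before the CA certificate expires or is renewed with a new key.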


Install and configure Microsoft Intune Certificate Connector

From the Intune portal, click Device configuration and then Certification authority.


Click Add, then use the link to download the connector installer.


Run the installer on the server that will host the connector (a domain-joined server that can reach the CA) and select the installation option for PKCS, labelled PFX Distribution in the installer.

At the end of the installation, check Launch Intune Connector and click Finish.


A new window appears; click Sign In.


Sign in with the user name and password of an Intune administrator account. If the server reaches the internet through a proxy, enter the proxy credentials when prompted. A message then confirms that the registration completed successfully; click Close. The connector is now registered and appears in the Intune console under Certification authority.

Configuring certificate templates on the certification authority

Open the Certification Authority console and right-click Certificate Templates. From the context menu, select Manage.


Right-click the User certificate template and, from the context menu, select Duplicate Template. A window appears.


Under the Compatibility tab, configure the drop-down lists as follows:

  • Certification Authority: Windows Server 2008 R2
  • Certificate recipient: Windows 7 / Server 2008 R2

In the General tab, enter a Template display name and note the Template name next to it, which is the value Intune asks for later. In the Request Handling tab, check Allow private key to be exported: the connector generates the key pair on the server and has to package it, together with the issued certificate, into the PFX it sends to the device.


In the Cryptography tab, verify that Minimum key size is at least 2048.


Select the Subject Name tab and select Supply in the request. This is required because the connector builds the subject from the Intune profile, but it also means the CA issues whatever subject the requester asks for, so enrollment permission on this template must be restricted to the connector account (next step).


In the Extensions tab, make sure Encrypting File System, Secure Email and Client Authentication are listed under Application Policies. In the Security tab, add the computer account of the server where Microsoft Intune Certificate Connector is installed and grant it Read and Enroll permissions. Do not grant Enroll to broad groups such as Authenticated Users or Domain Users: with the subject supplied in the request and the Client Authentication policy present, any principal that can enroll could obtain a certificate in another user's name.


Click OK and close the Certificate Templates console. In the Certification Authority console, right-click Certificate Templates and select New > Certificate Template to Issue.


Select the template created earlier and click OK. The CA can now issue certificates from this template.
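The template settings above are easy to get subtly wrong, and the Security tab is where the risk sits. As an added example (not from the original article), this PowerShell reads the template object from Active Directory and verifies the settings in the steps above, then lists every principal holding the Enroll right so that anything other than the connector's computer account stands out. The template name IntunePKCSUser and the account CORP\INTUNE-CONNECT01$ are placeholders; the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
# Added example, not from the original article.
# Assumptions: ActiveDirectory module available; $TemplateName and $ConnectorAcct
# are placeholders for your own template name and connector computer account.
Import-Module ActiveDirectory

$TemplateName  = 'IntunePKCSUser'          # the template NAME (General tab), not the display name
$ConnectorAcct = 'CORP\INTUNE-CONNECT01$'  # computer account of the connector server

$configNC = (Get-ADRootDSE).configurationNamingContext
$tplDN    = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$props    = 'msPKI-Certificate-Name-Flag', 'msPKI-Private-Key-Flag', 'msPKI-Minimal-Key-Size',
            'msPKI-Enrollment-Flag', 'pKIExtendedKeyUsage'
$tpl = Get-ADObject -Identity $tplDN -Properties $props

# Flag values as defined in MS-CRTD (certificate template schema)
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1    # msPKI-Certificate-Name-Flag: "Supply in the request"
$CT_FLAG_EXPORTABLE_KEY            = 0x10   # msPKI-Private-Key-Flag: "Allow private key to be exported"
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2    # msPKI-Enrollment-Flag: "CA certificate manager approval"
$OID_ClientAuth    = '1.3.6.1.5.5.7.3.2'
$ENROLL_RIGHT_GUID = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # "Enroll" extended right

$checks = [ordered]@{
  'Subject supplied in request'  = [bool]($tpl.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
  'Private key exportable'       = [bool]($tpl.'msPKI-Private-Key-Flag' -band $CT_FLAG_EXPORTABLE_KEY)
  'Minimum key size >= 2048'     = ($tpl.'msPKI-Minimal-Key-Size' -ge 2048)
  'Client Authentication EKU'    = ($tpl.pKIExtendedKeyUsage -contains $OID_ClientAuth)
  # A pended request would never be answered by the connector, so approval must be off.
  'No manager approval required' = -not ($tpl.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS)
}

# Who holds an explicit Allow on the Enroll extended right? (GenericAll/WriteDacl
# holders are not listed here and should be reviewed separately.)
$acl = Get-Acl -Path "AD:\$tplDN"
$enrollers = $acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ObjectType -eq $ENROLL_RIGHT_GUID -and
                   ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) } |
    ForEach-Object { $_.IdentityReference.Value }

$checks['Connector account can enroll'] = ($enrollers -contains $ConnectorAcct)

$checks.GetEnumerator() | ForEach-Object { '{0,-32} {1}' -f $_.Key, $_.Value }

# Subject supplied by the requester + Client Authentication EKU: anyone who can
# enroll can ask for a certificate carrying another user's UPN.
$others = $enrollers | Where-Object { $_ -ne $ConnectorAcct }
if ($others) {
    Write-Warning ("Principals other than the connector can enroll on '{0}': {1}" -f $TemplateName, ($others -join ', '))
}
```

Run it on a domain-joined admin workstation after publishing the template; every line of the check table should read True, and the warning should not appear.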


Configuring Microsoft Intune

Create a device configuration

From the Intune console, click Device configuration. In Profiles, click Create profile.


Enter the name of the profile and select the target platform. In Profile type, select Trusted certificate and click Configure.


In Certificate file, click the button to select the root CA certificate exported earlier in this article (Export the root certificate from the enterprise CA) and click OK to import the .cer file.


The profile can now be assigned to a device group. Deploy this trusted certificate profile before the PKCS profile: a device that does not trust the CA cannot validate the certificate it receives.

Create a PKCS Certificate Profile

From the Intune console, click Device configuration. In Profiles, click Create profile. Enter the name of the profile and select the target platform. In Profile type, select PKCS certificate (not Trusted certificate this time) and click Configure.


Configure the window as follows:

  • Renewal threshold (%): percentage of the validity period remaining at which the device requests a new certificate; the recommended value is 20%.
  • Certificate validity period: validity period of the issued certificate. It cannot exceed the validity period configured on the template.
  • Certification authority: the internal FQDN of the CA server.
  • Certification authority name: the name of the CA as displayed in the Certification Authority console.
  • Certificate template name: the template name (not the display name) of the template created earlier.
Properties of the certificates
  • Subject name format: select the desired value from the drop-down list.
  • Subject alternative name: select User principal name (UPN).
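The three CA-related fields must match the values registered in Active Directory exactly, or the connector will fail to submit requests. As an added example (not from the original article), the PowerShell below reads them from the Enrollment Services container, where every enterprise CA publishes its DNS name, its CA name and the templates it currently issues, and confirms that the template from the previous section is published. The template name IntunePKCSUser is a placeholder; the ActiveDirectory module (RSAT) is assumed.

```powershell
# Added example, not from the original article.
# Assumptions: ActiveDirectory module available; $TemplateName is a placeholder.
Import-Module ActiveDirectory
$TemplateName = 'IntunePKCSUser'

$configNC = (Get-ADRootDSE).configurationNamingContext

# Each enterprise CA registers a pKIEnrollmentService object carrying its host
# name and the list of templates it issues (the "Certificate Templates" folder).
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC" `
                    -LDAPFilter '(objectClass=pKIEnrollmentService)' `
                    -Properties dNSHostName, certificateTemplates

foreach ($ca in $cas) {
    $published = $ca.certificateTemplates -contains $TemplateName
    [pscustomobject]@{
        'Certification authority (FQDN)' = $ca.dNSHostName   # value for "Certification authority"
        'Certification authority name'   = $ca.Name          # value for "Certification authority name"
        'Certificate template name'      = $TemplateName     # value for "Certificate template name"
        'Template published on this CA'  = $published
    }
    if (-not $published) {
        Write-Warning "'$TemplateName' is not issued by $($ca.Name); run 'Certificate Template to Issue' on that CA first."
    }
}
```

Copy the FQDN and CA name from this output into the profile rather than retyping them; a trailing space or a display name used in place of the template name is enough for every request to be rejected.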

The profile has been created.


The certificate has been deployed on my iPad.

