How to use certificates with Intune to secure your devices and resources

Certificates are digital credentials that can be used to authenticate and encrypt communication between devices and resources, such as VPN, Wi-Fi, email, and applications. Certificates can also provide a seamless and secure user experience, as they eliminate the need for entering usernames and passwords. However, managing certificates across multiple devices and platforms can be challenging and complex. That’s why Intune, a cloud-based service that helps you manage and secure your devices, offers built-in settings and tools to help you use certificates with ease and efficiency.

In this blog post, I will show you how to use certificates with Intune to secure your devices and resources, and how to configure and deploy them using device configuration profiles.

What are the types of certificates supported by Intune?

Intune supports three types of certificates and provisioning methods:

  • Simple Certificate Enrollment Protocol (SCEP): SCEP is a protocol that allows devices to request and receive certificates from a Certification Authority (CA). Intune uses a SCEP certificate profile to specify the settings and policies for the certificate request, such as the subject name, the validity period, the key size, and the certificate template. Intune also uses a trusted certificate profile to deploy the trusted root CA certificate to the devices, which establishes a trust relationship between the devices and the CA. SCEP certificates are unique to each request and device, and can be used for user or device authentication.
  • Public Key Cryptography Standards (PKCS): PKCS is a set of standards that define the formats and operations of cryptographic keys and certificates. Intune uses a PKCS certificate profile to specify the settings and policies for the certificate enrollment, such as the subject name, the validity period, the key size, and the certificate template. Intune also uses a trusted certificate profile to deploy the trusted root CA certificate to the devices, which establishes a trust relationship between the devices and the CA. PKCS certificates are unique to each device, and can be used for user or device authentication.
  • Imported PKCS: Imported PKCS is a method that allows you to deploy the same certificate that you’ve exported from a source, like an email server, to multiple recipients. This shared certificate is useful to ensure all your users or devices can then decrypt emails that were encrypted by that certificate. Intune uses an imported PKCS certificate profile to specify the settings and policies for the certificate deployment, such as the certificate file, the password, and the certificate store. Intune also uses a trusted certificate profile to deploy the trusted root CA certificate to the devices, which establishes a trust relationship between the devices and the CA. Imported PKCS certificates are not unique to each device, and can be used for email encryption and decryption.

What are the prerequisites and steps to use certificates with Intune?

To use certificates with Intune, you need to have the following prerequisites:

  • A Microsoft 365 E3 or E5 license, or an Intune license for each user or device that you want to protect.
  • A Microsoft Entra ID tenant that is associated with your Microsoft 365 or Intune subscription.
  • A Microsoft Entra ID global administrator account that has access to the Microsoft Entra admin center and the Intune portal.
  • A Certification Authority (CA) that issues the certificates. You can use a Microsoft CA or a third-party CA.
  • An on-premises infrastructure that supports the certificate types you use. For example, you may need a Network Device Enrollment Service (NDES) server for SCEP certificates, a Certificate Connector for Intune for PKCS certificates, or an email server for imported PKCS certificates.

The configuration steps are as follows:

  1. Export the trusted root CA certificate: To use SCEP, PKCS, and imported PKCS certificates, devices must trust your root CA. To establish trust, export the Trusted Root CA certificate, and any intermediate or issuing CA certificates, as a public certificate (.cer) file. You can get these certificates from the issuing CA, or from any device that trusts your issuing CA. You’ll use this .cer file when you create trusted certificate profiles to deploy that certificate to your devices.
  2. Create and deploy a trusted certificate profile: Create and deploy a trusted certificate profile before you create a SCEP, PKCS, or imported PKCS certificate profile. Deploying a trusted certificate profile to the same groups that receive the other certificate profile types ensures that each device can recognize the legitimacy of your CA. This includes profiles like those for VPN, Wi-Fi, and email. SCEP certificate profiles directly reference a trusted certificate profile. PKCS and imported PKCS certificate profiles don’t directly reference the trusted certificate profile but do use it on the device. Deploying a trusted certificate profile to devices ensures this trust is established. When a device doesn’t trust the root CA, the SCEP or PKCS certificate profile policy will fail. Create a separate trusted certificate profile for each device platform you want to support, just as you’ll do for SCEP, PKCS, and imported PKCS certificate profiles.
  3. Create and deploy a SCEP, PKCS, or imported PKCS certificate profile: Create and deploy a certificate profile for the certificate type and provisioning method you want to use. You can specify the settings and policies for the certificate, such as the subject name, the validity period, the key size, the certificate template, the certificate file, the password, and the certificate store. You can also assign the certificate profile to the same groups that receive the trusted certificate profile. Create a separate certificate profile for each device platform you want to support, just as you’ll do for the trusted certificate profile.
  4. Monitor and troubleshoot the certificate deployment: After deploying the certificate profiles, you can monitor and troubleshoot the certificate deployment by checking the device configuration status and logs in the Intune portal. You can also view the certificate details and properties on the devices.
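
Steps 1 and 4 can be scripted on a Windows machine. The PowerShell below is an added example, not part of the original post or of Intune itself: it exports the root and intermediate CA certificates as public .cer files, then lists the certificates in the local stores that chain to that root. The `$RootThumbprint` parameter and the `$OutDir` folder are assumptions you supply.

```powershell
# Added example, not from the original post. Run on a Windows machine that already
# trusts your CA. $RootThumbprint is a placeholder you supply; $OutDir is an assumed path.
param(
    [Parameter(Mandatory)] [string] $RootThumbprint,
    [string] $OutDir = (Join-Path $env:TEMP 'intune-ca-export')
)

# Return the thumbprint of the top-most certificate in the chain Windows builds for $Cert.
function Get-ChainRootThumbprint {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust path only; revocation is not evaluated
    [void] $chain.Build($Cert)
    $n = $chain.ChainElements.Count
    if ($n -gt 0) { $chain.ChainElements[$n - 1].Certificate.Thumbprint }
}

# Step 1: export the root CA and its issuing/intermediate CAs as public .cer files.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $RootThumbprint
if (-not $root) { throw "Root CA $RootThumbprint not found in LocalMachine\Root" }
if ($root.Subject -ne $root.Issuer) { throw 'Certificate is not self-signed, so it is not a root CA' }

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
# -Type CERT writes only the public certificate (DER); no private key is exported.
Export-Certificate -Cert $root -FilePath (Join-Path $OutDir 'root-ca.cer') -Type CERT | Out-Null

Get-ChildItem Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -ne $_.Issuer -and (Get-ChainRootThumbprint $_) -eq $root.Thumbprint } |
    ForEach-Object {
        $file = Join-Path $OutDir "intermediate-$($_.Thumbprint).cer"
        Export-Certificate -Cert $_ -FilePath $file -Type CERT | Out-Null
    }

# Step 4: list certificates in the personal stores that chain to that root,
# with expiry and whether the private key is present on this machine.
Get-ChildItem Cert:\LocalMachine\My, Cert:\CurrentUser\My |
    Where-Object { (Get-ChainRootThumbprint $_) -eq $root.Thumbprint } |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey,
        @{ Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - (Get-Date)).TotalDays } }
```

An empty result from the last command means no certificate in the personal stores chains to the root you named, which is the first thing to check when a VPN, Wi-Fi, or email profile that depends on the certificate fails.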

Conclusion

Certificates are a powerful and convenient way to secure your devices and resources with Intune. They provide authenticated and encrypted access to your corporate resources, such as VPN, Wi-Fi, email, and applications. They also provide a seamless and secure user experience, as they eliminate the need for entering usernames and passwords. To use certificates with Intune, you need to have the appropriate licenses and roles, and follow the steps to export the trusted root CA certificate and to create and deploy the trusted certificate profile and the SCEP, PKCS, or imported PKCS certificate profiles.
