Configure and manage certificates on client devices
Certificates are commonly used to provide device authentication, so it is important that you know how to configure and manage certificates on your client devices.
Typically, in an on-premises environment, your organization will deploy the Active Directory Certificate Services (AD CS) role. This role provides the ability to deploy, manage, and provide revocation for digital certificates in your organization. You can also use Group Policy Objects (GPOs) to configure auto-enrollment of appropriate certificates to your users and their devices.
However, in a cloud-based scenario, your users won’t automatically trust certificates issued by your internal certification authority (CA). In addition, because the users’ devices are not AD DS domain-joined, you can’t use GPOs to enable auto-enrollment.
Using Windows Configuration Designer to deploy certificates
Windows Configuration Designer is part of Windows ADK. To use Windows Configuration Designer to deploy certificates, use the following procedure:
- Open Windows Configuration Designer and select the Advanced provisioning tile.
- In the New project wizard, on the Enter project details page, enter a Name and Description, and then select Next.
- On the Choose which settings to view and configure page, select All Windows desktop editions, and then select Next.
- Skip the Import a provisioning package (optional) page by selecting Finish.
- On the Available customizations page, expand Runtime settings and locate the Certificates node.
- You can then configure CA certificates, client certificates, root certificates, trusted people certificates, and trusted provisioners. For example, to deploy a root certificate, select the RootCertificate folder.
- Enter the root certificate name and select Add.
- Select the CertificatePath folder, and browse and select the root certificate you want to deploy.
Add any additional certificates you want to deploy in this package, and then you’re ready to export and distribute the package. The procedure for exporting and distributing provisioning packages was described earlier in this chapter.
Using Intune to deploy certificates
You can use Intune to deploy certificates to your devices. Use the following procedure:
- Open the Microsoft Endpoint Manager admin center and sign in as a global administrator.
- Navigate to Devices, and select Configuration profiles.
- Select Create profile.
- On the Create a profile blade, in the Platform list, select Windows 10 and later.
- In the Profile type list, select Templates, and then select from the following certificate options:
  - PKCS certificate
  - PKCS imported certificate
  - SCEP certificate
  - Trusted certificate
- For example, select Trusted certificate and then select Create.
- On the Trusted certificate page, on the Basics tab, enter a Name and Description, and then select Next.
- On the Configuration settings page, browse and select the certificate file.
- In the Destination store list, verify the store is Computer certificate store – Root and then select Next.
- On the Assignments tab, add the appropriate groups and then select Next.
- Optionally, on the Applicability Rules tab, define any rules for filtering the application of the profile, and then select Next.
- On the Review + create tab, select Create.
In both of these examples, you've learned how to distribute a root certificate to your users' devices. As a result, the devices will trust certificates issued by the certification authority (CA) identified by that root certificate. So, for example, if a user now opened a web browser and connected to an internal web server over HTTPS, and the SSL certificate used by that web server was issued by the internal CA, the connecting client device would trust that certificate.
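The following PowerShell script is an added verification example and is not part of the book or of either tool's own output: it confirms that the root certificate delivered by the provisioning package or Intune profile actually landed in the machine Root store, then connects to an internal HTTPS server and checks that its certificate chains to that root. The thumbprint, server name, and port are hypothetical placeholders.

```powershell
# Added example (not from the book). Verifies that a deployed internal root CA
# is present in Cert:\LocalMachine\Root and that an internal HTTPS server's
# certificate chains to it, which is the trust outcome described above.
# Hypothetical values; replace with your own root CA thumbprint and server name.
param(
    [string]$RootThumbprint = '0000000000000000000000000000000000000000',
    [string]$ServerName     = 'intranet.corp.example',
    [int]$Port              = 443
)

# 1. Is the root certificate present in the machine Root store?
$root = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $RootThumbprint }
if (-not $root) {
    Write-Warning "Root CA $RootThumbprint is not in Cert:\LocalMachine\Root; the package or profile has not applied yet."
    return
}
Write-Output "Root CA present: $($root.Subject) (expires $($root.NotAfter))"

# 2. Fetch the server certificate over TLS. The callback accepts any certificate
#    here only so the handshake completes; trust is evaluated separately in step 3.
$tcp = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
try {
    $ssl.AuthenticateAsClient($ServerName)
    $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}

# 3. Build the chain against the local machine stores and report the outcome.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$trusted   = $chain.Build($serverCert)
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Write-Output "Server cert: $($serverCert.Subject); chain valid: $trusted; chain root: $($chainRoot.Thumbprint)"
if ($trusted -and $chainRoot.Thumbprint -eq $RootThumbprint) {
    Write-Output 'This device trusts certificates issued by the internal CA.'
} else {
    # Each ChainStatus entry names the failure (untrusted root, revocation offline, name mismatch, ...)
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
}
```

Run it in an elevated PowerShell session on a target device after the provisioning package or Intune profile has applied; a warning about an untrusted root means the certificate reached the wrong store or the assignment has not yet synced.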