How to Create and Deploy PFX Certificate Profiles in Intune Standalone

~ Karan Rustagi

I get this question a lot from customers who would like to push certificates to mobile devices for use with Resource Access Profiles, S/MIME, etc., but cannot have an on-premises, Internet-facing server running the Network Device Enrollment Service (NDES). If you are facing the same challenge, Intune has a lesser-known feature called PKCS #12 (PFX) based certificate deployment that can be used in this scenario. In previous releases, an administrator had to supply a .PFX file, which was then deployed to the device, but this has now changed in standalone Intune. You no longer need to supply a .PFX file. Intune, with the help of the Intune Certificate Connector, gets a certificate issued by the Certificate Authority for the user, which is then pushed to the device. There is no need to set up NDES.


The administrator creates and deploys a PKCS #12 (.PFX) certificate profile to the user.

Step 1: The Intune service connects to the on-premises Intune Certificate Connector

Step 2: The on-premises Intune Certificate Connector connects to the on-premises CA to get a certificate issued

Step 3: After the certificate is issued, it is uploaded to the Intune service via the connector

Step 4: The certificate is pushed to the device


Configure your infrastructure

Before you can configure certificate profiles, you must complete the following tasks. In the example discussed below, we will deploy a PFX profile to a Windows Phone 10 device.

Task 1 - Configure certificate templates on the certification authority
Task 2 - Enable, install, and configure the Intune Certificate Connector
Task 3 – Create and deploy a Trusted Root CA certificate Profile and a PKCS #12 (.PFX) profile


Task 1 - Configure certificate templates on the certification authority


1. On the issuing CA, use the Certificate Templates snap-in to create a new custom template, or copy an existing template (such as the User template) and edit the copy, for use with PFX deployment.

The template must have the following configurations:

a. Specify a friendly Template display name for the template.

b. On the Subject Name tab, select Supply in the request.

c. On the Extensions tab, ensure the Description of Application Policies includes Client Authentication or any other usage you require.

Note: Allow private key to be exported must be ticked under Request Handling for PFX deployment to work.


2. Review the Validity period on the General tab of the template. By default, Intune uses the value configured in the template. However, you have the option to configure the CA to allow the requester to specify a different value, which you can then set from within the Intune Administrator console. If you want to always use the value in the template, skip the remainder of this step.

To configure the CA to allow the requester to specify the validity period, on the CA run the following commands:

a. certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE

b. net stop certsvc

c. net start certsvc


3. On the issuing CA, use the Certification Authority snap-in to publish the certificate template.

a. Select the Certificate Templates node, click Action > New > Certificate Template to Issue, and then select the template you created in step 1.

b. Validate that the template was published by viewing it under the Certificate Templates folder.


4. On the CA computer, ensure that the computer that hosts the Intune Certificate Connector has Enroll permission, so that it can access the template used in creating the .PFX profile. Set that permission on the Security tab of the CA computer properties.

Note: To revoke certificates, the service account needs Issue and Manage Certificates rights for each certificate template used by a certificate profile.
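The following script is an added example (not part of the original post and not Microsoft's code) that checks the Task 1 settings from an elevated PowerShell session on the issuing CA, so that a misconfigured template is caught before the profile is deployed. The template display name in $TemplateName is a placeholder, the two flag constants are the values documented in the MS-CRTD template schema, and certutil -getreg / -CATemplates are the standard certutil switches.

```powershell
# Added example: verify the Task 1 template and CA settings on the issuing CA.
# Assumption: $TemplateName is the display name you chose in step 1a (placeholder).
$TemplateName = 'Intune PFX User'

# Template flag bits from the certificate template schema (MS-CRTD).
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1    # Subject Name tab: Supply in the request
$CT_FLAG_EXPORTABLE_KEY            = 0x10   # Request Handling: Allow private key to be exported

# Locate the template object in the Configuration partition of Active Directory.
$configNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$template  = $container.Children | Where-Object { $_.displayName -eq $TemplateName }
if (-not $template) { throw "Template '$TemplateName' not found in AD; check step 1" }

$nameFlags = [int]($template.'msPKI-Certificate-Name-Flag' | Select-Object -First 1)
$keyFlags  = [int]($template.'msPKI-Private-Key-Flag'      | Select-Object -First 1)

# Step 1b: the connector supplies the subject, so the template must allow that.
if ($nameFlags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) { 'OK   subject name is supplied in the request' }
else { 'FAIL subject name is not supplied in the request (step 1b)' }

# Step 1 note: without an exportable key the CA cannot hand back a .PFX.
if ($keyFlags -band $CT_FLAG_EXPORTABLE_KEY) { 'OK   private key is exportable' }
else { 'FAIL private key is not exportable (step 1 note)' }

# Step 2: does the CA accept a requester-supplied validity period?
$editFlags = certutil -getreg Policy\EditFlags
if ($editFlags | Select-String -SimpleMatch 'EDITF_ATTRIBUTEENDDATE') {
    'INFO EDITF_ATTRIBUTEENDDATE set: validity can be overridden from the Intune console'
} else {
    'INFO EDITF_ATTRIBUTEENDDATE not set: Intune uses the validity period in the template'
}

# Step 3: is the template published on this CA?
if (certutil -CATemplates | Select-String -SimpleMatch $TemplateName) { 'OK   template is published on this CA' }
else { 'FAIL template is not published (step 3)' }
```

Because this template issues exportable private keys, keep its application policies limited to what the profile needs and grant Enroll on it only to the connector host account from step 4.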


Task 2 - Enable, install, and configure the Intune Certificate Connector


5. Enable support for the Certificate Connector:

a. Open the Intune administration console, click Admin > Certificate Connector.

b. Click Configure On-Premises Certificate Connector.

c. Select Enable Certificate Connector, and then click OK.


6. Download, install and configure the Certificate Connector.

a. Open the Intune administration console, and then click Admin > Mobile Device Management > Certificate Connector > Download Certificate Connector.

b. After the download completes, run the downloaded installer (ndesconnectorssetup.exe). For .PFX certificates, run the installer on a computer that can connect to the Certification Authority. Choose the .PFX Distribution option, click Install, and configure the remaining settings in the wizard.


7. Open a command prompt, type services.msc, and press Enter. Right-click the Intune Connector Service, and then click Restart.


Task 3 – Create and deploy a Trusted Root CA certificate Profile and a PKCS #12 (.PFX) profile


8. Export the Trusted Root CA certificate as a .cer file from the issuing CA, or any device that trusts your issuing CA. You do not export the private key. You will import this certificate when you configure a Trusted CA certificate profile.

Please note that this step is optional for the PFX profile itself, but it is needed for the end-to-end scenario to work if the certificate must be trusted on your client.


9. Create a trusted certificate profile:

a. Open the Intune administration console, and click Policy > Configuration Policies > Add.

b. Configure the following policy type:

Windows > Trusted Certificate Profile (Windows Phone 8.1 and later)


10. Provide the requested information to configure the trusted certificate profile. In the Certificate file setting, import the Trusted Root CA certificate (.cer) that you exported from your issuing CA in step 8.


11. When you are finished, click Save Policy and Deploy.


12. Create a .PFX certificate profile:

a. Open the Intune administration console, click Policy > Configuration Policies > Add.

b. Configure the following policy type:

Windows > PKCS #12 (.PFX) Certificate Profile (Windows 10 Desktop and Mobile and later)


13. Provide the information requested on the policy form.

Note:

a. Certification authority - Specify the internal FQDN of the Certificate Authority server, e.g. Server1.domain.local

b. Certification authority name - Specify the certificate authority name as displayed in the Certification Authority MMC. Look under Certification Authority (Local).


14. When you are finished, click Save Policy and Deploy.


PKCS #12 (.PFX) Certificate Profiles are currently supported on Windows 10 Desktop and Mobile and Android only. A future service update will add support for iOS.


Note: PKCS #12 (.PFX) Certificate Profiles are now supported on iOS

Date - 29/04/2016