
Device authentication

Device certificates contain identity information commonly needed for computer (client) to server, server to server, and device to server authentication. This type of certificate is issued from DigiCert® Trust Lifecycle Manager using the Device Authentication for Microsoft Intune (SCEP) certificate profile template, which consumes Device seats from your account.

The following is an example of a typical certificate configuration. It may not meet your specific application requirements.

You should configure the profile to meet the X.509 certificate profile requirements of your third-party application, and to comply with your organization's other IT practices, conventions, and certificate policies.

Create certificate profile in Trust Lifecycle Manager

Follow these steps to launch and work through the certificate profile creation wizard in DigiCert® Trust Lifecycle Manager. Select Next to progress through the wizard screens and make selections specific to your organization's Intune certificate issuance needs.

  1. In Trust Lifecycle Manager, select Policies > Certificate profiles from the left navigation menu, then select the button to Create profile from template.

  2. Select either the Device authentication for Microsoft Intune (SCEP) or User client authentication for Microsoft Intune (SCEP) template as the basis for creating the new profile, depending on your certificate type requirement.

  3. Under Primary options, enter a Profile name and select a Business unit and Issuing CA from the dropdown lists.

  4. Under Authentication method, select the Microsoft Intune connector for the Intune tenant that will request certificates from this profile.

  5. Under Certificate fields, specify the certificate validity period and units (under Certificate expires in), Algorithm, and Key size for the profile. Only RSA keys are offered, because the SCEP protocol supports only the RSA key type.

  6. Under Flow options, check the relevant checkboxes to specify whether the profile allows certificate validity periods to be overridden by API requests, and whether the profile allows duplicate certificates.

  7. Under Renewal options, select a Renewal window duration, either from the default values in the dropdown list, or by selecting Custom and specifying a value between 1 and 90 days.

  8. Under Subject DN and SAN fields, select the certificate subject fields you require from the dropdown list and specify the source for each field's value (SCEP request or Fixed value). A field sourced from the SCEP request is populated from the certificate signing request the device submits, which Intune builds from the subject name and SAN format defined in the Intune SCEP device configuration profile; use Fixed value for any field that must be identical on every certificate issued from this profile.

  9. Under Extensions, select the required Key usage (KU) and Extended key usage (EKU) values for the certificate profile. By default the KU extension is marked critical and the EKU extension is marked non-critical; the criticality of either can be changed by selecting the relevant radio button.

  10. On the Additional options screen, the Certificate delivery format is preselected as X.509 PEM for SCEP certificate profiles. Make additional selections as needed.

  11. Under Advanced settings, select the certificate field to be bound to your Seat ID (Seat ID mapping). Under SCEP options, make selections if needed to change the default Encryption algorithm and SCEP standard.

  12. Select Create to save the new certificate profile with your configured settings.

    A popup opens with the corresponding SCEP Server URL for this certificate profile. Copy and save it somewhere safe. You will need it when configuring device configuration profiles in Intune.
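Once a device has enrolled, a practitioner typically wants to confirm that the certificate it received actually matches the profile configured above (RSA key of the configured size, KU marked critical, EKU present and non-critical, and how close the certificate is to the renewal window). The following PowerShell script is an added example written for this page; it is not DigiCert's or Microsoft's code. It runs on an Intune-enrolled Windows device and uses only the .NET X509 classes. The expected key size, key usage flags, EKU OIDs, renewal window and the `*DigiCert*` issuer filter are assumptions to be replaced with the values you configured in the profile.

```powershell
# Added example (not DigiCert's or Microsoft's code): check an issued certificate
# against the Trust Lifecycle Manager SCEP profile settings described above.
# Run in an elevated PowerShell session on an enrolled Windows device.
function Test-IntuneScepCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        # Assumed profile values; replace with your own configuration.
        [int]$ExpectedKeySize = 2048,
        [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]$ExpectedKeyUsage =
            [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature,
        [string[]]$RequiredEkuOids = @('1.3.6.1.5.5.7.3.2'),   # id-kp-clientAuth
        [int]$RenewalWindowDays = 30
    )

    $rsaOid   = '1.2.840.113549.1.1.1'   # rsaEncryption
    $findings = New-Object System.Collections.Generic.List[string]

    # Certificate fields (step 5): SCEP profiles issue RSA keys only; check type and size.
    if ($Certificate.PublicKey.Oid.Value -ne $rsaOid) {
        $findings.Add("Key algorithm is $($Certificate.PublicKey.Oid.FriendlyName), expected RSA")
    } else {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
        if ($rsa.KeySize -ne $ExpectedKeySize) {
            $findings.Add("RSA key size is $($rsa.KeySize), expected $ExpectedKeySize")
        }
    }

    # Extensions (step 9): KU should be critical and contain the configured flags.
    $ku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    if (-not $ku) {
        $findings.Add('Key Usage extension missing')
    } else {
        if (-not $ku.Critical) { $findings.Add('Key Usage extension is not marked critical') }
        if (($ku.KeyUsages -band $ExpectedKeyUsage) -ne $ExpectedKeyUsage) {
            $findings.Add("Key Usage is '$($ku.KeyUsages)', expected to include '$ExpectedKeyUsage'")
        }
    }

    # Extensions (step 9): EKU is non-critical by default but must list the required purposes.
    $eku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku) {
        $findings.Add('Extended Key Usage extension missing')
    } else {
        if ($eku.Critical) { $findings.Add('Extended Key Usage extension is marked critical (profile default is non-critical)') }
        $present = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        foreach ($oid in $RequiredEkuOids) {
            if ($present -notcontains $oid) { $findings.Add("Required EKU $oid missing") }
        }
    }

    # Renewal options (step 7): report whether the certificate is already inside the renewal window.
    $daysLeft        = [int]($Certificate.NotAfter - (Get-Date)).TotalDays
    $inRenewalWindow = $daysLeft -le $RenewalWindowDays

    [pscustomobject]@{
        Thumbprint      = $Certificate.Thumbprint
        Subject         = $Certificate.Subject
        ValidFrom       = $Certificate.NotBefore
        ValidTo         = $Certificate.NotAfter
        DaysRemaining   = $daysLeft
        InRenewalWindow = $inRenewalWindow
        Compliant       = ($findings.Count -eq 0)
        Findings        = $findings.ToArray()
    }
}

# Usage: check every certificate in the machine store whose issuer name contains
# 'DigiCert' (assumption: substitute the name of your Issuing CA).
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like '*DigiCert*' } |
    ForEach-Object { Test-IntuneScepCertificate -Certificate $_ -ExpectedKeySize 2048 } |
    Format-List
```

For certificates issued from the User client authentication for Microsoft Intune (SCEP) template, query `Cert:\CurrentUser\My` instead of the machine store. A non-empty `Findings` list means the device's certificate does not match the profile as configured, which is usually a sign that the Intune device configuration profile and the Trust Lifecycle Manager profile have drifted apart.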