
Intune trusted certificate profile

The goal of this procedure is to provide the entire CA certificate chain to the targeted device platform(s).

When creating a certificate profile in DigiCert® Trust Lifecycle Manager, you will configure the issuing certificate authority (CA) that issues the end-entity (EE) certificate to your target device or user.

In addition to configuring the Intune device configuration profile for the SCEP certificate type, you will need to create a trusted certificate profile in Intune for each certificate in the CA hierarchy that you are using. Trusted certificate profiles are platform-specific, so repeat this for each device platform you target.

If your issuing CA is itself a root CA (it issues the end-entity certificates directly), you only need a trusted certificate profile for that root CA. If you have a multi-tier CA hierarchy, you also need a trusted certificate profile for each intermediate CA in the chain, in addition to the root. The most common hierarchy consists of a root CA and one subordinate intermediate issuing CA, which requires two trusted certificate profiles.

Download the CA certificates

Download the certificate file(s) for your issuing CA from DigiCert® CA Manager. The steps depend on whether you have both a root CA and subordinate intermediate issuing CA, or only a root CA.

Intermediate/Root CA hierarchy

  1. Open the managers menu on the top-right of the screen and select CA to switch to CA Manager.

  2. In the CA Manager menu, select Intermediates to view your intermediate issuing CAs.

  3. Find the CA you will use to issue Intune SCEP certificates from Trust Lifecycle Manager, open the actions menu next to the CA name, and select the option to Download certificate .cer.

  4. Note the Parent CA name for your issuing CA, then select Roots in the CA Manager menu to view your root CAs.

  5. Find the root CA for your intermediate issuing CA, open the actions menu next to the root CA name, and select the option to Download certificate .cer.

Root CA only

  1. Open the managers menu on the top-right of the screen and select CA to switch to CA Manager.

  2. In the CA Manager menu, select Roots to view your root issuing CAs.

  3. Find the CA you will use to issue Intune SCEP certificates from Trust Lifecycle Manager, open the actions menu next to the CA name, and select the option to Download certificate .cer.

Create the trusted certificate profile in Intune

  1. In Microsoft Endpoint Manager admin center, select Devices > Manage devices > Configuration.

  2. In the Policies tab, select Create > New Policy.

  3. Configure the desired platform of the devices that will receive the profile and select Trusted Certificate from the dropdown or from the templates list. For detailed steps refer to Create trusted certificate profiles in Microsoft Intune | Microsoft Docs.

    Note

    When configuring the Destination store for Windows platform devices, select Computer certificate store - Root for the root CA certificate and Computer certificate store - Intermediate for the intermediate/issuer CA certificate. Placing an intermediate CA in the Root store, or the root CA in the Intermediate store, causes chain building on the device to fail or to trust the wrong anchor, so check each profile's store against the certificate it carries.
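The following PowerShell is an added example, not code from DigiCert or Microsoft, that does two checks a practitioner wants around this procedure: before upload, it confirms that the two .cer files downloaded from CA Manager really form a root/intermediate pair (self-issued root, intermediate that chains to that root and carries the CA basic constraint); after the profiles deploy, run on a target Windows device, it confirms that each certificate landed in the store the Note above calls for. The file paths `C:\certs\root.cer` and `C:\certs\intermediate.cer` are assumptions; substitute the files you downloaded. Intune's "Computer certificate store - Root" corresponds to `Cert:\LocalMachine\Root` and "Computer certificate store - Intermediate" to `Cert:\LocalMachine\CA` in the Windows certificate provider.

```powershell
# Added example (not DigiCert's or Microsoft's code).
# Assumed paths: the .cer files downloaded from DigiCert CA Manager.
$rootPath = 'C:\certs\root.cer'          # assumption: downloaded root CA certificate
$intPath  = 'C:\certs\intermediate.cer'  # assumption: downloaded intermediate issuing CA certificate

# X509Certificate2 loads either DER or PEM encoded .cer files.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rootPath
$int  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $intPath

# --- Check 1: the files are a consistent root/intermediate pair ---------------

# A root CA certificate is self-issued: Subject and Issuer are the same name.
if ($root.Subject -ne $root.Issuer) {
    throw "$rootPath is not a self-issued root certificate (Issuer: $($root.Issuer))"
}

# The intermediate must name the root as its issuer.
if ($int.Issuer -ne $root.Subject) {
    throw "$intPath was not issued by the subject of $rootPath (Issuer: $($int.Issuer))"
}

# The intermediate must be marked as a CA in its Basic Constraints extension.
$bc = $int.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "$intPath does not carry a CA Basic Constraints extension; it is not a CA certificate"
}

# Build the chain from the intermediate using only the downloaded root as a trust
# anchor candidate, without relying on what is already in the local machine stores.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
$chain.ChainPolicy.RevocationMode    = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
if (-not $chain.Build($int)) {
    throw "Chain did not build: $($chain.ChainStatus.Status -join ', ')"
}
$anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($anchor.Thumbprint -ne $root.Thumbprint) {
    throw "Chain terminates at '$($anchor.Subject)', not at the downloaded root"
}
"OK: '$($int.Subject)' chains to root '$($root.Subject)'"
"Root thumbprint:         $($root.Thumbprint)"
"Intermediate thumbprint: $($int.Thumbprint)"

# --- Check 2 (run on an enrolled Windows device after the profiles deploy) -----

# Intune "Computer certificate store - Root"         -> Cert:\LocalMachine\Root
# Intune "Computer certificate store - Intermediate" -> Cert:\LocalMachine\CA
$expected = @(
    @{ Name = 'root CA';         Store = 'Cert:\LocalMachine\Root'; Thumbprint = $root.Thumbprint }
    @{ Name = 'intermediate CA'; Store = 'Cert:\LocalMachine\CA';   Thumbprint = $int.Thumbprint }
)
foreach ($e in $expected) {
    $found = Get-ChildItem -Path $e.Store | Where-Object { $_.Thumbprint -eq $e.Thumbprint }
    if ($found) {
        "OK: $($e.Name) present in $($e.Store)"
    } else {
        "MISSING: $($e.Name) ($($e.Thumbprint)) not found in $($e.Store)"
    }
}
```

Run the first half on the workstation where you downloaded the files, before creating the Intune profiles; run the second half (or the whole script, with the same two files copied across) on a device that has received the profiles. A MISSING result for the intermediate while the root is present usually means the intermediate profile was assigned to the wrong store, not that delivery failed.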