Intune trusted certificate profile

The goal of this procedure is to provide the entire CA certificate chain to the targeted device platform(s).

When creating a certificate profile in DigiCert® Trust Lifecycle Manager, you will configure the issuing certificate authority (CA) that issues the end-entity (EE) certificate to your target device or user.

In addition to configuring the Intune device configuration profile for the SCEP certificate type, you will need to create one or more trusted certificate profiles in Intune for each certificate in the CA hierarchy that you are using.

If you use a root issuing CA, then you will only need to create a trusted certificate profile for that root CA. If you have a multi-tier CA hierarchy, then you will also create a trusted certificate profile for each intermediate CA in the certificate hierarchy. Common CA hierarchies consist of a root CA and a subordinate intermediate issuing CA.

Download the CA certificates from DigiCert ONE

Download the certificate file(s) for your issuing CA from DigiCert® Private CA. The steps depend on whether you have both a root CA and subordinate intermediate issuing CA, or only a root CA.

Create the trusted certificate profile in Intune

  1. In Microsoft Endpoint Manager admin center, select Devices > Manage devices > Configuration.

  2. In the Policies tab, select Create > New Policy.

  3. Configure the desired platform of the devices that will receive the profile and select Trusted Certificate from the dropdown or from the templates list. For detailed steps, refer to Create trusted certificate profiles in Microsoft Intune | Microsoft Docs.

    Note

    When configuring the Destination store for Windows platform devices, select Computer certificate store - Root for the root CA certificate and Computer certificate store - Intermediate for the intermediate/issuer CA certificate.
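To decide how many trusted certificate profiles a downloaded CA chain needs and which Destination store each certificate belongs in, the script below (an added example, not part of this DigiCert or Microsoft documentation) splits a PEM bundle and labels each certificate "Root" when its issuer Name equals its subject Name (self-signed) and "Intermediate" otherwise. It assumes the download is a PEM-encoded bundle; the sample chain at the bottom is constructed for the example and is not a real DigiCert CA.

```python
import base64
import re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(data, pos):
    """Decode the DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                          # long-form length (used by real certs)
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER encodings of one certificate's issuer and subject Names."""
    _, tbs, _ = _tlv(der, 0)                   # Certificate ::= SEQUENCE {
    _, pos, end = _tlv(der, tbs)               #   tbsCertificate SEQUENCE {
    fields = []                                # (tag, tlv_start, tlv_end) per tbs field
    while pos < end:
        tag, _, vend = _tlv(der, pos)
        fields.append((tag, pos, vend))
        pos = vend
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields.pop(0)
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    return der[fields[2][1]:fields[2][2]], der[fields[4][1]:fields[4][2]]

def classify_chain(pem_text):
    """One Intune destination-store label per certificate, in bundle order."""
    stores = []
    for m in PEM_RE.finditer(pem_text):
        der = base64.b64decode("".join(m.group(1).split()))
        issuer, subject = issuer_and_subject(der)
        stores.append("Root" if issuer == subject else "Intermediate")
    return stores

def _der(tag, body):
    """Minimal DER encoder (short lengths only), used only to build the constructed sample."""
    return bytes([tag, len(body)]) + body

def _fake_cert(issuer_cn, subject_cn):
    """Unsigned, structurally valid sample certificate (constructed; not a real DigiCert CA)."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name(issuer_cn) + _der(0x30, b"") + name(subject_cn) + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

def _pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

# constructed two-tier chain: a self-signed root followed by the issuing CA it signed
SAMPLE_CHAIN = _pem(_fake_cert("Example Root CA", "Example Root CA")) + _pem(_fake_cert("Example Root CA", "Example Issuing CA"))
```

Running `classify_chain(SAMPLE_CHAIN)` returns `['Root', 'Intermediate']`, i.e. one profile targeting Computer certificate store - Root and one targeting Computer certificate store - Intermediate; a single-entry `['Root']` result means only the root CA profile is needed.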