
User client authentication

DigiCert certificate profile

See Create certificate profile in Trust Lifecycle Manager.

Microsoft device configuration profile

Follow these steps to create a device configuration profile in Microsoft Intune to get certificates from a specific certificate profile in DigiCert® Trust Lifecycle Manager.

  1. In the Microsoft Endpoint Manager admin center, select Devices > Manage devices > Configuration > Create.

  2. Configure the desired platform of the devices that will receive the profile and select SCEP Certificate from the drop-down or from the Templates list.

  3. For Configuration Settings, configure settings and values to match your corresponding DigiCert certificate profile in Trust Lifecycle Manager.

| Setting | Comments |
| --- | --- |
| Certificate type: User | Corresponds to the DigiCert profile type and Device Seat type. Depending on the platform OS behavior, this determines the storage location of the key/certificate on the target device. |
| Subject name format | Include attributes and values that are sourced from the SCEP request by the Trust Lifecycle Manager certificate profile. |
| Subject alternative name | Include attributes and values that are sourced from the SCEP request by the Trust Lifecycle Manager certificate profile. |
| Certificate validity period | Match with the Trust Lifecycle Manager certificate profile configuration. |
| Key storage provider (KSP) | Only determines the target platform behavior. |
| Key usage | The certificate issued by DigiCert will contain the Key usage (typically, Digital Signature and Key Encipherment) as set in the Trust Lifecycle Manager certificate profile, regardless of the Microsoft configuration setting. However, this setting may also influence how the target device OS enforces key flag settings and usages on that device, so it is recommended that the setting match the intended purpose in the Trust Lifecycle Manager certificate profile configuration. |
| Key size | Match with the Trust Lifecycle Manager certificate profile configuration. |
| Hash algorithm | Select the strongest level of security that the connecting devices support. |
| Root certificate | The CA certificate that issues the end-entity certificate, as configured in the Trust Lifecycle Manager certificate profile. If you are using a multi-tier CA certificate hierarchy, select the issuing CA certificate file here. Make sure you have Intune trusted certificate profiles in place for both the root CA and issuing/intermediate CA(s). |
| Extended key usage | The certificate issued by DigiCert will contain the Extended key usage as set in the DigiCert Certificate Profile, regardless of the Microsoft configuration setting. However, this setting may also influence how the target platform OS enforces key flag settings and usages on that device, so it is recommended that the setting match the intended purpose in the DigiCert Certificate Profile configuration. |
| Renewal threshold (%) | This value should be tuned to match the Renewal enrollment setting in the DigiCert certificate profile. |
| SCEP Server URL | For proper formatting, refer to the table of SCEP URL formats. |
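
A post-deployment check for the settings above, as an added example (not DigiCert or Microsoft code): it inspects the certificates a Windows device received and reports where they differ from the intended profile. It assumes a Windows device where a User certificate lands in the `CurrentUser\My` store and an RSA key; the function name and every value in `$Expected` are constructed placeholders to replace with the values from your Trust Lifecycle Manager certificate profile.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Constructed placeholders: replace with the values configured in your
# Trust Lifecycle Manager certificate profile.
$Expected = @{
    IssuerCN     = 'Example Issuing CA'                 # placeholder issuing CA name
    KeySize      = 2048
    ValidityDays = 365
    KeyUsage     = 'DigitalSignature, KeyEncipherment'  # the typical usage named above
    EkuOid       = '1.3.6.1.5.5.7.3.2'                  # Client Authentication
}

function Test-ScepUserCertificate {
    param([Parameter(Mandatory)][X509Certificate2]$Cert,
          [Parameter(Mandatory)][hashtable]$Expected)
    $findings = @()

    # Key size (RSA assumed; GetRSAPublicKey returns $null for other key types).
    $rsa = [RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if (-not $rsa) { $findings += 'public key is not RSA' }
    elseif ($rsa.KeySize -ne $Expected.KeySize) { $findings += "key size is $($rsa.KeySize)" }

    # Validity period, rounded to whole days.
    $days = [math]::Round(($Cert.NotAfter - $Cert.NotBefore).TotalDays)
    if ($days -ne $Expected.ValidityDays) { $findings += "validity is $days days" }

    # A SHA-1 signature means a weaker hash than the devices could likely support.
    if ($Cert.SignatureAlgorithm.FriendlyName -match 'sha1') { $findings += 'SHA-1 signature' }

    # Key usage comes from the CA-side profile, whatever the Intune setting says.
    $ku = $Cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    $wanted = [X509KeyUsageFlags]$Expected.KeyUsage
    if (-not $ku -or $ku.KeyUsages -ne $wanted) { $findings += "key usage is '$($ku.KeyUsages)'" }

    # Extended key usage must include the expected OID.
    $eku = $Cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    if ($eku.EnhancedKeyUsages.Value -notcontains $Expected.EkuOid) { $findings += 'expected EKU missing' }

    if (-not $Cert.HasPrivateKey) { $findings += 'no private key in this store' }
    $findings
}

# Report every certificate in the user store issued by the expected CA.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like "*CN=$($Expected.IssuerCN)*" } |
    ForEach-Object {
        $f = Test-ScepUserCertificate -Cert $_ -Expected $Expected
        [pscustomobject]@{ Thumbprint = $_.Thumbprint; Findings = if ($f) { $f -join '; ' } else { 'OK' } }
    }
```

Run it in the enrolled user's session; no output means no certificate from the expected issuing CA is present in that user's store.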
