User client authentication
DigiCert certificate profile
Microsoft device configuration profile
Follow these steps to create a device configuration profile in Microsoft Intune to get certificates from a specific certificate profile in DigiCert® Trust Lifecycle Manager.
1. In Microsoft Endpoint Manager admin center, select Devices > Manage devices > Configuration > Create.
2. Configure the desired platform of the devices that will receive the profile and select SCEP Certificate from the drop-down or from the Templates list.
3. For Configuration Settings, configure settings and values to match your corresponding DigiCert certificate profile in Trust Lifecycle Manager.
Setting | Comments |
---|---|
Certificate type: User | Corresponds to the DigiCert profile type and Device Seat type. Depending on the platform OS behavior, this determines the storage location of the key/certificate on the target device. |
Subject name format | Include attributes and values that are sourced from the SCEP request by the Trust Lifecycle Manager certificate profile. |
Subject alternative name | Include attributes and values that are sourced from the SCEP request by the Trust Lifecycle Manager certificate profile. |
Certificate validity period | Match with the Trust Lifecycle Manager certificate profile configuration. |
Key storage provider (KSP) | Only determines the target platform behavior. |
Key usage | The certificate issued by DigiCert contains the key usage (typically Digital Signature and Key Encipherment) set in the Trust Lifecycle Manager certificate profile, regardless of the Microsoft configuration setting. However, this setting may also influence how the target device OS enforces key flag settings and usages on that device, so it is recommended that the setting match the intended purpose in the Trust Lifecycle Manager certificate profile configuration. |
Key size | Match with the Trust Lifecycle Manager certificate profile configuration. |
Hash algorithm | Select the strongest level of security that the connecting devices support. |
Root certificate | The CA certificate that issues the end-entity certificate, as configured in the Trust Lifecycle Manager certificate profile. If you are using a multi-tier CA certificate hierarchy, select the issuing CA certificate file here. Make sure you have Intune trusted certificate profiles in place for both the root CA and issuing/intermediate CA(s). |
Extended key usage | The certificate issued by DigiCert contains the extended key usage set in the DigiCert Certificate Profile, regardless of the Microsoft configuration setting. However, this setting may also influence how the target platform OS enforces key flag settings and usages on that device, so it is recommended that the setting match the intended purpose in the DigiCert Certificate Profile configuration. |
Renewal threshold (%) | This value should be tuned to match the Renewal enrollment setting in the DigiCert certificate profile. |
SCEP Server URL | For proper formatting, refer to the table of SCEP URL formats. |
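
The following Python check is an added example, not DigiCert or Microsoft code: it compares an exported Intune SCEP profile with the values expected from the Trust Lifecycle Manager certificate profile for the settings in the table above. The JSON field names follow the Microsoft Graph SCEP profile resource as an assumption, `EXPECTED` is a hypothetical hand-written summary of the DigiCert profile, and the DigiCert renewal window being expressed in days before expiry is also an assumption.

```python
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth OID
SCALE_DAYS = {"days": 1, "months": 30, "years": 365}  # approximate conversion

# Constructed sample of an exported Intune SCEP profile (field names assumed).
INTUNE_PROFILE = {
    "keyUsage": "keyEncipherment,digitalSignature",
    "keySize": "size2048",
    "hashAlgorithm": "sha1",
    "certificateValidityPeriodValue": 1,
    "certificateValidityPeriodScale": "years",
    "renewalThresholdPercentage": 20,
    "extendedKeyUsages": [{"name": "Client Authentication", "objectIdentifier": CLIENT_AUTH}],
}

# Hypothetical summary of the Trust Lifecycle Manager profile, typed in by hand.
EXPECTED = {
    "key_usage": {"digitalSignature", "keyEncipherment"},
    "key_size": 2048,
    "validity_days": 365,
    "renewal_window_days": 30,  # assumed: renewal allowed this many days before expiry
    "eku_oids": {CLIENT_AUTH},
}

def check_profile(intune, expected):
    """Return (setting, detail) pairs for each value that drifts from the CA profile."""
    findings = []
    usage = {u.strip() for u in intune["keyUsage"].split(",") if u.strip()}
    if usage != expected["key_usage"]:
        findings.append(("Key usage", f"{sorted(usage)} != {sorted(expected['key_usage'])}"))
    ekus = {e["objectIdentifier"] for e in intune["extendedKeyUsages"]}
    if ekus != expected["eku_oids"]:
        findings.append(("Extended key usage", f"{sorted(ekus)} != {sorted(expected['eku_oids'])}"))
    size = int(intune["keySize"].replace("size", ""))
    if size != expected["key_size"]:
        findings.append(("Key size", f"{size} != {expected['key_size']}"))
    days = intune["certificateValidityPeriodValue"] * SCALE_DAYS[intune["certificateValidityPeriodScale"]]
    if days != expected["validity_days"]:
        findings.append(("Certificate validity period", f"{days}d != {expected['validity_days']}d"))
    if intune["hashAlgorithm"].lower() == "sha1":
        findings.append(("Hash algorithm", "SHA-1 selected; use SHA-2 where devices support it"))
    # Intune requests renewal when this share of the lifetime remains; convert to days.
    renew_at = days * intune["renewalThresholdPercentage"] / 100
    if renew_at > expected["renewal_window_days"]:
        findings.append(("Renewal threshold (%)", f"device renews {renew_at:.0f}d before expiry"))
    return findings

if __name__ == "__main__":
    for setting, detail in check_profile(INTUNE_PROFILE, EXPECTED):
        print(f"MISMATCH {setting}: {detail}")
```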