About Identity Certificates
In 802.1X authentication, identity certificates play a crucial role in ensuring security. They are particularly significant in the EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) method. EAP-TLS uses digital certificates to authenticate both the client (supplicant) and the server (authentication server). This mutual authentication guarantees that both parties trust each other’s identity before establishing a secure connection.Configure an Identity Certificate
Certain types of authentication require or allow you to specify an identity certificate to verify the device’s identity. These certificates can come from various sources. For network authentication, make sure the identity certificates include the Client Authentication entitlement in their Extended Key Usage (EKU). Work with your network administrator to ensure the certificate service and templates are properly configured for your network. If you use Microsoft Active Directory Certificate Services, you can issue identity certificates through the AD CS integration overview. AD CS servers are added during AD CS integration configuration, and certificate requests rely on the configured AD CS computer certificate template.Obtain an identity certificate using AD CS
You can obtain identity certificates using Microsoft Active Directory Certificate Services.Enter certificate name
Enter certificate subject
$SERIAL_NUMBER.Configure subject alternative names
Add strong mapping URI when required
$ADCS_STRONG_MAPPING_ID. For full guidance, see Active Directory Strong Certificate Mapping Configuration.Set template and AD CS server
Select key size and private key options
Obtain an Identity Certificate Using SCEP
Using the Simple Certificate Enrollment Protocol (SCEP), you can obtain identity certificates.Select SCEP Certificate Type
Configure SCEP Certificate

Configure SCEP Server Details
Configure Certificate Subject
Configure Subject Alternative Names
Configure Key Settings

Configure Retry Settings
Configure Security and Access Settings
Configure Certificate Management
Import a PKCS #12 File
You can provide a single identity certificate for all configured devices by uploading a PKCS #12 formatted file. This means all devices will use the same certificate, making it harder for network administrators to identify individual devices by their login. However, it also means that if the certificate is compromised, it can be used to access the network. Revoking this certificate will block all configured devices from accessing the network.Select PKCS #12 Certificate Type
Upload certificate
Configure Access and Security Settings
Prevent private key extraction from keychain (optional)

