> ## Documentation Index
> Fetch the complete documentation index at: https://docs.iru.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Using Identity Certificates for 802.1X Authentication

> Deploy identity certificates for 802.1X network authentication using Iru Endpoint. Configure SCEP, certificate authorities, and Wi-Fi or Ethernet profiles.

<Callout icon="apple" color="#B84A7A" iconType="regular">This guide applies to Mac computers</Callout>

### About Identity Certificates

In 802.1X authentication, identity certificates play a crucial role in ensuring security. They are particularly significant in the EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) method. EAP-TLS uses digital certificates to authenticate both the client (supplicant) and the server (authentication server). This mutual authentication guarantees that both parties trust each other's identity before establishing a secure connection.

<Note>
  Identity certificates can be used in both the [Wi-Fi Library Item](/en/endpoint/library/library-items-profiles/configure-the-wi-fi-library-item) and [Ethernet Library Item](/en/endpoint/library/library-items-profiles/configure-the-ethernet-library-item).
</Note>

### Configure an Identity Certificate

Certain types of authentication require or allow you to specify an identity certificate to verify the device’s identity. These certificates can come from various sources. For network authentication, make sure the identity certificates include the Client Authentication entitlement in their Extended Key Usage (EKU). Work with your network administrator to ensure the certificate service and templates are properly configured for your network.

If you use Microsoft Active Directory Certificate Services, you can issue identity certificates through the [AD CS integration overview](/en/endpoint/integrations/certificate-services/active-directory-certificate-services/active-directory-certificate-services-ad-cs-integration-overview). AD CS servers are added during [AD CS integration configuration](/en/endpoint/integrations/certificate-services/active-directory-certificate-services/active-directory-certificate-services-ad-cs-integration-configure-the-integration), and certificate requests rely on the configured [AD CS computer certificate template](/en/endpoint/integrations/certificate-services/active-directory-certificate-services/active-directory-certificate-services-ad-cs-integration-create-a-computer-certificate-template).

### Obtain an identity certificate using AD CS

You can obtain identity certificates using Microsoft Active Directory Certificate Services.

<Note>
  To deploy AD CS certificates, the [AD CS integration](/en/endpoint/integrations/certificate-services/active-directory-certificate-services/active-directory-certificate-services-ad-cs-integration-overview) must be configured first.
</Note>

<Steps>
  <Step title="Select AD CS identity source">
    For **Identity certificate**, choose **AD CS Certificate**.
  </Step>

  <Step title="Open AD CS configuration">
    Click **Configure AD CS Certificate** to open the AD CS configuration drawer.
  </Step>

  <Step title="Enter certificate name">
    Enter a **Certificate name**. This appears on the configuration profile in System Settings.
  </Step>

  <Step title="Enter certificate subject">
    Enter a **Certificate subject**. This usually identifies the device within the certificate authority. You can use a static value or a global variable such as `$SERIAL_NUMBER`.
  </Step>

  <Step title="Configure subject alternative names">
    Add any required **Subject Alternative Names (SANs)** to send in the certificate request.
  </Step>

  <Step title="Add strong mapping URI when required">
    To support strong certificate mapping requirements from Windows update [KB5014754](https://support.microsoft.com/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16), add this URI SAN value: `$ADCS_STRONG_MAPPING_ID`. For full guidance, see [Active Directory Strong Certificate Mapping Configuration](/en/endpoint/integrations/certificate-services/active-directory-certificate-services/active-directory-certificate-services-ad-cs-strong-mapping-configuration).
  </Step>

  <Step title="Set template and AD CS server">
    Enter the **Template name** for the AD CS computer certificate template used to generate AD CS certificates, then select an **AD CS server** from the dropdown.
  </Step>

  <Step title="Select key size and private key options">
    Select a **Key size**. Optionally choose **Allow apps to access the private key** and **Prevent the private key data from being extracted from the keychain** based on your security requirements.
  </Step>

  <Step title="Save configuration">
    Click **Done**.
  </Step>
</Steps>

### Obtain an Identity Certificate Using SCEP

Using the Simple Certificate Enrollment Protocol (SCEP), you can obtain identity certificates.

<Steps>
  <Step title="Select SCEP Certificate Type">
    If you wish to have the client device acquire an identity certificate from a SCEP service, choose **SCEP** for an **Identity certificate**.
  </Step>

  <Step title="Configure SCEP Certificate">
    Click **Configure SCEP Certificate**. A drawer opens to allow you to configure SCEP options.

    <Frame>
      <img src="https://mintcdn.com/iru/31OfB-o1LvAjxToj/assets/media/images/8hcdxaulseiecghqdntvojs4jz4dhjlmia.png?fit=max&auto=format&n=31OfB-o1LvAjxToj&q=85&s=e5d3b0b17608249fa3629cfe29285db5" alt="Identity certificate Configure SCEP Certificate drawer with SCEP options" width="2464" height="732" data-path="assets/media/images/8hcdxaulseiecghqdntvojs4jz4dhjlmia.png" />
    </Frame>
  </Step>

  <Step title="Configure SCEP Server Details">
    Enter the URL for the SCEP server for **URL**. Optionally, specify a **Name** as needed by your SCEP server (often the name of the CA where the SCEP service is requesting a certificate). Optionally, enter the pre-shared key as the **Challenge** the SCEP server expects. Optionally, enter the expected **Fingerprint** of the certificate authority's certificate.
  </Step>

  <Step title="Configure Certificate Subject">
    Optionally, provide the name you want to appear as the certificate identity's **Subject**. You can use a static value or a global variable, such as CN=\$EMAIL.
  </Step>

  <Step title="Configure Subject Alternative Names">
    Select **Specify Subject Alternative Names (SAN)** if you want to provide SANs for the certificate identity. For each SAN you would like to provide, click **Add SAN Type**, select the SAN type you want to add: **DNS Name**, **RFC 822 Name**, **Uniform Resource Identifier**, or **NT Principal Name**, and enter the associated value you would like to add for each SAN type. You can use a static value or use a global variable.
  </Step>

  <Step title="Configure Key Settings">
    Choose the **Key size**. Work with your network administrator to ensure you choose a compatible key size; longer keys generally provide stronger security. For **Key usage**, choose whether to allow the keys to be used for **Signing**, **Encryption**, **Both signing and encryption**, or **None**. Work with your network administrator to determine which entitlements are necessary.

    <Frame>
      <img src="https://mintcdn.com/iru/Ly6qLp_EGhIu2ep-/assets/media/images/iru-configure-scep-details.png?fit=max&auto=format&n=Ly6qLp_EGhIu2ep-&q=85&s=f8ec74ea0b5dc3de4d3cc092a7f10ce1" alt="SCEP Certificate details configuration interface" width="1962" height="1970" data-path="assets/media/images/iru-configure-scep-details.png" />
    </Frame>
  </Step>

  <Step title="Configure Retry Settings">
    If you want the device to retry obtaining a certificate if the first attempt fails automatically, select **Retries**, then enter the number of retries to attempt. The default is 3. If you want to introduce a delay between retries, select **Retry delay** and specify the number of seconds between retries. The default is a 10-second delay between retries.
  </Step>

  <Step title="Configure Security and Access Settings">
    Select **Don't allow key to be extracted** to prevent exporting the certificate identity's private key from the macOS Keychain. Select **Allow access to all apps** if you want to automatically allow all apps to access and use the certificate identity's private key.
  </Step>

  <Step title="Configure Certificate Management">
    Select **Certificate expiration notification** and specify the number of days before the certificate expires to start notifying the user. The default is to notify the user 14 days before expiration. Select **Automatic profile redistribution** to automatically renew the certificate the specified number of days before it expires. The default is to automatically renew the certificate 30 days before expiration.

    <Note>
      When **Automatic profile redistribution** is enabled, specify a user global variable in the Subject Alternative Names (SAN) if user information is required in the certificate. This is necessary because the Wi-Fi Library Item ID is added to the Common Name in the certificate's subject to track certificate renewal.
    </Note>
  </Step>

  <Step title="Save SCEP Configuration">
    Click **Done** to save the SCEP certificate configuration.
  </Step>
</Steps>

### Import a PKCS #12 File

You can provide a single identity certificate for all configured devices by uploading a PKCS #12 formatted file. This means all devices will use the same certificate, making it harder for network administrators to identify individual devices by their login. However, it also means that if the certificate is compromised, it can be used to access the network. Revoking this certificate will block all configured devices from accessing the network.

<Steps>
  <Step title="Select PKCS #12 Certificate Type">
    If you wish to provide a certificate in PKCS #12 format, choose **PKCS #12** for the **Identity certificate**.
  </Step>

  <Step title="Configure PKCS #12 Certificate">
    Click **Configure PKCS #12** to open the **Configure PKCS #12** drawer.

    <Frame>
      <img src="https://mintcdn.com/iru/Pp4ndpzRp4nipP1L/assets/media/images/-9h-hfnqw9dpaygl4gqt-e3cbijbc0xgwq.png?fit=max&auto=format&n=Pp4ndpzRp4nipP1L&q=85&s=12ac4e58ecf3cbac3b8287defb66df71" alt="Configure PKCS 12 drawer opened from Identity certificate" width="2534" height="732" data-path="assets/media/images/-9h-hfnqw9dpaygl4gqt-e3cbijbc0xgwq.png" />
    </Frame>
  </Step>

  <Step title="Upload certificate">
    Upload the PKCS #12 encoded certificate for the **Certificate** (drag file or click to upload).
  </Step>

  <Step title="Enter password">
    In the **Password** field, provide the password for the certificate.
  </Step>

  <Step title="Configure Access and Security Settings">
    If you want apps to access the private key of the certificate, select **Allow apps to access the private key**.
  </Step>

  <Step title="Prevent private key extraction from keychain (optional)">
    If you do not want the user to be able to export the private key using the keychain, select **Prevent the private data from being extracted in the keychain**.

    <Frame>
      <img src="https://mintcdn.com/iru/2JN9EXN6FEm5sMxP/assets/media/images/3EVM-hBwT9BEmYe460wo79qHLGpfHbP3LQ.png?fit=max&auto=format&n=2JN9EXN6FEm5sMxP&q=85&s=62c07e8cb88ba015f35bef4af15241d1" alt="PKCS 12 option Prevent the private data from being extracted in the keychain" width="1379" height="2021" data-path="assets/media/images/3EVM-hBwT9BEmYe460wo79qHLGpfHbP3LQ.png" />
    </Frame>
  </Step>

  <Step title="Complete the configuration">
    Click **Done** to complete the PKCS #12 certificate configuration.
  </Step>
</Steps>

### Related Articles

<CardGroup cols={2}>
  <Card title="Network Authentication Overview" icon="wifi" href="/en/endpoint/networking-and-connectivity/network-authentication-overview">
    Compare Wi-Fi authentication types and when to use enterprise vs non-enterprise options
  </Card>

  <Card title="Configure the Wi-Fi Library Item" icon="wifi" href="/en/endpoint/library/library-items-profiles/configure-the-wi-fi-library-item">
    Configure the Wi-Fi Library Item for network deployment
  </Card>

  <Card title="Configure the Ethernet Library Item" icon="network-wired" href="/en/endpoint/library/library-items-profiles/configure-the-ethernet-library-item">
    Configure 802.1X authentication for wired networks
  </Card>

  <Card title="Configure EAP Extensible Authentication Protocol Types" icon="apple" href="/en/endpoint/library/deployment-guides/apple/configure-eap-extensible-authentication-protocol-types">
    Configure EAP types for 802.1X authentication
  </Card>
</CardGroup>
