Documentation for Configure The Certificate Library Item.
This Library Item is available for Apple and Windows devices.
You can upload certificates and deploy them to your Apple and Windows devices using the Certificate Library Item. This is useful when you’re configuring services that need a valid certificate trust chain or apps that support certificate-based authentication.
To deploy a PKCS #1-formatted certificate to Apple devices, use the steps below:
1. Select certificate type
   From the Certificate type drop-down, select PKCS #1-formatted certificate.
2. Upload certificate file
   Under Certificate, upload your .cer, .crt, or .der file. You can also drag the file onto the upload box.
3. Enter certificate name
   Enter a Certificate name. This is the display name of the certificate that will appear in System Settings on macOS.
4. Save configuration
   Click Save to finish configuration.
PKCS #1 certificates contain only the certificate itself and do not include a private key. If your workflow requires both a certificate and private key, use a PKCS #12-formatted certificate instead.
When you select PKCS #12-formatted certificate for Apple devices, follow these steps to configure it for your environment.
1. Enter certificate password
   Certificate password - This option appears when you select the PKCS #12-formatted certificate type. Enter the password used to decrypt the certificate identity.
2. Upload certificate file
   Certificate - Click to upload your certificate or certificate identity file. You can also drag it onto the Certificate box.
3. Enter certificate name
   Certificate name - Give the certificate a name that will appear on the configuration profile.
4. Configure app access to private key
   Allow apps to access the private key - This option appears when you select the PKCS #12-formatted certificate type. When it is selected, all apps can automatically use the certificate identity. This is useful when you’re setting up apps or services that require certificate-based authentication.
   If you deselect this option, users with administrator privileges will need to use the Keychain app to allow the use of the certificate identity.
5. Configure keychain protection
   Prevent the private key data from being extracted from the keychain - This option appears when you select the PKCS #12-formatted certificate type. This prevents the private key from being exported from the macOS keychain and ensures the identity stays on the Mac where it was deployed.
When you deploy a device certificate, include the complete certificate trust chain:
- The device certificate
- Any intermediate certificates
- The root certificate
Certificate trust chains work hierarchically, starting with a trusted root certificate, passing through intermediates, and ending with the device certificate. Each certificate vouches for the next, creating a verifiable path back to a trusted source.
If any part of the chain is missing, devices may mark the certificate as untrusted. This can lead to connection issues or warnings. Make sure you upload and deploy the full chain.
To deploy a PKCS #1-formatted certificate to Windows devices, use the steps below:
1. Select certificate type
   From the Certificate type drop-down, select PKCS #1-formatted certificate.
2. Upload certificate file
   Under Certificate, upload your .cer, .crt, or .der file. You can also drag the file onto the upload box.
3. Select certificate store
   Under Certificate store, select where the certificate will be installed.
4. Save configuration
   Click Save to finish configuration.
PKCS #1 certificates contain only the certificate itself and do not include a private key. If your workflow requires both a certificate and private key, use a PKCS #12-formatted certificate instead.
When you select PKCS #12-formatted certificate for Windows devices, follow these steps to configure it for your environment.
1. Enter certificate password
   Certificate password - This option appears when you select the PKCS #12-formatted certificate type. Enter the password used to decrypt the certificate identity.
2. Upload certificate file
   Certificate - Click to upload your certificate or certificate identity file. You can also drag it onto the Certificate box.
3. Configure key location
   Key location: Select where the certificate’s key will be stored in Windows.
4. Set private key export option
   Allow private key to be exported: Choose whether the private key can be exported from Windows after deployment.
When you deploy a device certificate, include the complete certificate trust chain:
- The device certificate
- Any intermediate certificates
- The root certificate
Certificate trust chains work hierarchically, starting with a trusted root certificate, passing through intermediates, and ending with the device certificate. Each certificate vouches for the next, creating a verifiable path back to a trusted source.
If any part of the chain is missing, devices may mark the certificate as untrusted. This can lead to connection issues or warnings. Make sure you upload and deploy the full chain.
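A pre-upload check for the trust chain requirement, which applies to both the Apple and Windows steps. This is an added example, not part of the original documentation: it uses the OpenSSL command line to confirm that a device certificate verifies up to the root only when the intermediates are supplied. The file names, the `demo-*` subjects and the helper functions `chain_complete` and `make_demo_chain` are constructed for illustration, and PEM-encoded files are assumed.

```shell
#!/bin/sh
# Added example: confirm a device certificate chains to its root before upload.
# All certificates below are throwaway, constructed test material.

# chain_complete LEAF ROOT [INTERMEDIATES]
# Exit 0 only if LEAF verifies up to ROOT using the optional INTERMEDIATES bundle.
chain_complete() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# make_demo_chain DIR
# Build a constructed root -> intermediate -> device chain inside DIR.
make_demo_chain() {
    d=$1
    # CA certificates must carry basicConstraints CA:TRUE to sign other certificates.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    for n in root intermediate device; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.pem" \
        -CAkey "$d/root.key" -CAcreateserial -days 1 \
        -extfile "$d/ca.ext" -out "$d/intermediate.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/device.csr" -CA "$d/intermediate.pem" \
        -CAkey "$d/intermediate.key" -CAcreateserial -days 1 \
        -out "$d/device.pem" 2>/dev/null
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_demo_chain "$demo" || { echo "openssl could not build the demo chain" >&2; exit 1; }

# Full chain supplied: the device certificate verifies.
if chain_complete "$demo/device.pem" "$demo/root.pem" "$demo/intermediate.pem"; then
    echo "full chain: device certificate verifies"
fi
# Intermediate left out: the same device certificate is rejected.
if ! chain_complete "$demo/device.pem" "$demo/root.pem"; then
    echo "intermediate missing: device certificate does not verify"
fi
```

To check real files, call `chain_complete device.pem root.pem intermediates.pem` with your own certificates; a DER-encoded file can be converted first with `openssl x509 -inform der -in cert.der -out cert.pem`.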