This Library Item is available for Apple and Windows devices
Create a Certificate Profile
To add this Library Item to your Iru Endpoint Library, follow the steps outlined in the Library Overview article.
1. Name the Library Item
Give your Library Item a descriptive title.
2. Assign to Blueprint
Assign the Certificate library item to a Blueprint.
Apple Certificate Configuration
Select the certificate type you are deploying. Supported types include:
- PKCS #1-formatted certificates (.cer, .crt, .der): contain a certificate without a corresponding private key.
- PKCS #12-formatted certificates (.p12, .pfx): contain both a certificate and its corresponding private key.
- AD CS certificates: generated from a Microsoft Active Directory Certificate Services (AD CS) PKI environment.
PKCS #1-formatted Certificates
To deploy a PKCS #1-formatted certificate, use the steps below:
1. Select certificate type
From the Certificate type drop-down, select PKCS #1-formatted certificate.
2. Upload certificate file
Under Certificate, upload your .cer, .crt, or .der file. You can also drag the file onto the upload box.
3. Enter certificate name
Enter a Certificate name. This is the display name of the certificate that will appear in System Settings on macOS.
4. Save configuration
Click Save to finish configuration.
PKCS #1 certificates contain only the certificate itself and do not include a private key. If your workflow requires both a certificate and private key, use a PKCS #12-formatted certificate instead.
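As an added example (not Iru Endpoint's own code), the following Python script checks a file before you pick a Certificate type: it tells a bare DER-encoded X.509 certificate (the .cer/.crt/.der option, which carries no private key) apart from a PKCS #12 bundle (.p12/.pfx) and from PEM text, and for PEM reports whether a PRIVATE KEY block is present. The sample inputs are constructed ASN.1 skeletons and PEM stubs rather than real certificates, and the function names are assumptions of this example.

```python
"""Pre-upload check for certificate files (added example, not Iru Endpoint code).

Tells apart a bare DER-encoded X.509 certificate (the .cer/.crt/.der option,
which carries no private key), a PKCS #12 bundle (.p12/.pfx, certificate plus
encrypted private key) and PEM text, so the matching Certificate type is chosen.
"""
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if len(buf) < pos + 2:
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def classify(data: bytes) -> dict:
    """Return {'format': ..., 'key_state': 'none' | 'present' | 'encrypted-bundle' | 'unknown'}."""
    if data.lstrip().startswith(b"-----BEGIN"):
        labels = PEM_BLOCK.findall(data.decode("ascii", "replace"))
        has_key = any("PRIVATE KEY" in label for label in labels)
        return {"format": "PEM", "blocks": labels,
                "key_state": "present" if has_key else "none"}
    if len(data) < 2 or data[0] != 0x30:   # every accepted binary form starts with a SEQUENCE
        return {"format": "unknown", "key_state": "unknown"}
    try:
        _, body, _ = _read_tlv(data, 0)
        inner_tag, inner_val, _ = _read_tlv(body, 0)
    except ValueError:
        return {"format": "unknown", "key_state": "unknown"}
    if inner_tag == 0x02 and inner_val == b"\x03":
        # PFX ::= SEQUENCE { version INTEGER (v3), authSafe ContentInfo, ... }
        return {"format": "PKCS12", "key_state": "encrypted-bundle"}
    if inner_tag == 0x30:
        # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm, signature }
        return {"format": "DER-certificate", "key_state": "none"}
    return {"format": "unknown", "key_state": "unknown"}


def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder used only to build the constructed samples below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_octets)]) + length_octets + content


# Constructed samples: outer ASN.1 skeletons only, not real certificates or keys.
SAMPLE_DER_CERT = _der(0x30, _der(0x30, b"\xa0\x03\x02\x01\x02")   # tbsCertificate, version v3
                       + _der(0x30, b"") + _der(0x03, b"\x00"))
SAMPLE_PKCS12 = _der(0x30, _der(0x02, b"\x03") + _der(0x30, b""))
SAMPLE_PEM_WITH_KEY = (b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
                       b"-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, blob in [("cert.der", SAMPLE_DER_CERT), ("identity.p12", SAMPLE_PKCS12),
                       ("bundle.pem", SAMPLE_PEM_WITH_KEY)]:
        print(name, classify(blob))
```

A PKCS #12 result is reported as an encrypted bundle rather than as "key present", because whether the bundle actually holds a private key can only be seen after it is decrypted with the certificate password; a PEM bundle that contains a PRIVATE KEY block cannot be uploaded as the .cer/.crt/.der type and belongs in a PKCS #12 file instead.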
PKCS #12-formatted Certificates
When you select PKCS #12-formatted certificate, follow these steps to configure it for your environment.
1. Enter certificate password
Certificate password - This option appears when you select the PKCS #12-formatted certificate type. Enter the password used to decrypt the certificate identity.
2. Upload certificate file
Certificate - Click to upload your certificate or certificate identity file. You can also drag it onto the Certificate box.
3. Enter certificate name
Certificate name - Give the certificate a name that will appear on the configuration profile.
4. Configure app access to private key
Allow apps to access the private key - This option appears when you select the PKCS #12-formatted certificate or AD CS Certificate types. By selecting it, all apps will automatically be able to use the certificate identity. This is useful when you’re setting up apps or services that require certificate-based authentication.
If you deselect this option, users with administrator privileges will need to use the Keychain app to allow the use of the certificate identity.
5. Configure keychain protection
Prevent the private key data from being extracted from the keychain - This option appears when you select the PKCS #12-formatted certificate or AD CS Certificate types. This prevents the private key from being exported from the macOS keychain and ensures the identity stays on the Mac where it was deployed.
6. Save configuration
Click Save when finished.
AD CS Certificates
Apple devices only: AD CS certificates are available only for Apple devices.
To deploy AD CS certificates via Iru Endpoint, the AD CS Integration must first be set up and configured.
1. Enter certificate name
Enter a Certificate name. This will appear on the configuration profile.
2. Configure certificate subject
Enter a Certificate subject. The Certificate subject identifies the device within the Certificate Authority. You can use anything you’d like, such as the Iru Endpoint Global Variable $SERIAL_NUMBER. The $SERIAL_NUMBER global variable inserts the device serial number into the profile before sending it to the device.
3. Specify Subject Alternative Names
Specify additional Subject Alternative Names (SANs) to be sent in the request. To support Strong Certificate Mapping (required since Windows Update KB5014754 for enhanced security), add the following ADCS Strong mapping ID Uniform Resource Identifier (URI):
$ADCS_STRONG_MAPPING_ID
4.
5. Enter template name
Enter a Template name. This is the name of the AD CS computer certificate template used to generate AD CS certificates.
6. Select AD CS server
Select an AD CS server from the drop-down menu. AD CS servers are added during the setup of the AD CS integration.
7. Select key size
Select a Key size for the certificate.
8. Configure app access to private key (optional)
Optionally, select Allow apps to access the private key. This is useful when you’re setting up apps that support certificate-based authentication.
9. Configure keychain protection (optional)
Optionally, select Prevent the private key data from being extracted from the keychain.
10. Save configuration
Click Save.
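The Certificate subject and SAN steps above rely on global variables being substituted before the request reaches AD CS. The following Python script is an added example, not Iru Endpoint code: it expands $VARIABLE placeholders in a constructed SAN template, refuses to send an unresolved name literally, and then verifies that the resulting SANs carry a strong-mapping URI of the form Microsoft documents for KB5014754, `tag:microsoft.com,2022-09-14:sid:<SID>`. That $ADCS_STRONG_MAPPING_ID expands to a URI of exactly that form is an assumption of this example, as are the serial number, SID and function names.

```python
"""Strong-mapping SAN check for AD CS requests (added example, not Iru Endpoint code).

Assumes the $ADCS_STRONG_MAPPING_ID global variable expands to the URI form
Microsoft documents for KB5014754 strong certificate mapping,
'tag:microsoft.com,2022-09-14:sid:<SID>'.  The variable values and SAN lists
below are constructed for illustration.
"""
import re

STRONG_MAPPING_PREFIX = "tag:microsoft.com,2022-09-14:sid:"
SID_RE = re.compile(r"^S-1-\d+(?:-\d+){1,15}$")      # shape of a Windows security identifier
VARIABLE_RE = re.compile(r"\$([A-Z_]+)")


def expand(template: str, variables: dict) -> str:
    """Substitute $NAME placeholders; an unknown name is an error, not a literal sent to the CA."""
    def sub(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"unresolved variable ${name}")
        return variables[name]
    return VARIABLE_RE.sub(sub, template)


def strong_mapping_sid(sans):
    """Return the SID from a strong-mapping URI SAN, or None when absent or malformed.

    `sans` is a list of (type, value) pairs as read from a certificate's SAN extension.
    """
    for san_type, value in sans:
        if san_type == "URI" and value.startswith(STRONG_MAPPING_PREFIX):
            sid = value[len(STRONG_MAPPING_PREFIX):]
            if SID_RE.match(sid):
                return sid
    return None


# Constructed values standing in for what the server substitutes per device.
VARIABLES = {
    "SERIAL_NUMBER": "C02SAMPLE001",
    "ADCS_STRONG_MAPPING_ID":
        "tag:microsoft.com,2022-09-14:sid:S-1-5-21-1111111111-2222222222-3333333333-1234",
}
# Hypothetical list-of-pairs shape for the SAN template entered in the profile.
SAN_TEMPLATE = [("DNS", "mac-$SERIAL_NUMBER.corp.example"), ("URI", "$ADCS_STRONG_MAPPING_ID")]


def rendered_sans(template=SAN_TEMPLATE, variables=VARIABLES):
    """Expand every SAN entry in the template."""
    return [(san_type, expand(value, variables)) for san_type, value in template]


if __name__ == "__main__":
    sans = rendered_sans()
    print(sans)
    print("strong mapping SID:", strong_mapping_sid(sans))
```

The same `strong_mapping_sid` check can be run against the SANs of a certificate that has already been issued to a Mac; a result of None on a certificate that is meant to authenticate against Windows services means the KB5014754 mapping will not be found.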
Troubleshooting
Certificates Marked as Untrusted
When you deploy a device certificate, include the complete certificate trust chain:
- The device certificate
- Any intermediate certificates
- The root certificate
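To see why a missing link shows up as "untrusted", the following Python script (an added example, not Iru Endpoint code) walks issuer-to-subject links from the device certificate up to a self-signed root and names the first issuer the deployed bundle does not contain. The certificates are constructed dicts holding only subject and issuer names; matching by name alone is a simplification of this example, since a real validator also compares key identifiers and signatures.

```python
"""Trust-chain completeness check (added example, not Iru Endpoint code).

Walks issuer -> subject links from the device certificate to a self-signed root
and reports the first issuer that the deployed bundle does not contain.  The
certificates are constructed dicts with subject/issuer names; a real check would
read those names (and the key identifiers) from the parsed certificates.
"""


def chain_gap(device_cert: dict, bundle: list):
    """Return (ordered_chain, missing_issuer); missing_issuer is None when the chain is complete."""
    by_subject = {cert["subject"]: cert for cert in bundle}
    chain, current = [device_cert], device_cert
    while current["subject"] != current["issuer"]:     # a self-signed root ends the walk
        issuer = by_subject.get(current["issuer"])
        if issuer is None:
            return chain, current["issuer"]
        if issuer in chain:
            raise ValueError(f"issuer loop at {issuer['subject']}")
        chain.append(issuer)
        current = issuer
    return chain, None


# Constructed names for a three-tier PKI.
DEVICE = {"subject": "CN=C02SAMPLE001,O=Example Corp", "issuer": "CN=Example Issuing CA"}
INTERMEDIATE = {"subject": "CN=Example Issuing CA", "issuer": "CN=Example Root CA"}
ROOT = {"subject": "CN=Example Root CA", "issuer": "CN=Example Root CA"}


def check_bundle(bundle: list) -> str:
    """Human-readable verdict for a deployed bundle that should contain the full chain."""
    chain, missing = chain_gap(DEVICE, bundle)
    if missing is None:
        return "complete: " + " -> ".join(c["subject"] for c in chain)
    return f"incomplete: nothing in the bundle issued by {missing}"


if __name__ == "__main__":
    print(check_bundle([DEVICE, INTERMEDIATE, ROOT]))
    print(check_bundle([DEVICE, ROOT]))          # intermediate missing: the Mac shows it as untrusted
```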