This Library Item is available for Apple and Windows devices
You can upload certificates and deploy them to your Apple and Windows devices using the Certificate Library Item. This is useful when you’re configuring services that need a valid certificate trust chain or apps that support certificate-based authentication. If your organization uses Microsoft Active Directory Certificate Services (AD CS), complete the tenant-side AD CS Integration: Overview and AD CS Integration: Configure the Integration so issuing CAs are available in Iru Endpoint. Use this Library Item to deploy root and intermediate trust chains from uploaded files. To request certificates from AD CS, add the AD CS certificate type in this same Library Item and follow AD CS Certificates below when that type appears for your tenant.

Create a Certificate Profile

To add this Library Item to your Iru Endpoint Library, follow the steps outlined in the Library Overview article.

1. Name the Library Item
Give your Library Item a descriptive title.

2. Assign to Blueprint
Assign the Certificate Library Item to a Blueprint.

Apple Certificate Configuration

Select the certificate type you are deploying. Supported types include:
  • PKCS #1-formatted certificates (.cer, .crt, .der)
    • Contain a certificate without a corresponding private key.
  • PKCS #12-formatted certificates (.p12, .pfx)
    • Contain both a certificate and corresponding private key.

PKCS #1-formatted Certificates

To deploy a PKCS #1-formatted certificate, use the steps below:

1. Select certificate type
From the Certificate type drop-down, select PKCS #1-formatted certificate.

2. Upload certificate file
Under Certificate, upload your .cer, .crt, or .der file. You can also drag the file onto the upload box.

3. Enter certificate name
Enter a Certificate name. This is the display name of the certificate that will appear in System Settings on macOS.

4. Save configuration
Click Save to finish configuration.

PKCS #1 certificates contain only the certificate itself and do not include a private key. If your workflow requires both a certificate and a private key, use a PKCS #12-formatted certificate instead.
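Before uploading, it is worth confirming which kind of file you actually have: a certificate-only file (the PKCS #1 type above) never carries a private key, and a .p12/.pfx identity cannot be opened at all without the password you enter in the PKCS #12 steps. The script below is an added example, not Iru Endpoint's own code or tooling. It assumes the openssl command-line tool is installed, and it builds its own constructed sample files (a self-signed certificate in PEM and DER form, and a PKCS #12 identity protected with a constructed password) so it runs offline.

```shell
#!/bin/sh
# Added example (not Iru Endpoint's own code): classify a certificate file
# before uploading it, so that a certificate-only file (the PKCS #1 type
# above) and a PKCS #12 identity (certificate + private key) are not mixed
# up. Assumes the openssl CLI is installed; all sample files are constructed.
set -eu

# Prints x509-pem, x509-der, pkcs12 or unknown for the file in $1.
# $2 is the PKCS #12 password; it is only consulted for .p12/.pfx files.
cert_kind() {
  if openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then
    echo x509-pem
  elif openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then
    echo x509-der
  elif openssl pkcs12 -in "$1" -noout -passin "pass:${2:-}" 2>/dev/null; then
    echo pkcs12
  else
    echo unknown   # not a certificate or PKCS #12 file, or the password is wrong
  fi
}

# Prints yes when the file carries a private key (a certificate identity),
# no when it is certificate-only, unknown when it could not be read.
has_private_key() {
  case "$(cert_kind "$1" "${2:-}")" in
    pkcs12)
      if openssl pkcs12 -in "$1" -passin "pass:${2:-}" -nocerts -nodes 2>/dev/null \
          | grep -q 'PRIVATE KEY'; then echo yes; else echo no; fi ;;
    x509-*) echo no ;;
    *) echo unknown ;;
  esac
}

# Writes constructed samples into $1: cert.pem (self-signed), cert.der
# (the same certificate in DER form) and identity.p12 (certificate + key,
# protected with the password in $2).
make_samples() {
  d=$1; pw=$2
  # Tiny req config so the example does not depend on the system openssl.cnf
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = constructed-sample\n' > "$d/req.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/req.cnf" \
    -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
  openssl x509 -in "$d/cert.pem" -outform DER -out "$d/cert.der"
  openssl pkcs12 -export -inkey "$d/key.pem" -in "$d/cert.pem" \
    -passout "pass:$pw" -out "$d/identity.p12"
}

# Stand-alone run: classify each constructed sample and report whether it
# carries a private key.
demo() {
  d=$(mktemp -d); pw=c0nstructed-pw
  make_samples "$d" "$pw"
  for f in cert.pem cert.der identity.p12; do
    printf '%-13s kind=%-9s private_key=%s\n' "$f" \
      "$(cert_kind "$d/$f" "$pw")" "$(has_private_key "$d/$f" "$pw")"
  done
  rm -rf "$d"
}
demo
```

A file that comes back as `unknown` with the password you intend to enter in the Library Item is the same file the upload will reject, so this is a cheap check to run before you save the profile. The DER/PEM branches deliberately ignore the password argument, since certificate-only files are never encrypted.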

PKCS #12-formatted Certificates

When you select PKCS #12-formatted certificate, follow these steps to configure it for your environment.

1. Enter certificate password
Certificate password - This option appears when you select the PKCS #12-formatted certificate type. Enter the password used to decrypt the certificate identity.

2. Upload certificate file
Certificate - Click to upload your certificate or certificate identity file. You can also drag it onto the Certificate box.

3. Enter certificate name
Certificate name - Give the certificate a name that will appear on the configuration profile.

4. Configure app access to private key
Allow apps to access the private key - This option appears when you select the PKCS #12-formatted certificate type. When selected, all apps can automatically use the certificate identity, which is useful when you are setting up apps or services that require certificate-based authentication. If you deselect this option, users with administrator privileges will need to use the Keychain app to allow the use of the certificate identity.

5. Configure keychain protection
Prevent the private key data from being extracted from the keychain - This option appears when you select the PKCS #12-formatted certificate type. It prevents the private key from being exported from the macOS keychain and ensures the identity stays on the Mac where it was deployed.

6. Save configuration
Click Save when finished.

AD CS Certificates

If the AD CS certificate type is available in your tenant, use the steps below to configure a certificate request from Active Directory Certificate Services. To deploy AD CS certificates, the AD CS integration must already be set up and configured.

1. Enter certificate name
Enter a Certificate name. This appears on the configuration profile in System Settings.

2. Enter certificate subject
Enter a Certificate subject used to identify the device within the certificate authority. You can use a static value or a global variable such as $SERIAL_NUMBER.

3. Add subject alternative names
Add any Subject Alternative Names (SANs) required for the certificate request.

4. Add strong mapping URI when required
To support the strong certificate mapping requirements from Windows update KB5014754, add this URI SAN value: $ADCS_STRONG_MAPPING_ID.

5. Set template and AD CS server
Enter the Template name for the AD CS computer certificate template used to generate AD CS certificates, then select an AD CS server from the drop-down. AD CS servers are added during AD CS integration configuration.

6. Select key and private key options
Select a Key size. Optionally select Allow apps to access the private key and Prevent the private key data from being extracted from the keychain.

7. Save configuration
Click Save.

Troubleshooting

Certificates Marked as Untrusted

When you deploy a device certificate, include the complete certificate trust chain:
  • The device certificate
  • Any intermediate certificates
  • The root certificate

Certificate trust chains work hierarchically, starting with a trusted root certificate, passing through intermediates, and ending with the device certificate. Each certificate vouches for the next, creating a verifiable path back to a trusted source. If any part of the chain is missing, devices may mark the certificate as untrusted. This can lead to connection issues or warnings. Make sure you upload and deploy the full chain.
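The script below is an added example, not Iru Endpoint's or Microsoft's code, that ties this troubleshooting note to the AD CS steps above (certificate subject, SANs and the strong-mapping URI). It assumes the openssl command-line tool is installed and constructs its own root, issuing CA and device certificates; the CA names, the device serial used as the subject, the DNS name and the SID in the strong-mapping URI are all constructed values. It also assumes that $ADCS_STRONG_MAPPING_ID is rendered as a URI of the form tag:microsoft.com,2022-09-14:sid:<SID>, the format KB5014754 describes; if your tenant renders it differently, adjust the pattern in has_strong_mapping. verify_reason reproduces the "untrusted" symptom by checking the device certificate against the root with and without the intermediate, and cert_subject/cert_sans show what an issued certificate actually contains.

```shell
#!/bin/sh
# Added example (not Iru Endpoint's or Microsoft's code). Builds a constructed
# root -> issuing CA -> device chain with openssl, shows the "untrusted"
# symptom when the intermediate is missing, and inspects the device
# certificate's subject and SANs, including the KB5014754 strong-mapping URI.
# Assumes the openssl CLI is installed. Every name, the device serial, the
# DNS name and the SID below are constructed values.
set -eu

# Minimal req/extension config so nothing depends on the system openssl.cnf.
# The strong-mapping URI contains a comma, so the SAN is given as a section
# rather than a comma-separated list.
write_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_ee]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = @san
[san]
URI.1 = tag:microsoft.com,2022-09-14:sid:S-1-5-21-1111111111-2222222222-3333333333-1234
DNS.1 = C02CONSTRUCTED1.corp.example
EOF
}

# Creates root.pem, inter.pem and device.pem (plus keys and CSRs) in $1.
make_chain() {
  d=$1; c=$d/req.cnf; write_cnf "$c"
  # Root CA: self-signed, CA:TRUE from the v3_ca section
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$c" \
    -subj "/CN=Constructed Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Issuing CA: CSR signed by the root, also CA:TRUE
  openssl req -new -newkey rsa:2048 -nodes -config "$c" \
    -subj "/CN=Constructed Issuing CA" -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 1 -extfile "$c" -extensions v3_ca -out "$d/inter.pem" 2>/dev/null
  # Device certificate: subject is the constructed serial, SANs from v3_ee
  openssl req -new -newkey rsa:2048 -nodes -config "$c" \
    -subj "/CN=C02CONSTRUCTED1" -keyout "$d/device.key" -out "$d/device.csr" 2>/dev/null
  openssl x509 -req -in "$d/device.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial \
    -days 1 -extfile "$c" -extensions v3_ee -out "$d/device.pem" 2>/dev/null
}

# Prints OK when device cert $1 chains to root $2 (with optional intermediate
# file $3), otherwise the openssl lookup error that explains the failure.
verify_reason() {
  leaf=$1; root=$2; inter=${3:-}
  if [ -n "$inter" ]; then set -- -untrusted "$inter"; else set --; fi
  if out=$(openssl verify -CAfile "$root" "$@" "$leaf" 2>&1); then
    echo OK
  else
    echo "$out" | sed -n 's/.*error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
    return 1
  fi
}

# Prints the subject DN of $1 in RFC 2253 form, e.g. CN=C02CONSTRUCTED1.
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Prints the Subject Alternative Names of $1, one per line (URI:..., DNS:...).
cert_sans() {
  openssl x509 -in "$1" -noout -text | awk '/Subject Alternative Name/ {
    getline; n = split($0, a, ", ")
    for (i = 1; i <= n; i++) { sub(/^ +/, "", a[i]); if (a[i] != "") print a[i] } }'
}

# Succeeds when $1 carries a KB5014754 strong-mapping URI SAN (assumed format).
has_strong_mapping() {
  cert_sans "$1" | grep -q '^URI:tag:microsoft.com,2022-09-14:sid:S-'
}

# Number of certificates in a PEM bundle; a full chain here has three.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

demo() {
  d=$(mktemp -d); make_chain "$d"
  echo "device only, root trusted:           $(verify_reason "$d/device.pem" "$d/root.pem" || true)"
  echo "device + intermediate, root trusted: $(verify_reason "$d/device.pem" "$d/root.pem" "$d/inter.pem")"
  echo "subject: $(cert_subject "$d/device.pem")"; cert_sans "$d/device.pem"
  cat "$d/device.pem" "$d/inter.pem" "$d/root.pem" > "$d/chain.pem"
  echo "certificates in full chain bundle: $(cert_count "$d/chain.pem")"
  rm -rf "$d"
}
demo
```

The first verify_reason call is what a device sees when only the root and the device certificate were deployed: "unable to get local issuer certificate", which surfaces as an untrusted certificate. Adding the intermediate turns the same check into OK, which is why the full chain has to be uploaded. The bundle order used in demo (device, intermediates, root) is the conventional one for a PEM chain file.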