How to Create Certificate Profiles in Configuration Manager

To start the Create Certificate Profile Wizard

1. In the Configuration Manager console, click Assets and Compliance.

2. In the Assets and Compliance workspace, expand Compliance Settings, expand Company Resource Access, and then click Certificate Profiles.

3. On the Home tab, in the Create group, click Create Certificate Profile.

To provide general information about the certificate profile

1. On the General page of the Create Certificate Profile Wizard, specify the following information:

   - **Name**: Enter a unique name for the certificate profile. You can use a maximum of 256 characters.
   
   - **Description**: Provide a description that gives an overview of the certificate profile and other relevant information that helps to identify it in the Configuration Manager console. You can use a maximum of 256 characters.
   
   - **Specify the type of certificate profile that you want to create**: Choose one of the following certificate profile types:
   
       - **Trusted CA certificate**: Select this certificate profile type if you want to deploy a trusted root certification authority (CA) or intermediate CA certificate to form a certificate chain of trust when the user or device must authenticate another device. For example, the device might be a Remote Authentication Dial-In User Service (RADIUS) server or a virtual private network (VPN) server. You must also configure a trusted CA certificate profile before you can create a SCEP certificate profile. In this case, the trusted CA certificate must be the trusted root certificate for the CA that will issue the certificate to the user or device.
   
       - **Simple Certificate Enrollment Protocol (SCEP) settings**: Select this certificate profile type if you want to request a certificate for a user or device, by using the Simple Certificate Enrollment Protocol and the Network Device Enrollment Service role service.
   

To configure a trusted CA certificate

1. On the Trusted CA Certificate page of the Create Certificate Profile Wizard, specify the following information:

   - **Certificate file**: Click **Import** and then browse to the certificate file that you want to use.
   
   - **Destination store**: For devices that have more than one certificate store, select where to store the certificate. For devices that have only one store, this setting is ignored.
   

2. Use the Certificate thumbprint value to verify that you have imported the correct certificate.

To configure SCEP certificate information

1. On the SCEP Servers page, specify the URLS for Network Device Enrollment Service (NDES) servers that will issue certificates via SCEP. You can either assign a URL automatically from the Certificate Registration Point, or add URLs manually.

2. On the SCEP Enrollment page of the Create Certificate Profile Wizard, specify the following information:

   - **Retries**: Specify the number of times that the device automatically retries the certificate request to the server that is running the Network Device Enrollment Service. This setting supports the scenario where a CA manager must approve a certificate request before it is accepted. This setting is typically used for high-security environments or if you have a stand-alone issuing CA rather than an enterprise CA. You might also use this setting for testing purposes so that you can inspect the certificate request options before the issuing CA processes the certificate request. Use this setting with the **Retry delay (minutes)** setting.
   
   - **Retry delay (minutes)**: Specify the interval, in minutes, between each enrollment attempt when you use CA manager approval before the issuing CA processes the certificate request. If you use manager approval for testing purposes, you will probably want to specify a low value so that you are not waiting a long time for the device to retry the certificate request after you approve the request. However, if you use manager approval on a production network, you will probably want to specify a higher value to allow sufficient time for the CA administrator to check and approve or deny pending approvals.
   
   - **Renewal threshold (%)**: Specify the percentage of the certificate lifetime that remains before the device requests renewal of the certificate.
   
   - **Key Storage Provider (KSP)**: Specify where the key to the certificate will be stored. Choose from one of the following values:
   
       - **Install to Trusted Platform Module (TPM) if present**: Installs the key to the TPM. If the TPM is not present, the key will be installed to the storage provider for the software key.
   
       - **Install to Trusted Platform Module (TPM) otherwise fail**: Installs the key to the TPM. If the TPM module is not present, the installation will fail.
   
       - **Install to Passport for work otherwise fail**: This option is available in System Center Configuration Manager 2012 R2 and Configuration Manager 2012 R2 SP1 for Windows 10 Desktop and Mobile devices. It enrolls the key to **Passport for Work**. This option also enables you to **Require multi-factor authentication** during enrollment of devices before issuing certificates to those devices. See [Protect Windows devices with multi-factor authentication](https://technet.microsoft.com/en-us/library/dn889751.aspx) for more information.
   
       - **Install to Software Key Storage Provider**: Installs the key to the storage provider for the software key.
   
     <div class="alert">
   
   
     > [!NOTE]
     > <P>If you change this value after the certificate is deployed, the old certificate is deleted and a new certificate is requested.</P>
   
   
     </div>
   
   - **Devices for certificate enrollment**: If the certificate profile is deployed to a user collection, select whether to allow certificate enrollment on only the user's primary device or on all devices that the user logs on to. If the certificate profile is deployed to a device collection, select whether to allow certificate enrollment for only the primary user of the device or for all users that log on to the device.
   

3. On the Certificate Properties page of the Create Certificate Profile Wizard, specify the following information:

   - **Certificate template name**: Click **Browse** to select the name of a certificate template that the Network Device Enrollment Service is configured to use and that has been added to an issuing CA. To successfully browse to certificate templates, the user account that you are using to run the Configuration Manager console must have Read permission to the certificate template. Alternatively, if you cannot use **Browse**, type the name of the certificate template.
   
     <div class="alert">
   
   
     > [!IMPORTANT]
     > <P>If the certificate template name contains non-ASCII characters (for example, characters from the Chinese alphabet), the certificate will not be deployed. To ensure that the certificate is deployed, you must first create a copy of the certificate template on the CA and rename the copy by using ASCII characters.</P>
   
   
     </div>
   
     Note the following, depending on whether you browse to the certificate template or type the certificate name:
   
       - If you browse to select the name of the certificate template, some fields on the page are automatically populated from the certificate template. In some cases, you cannot change these values unless you choose a different certificate template.
   
       - If you type the name of the certificate template, make sure that the name exactly matches one of the certificate templates that are listed in the registry of the server that is running the Network Device Enrollment Service. Make sure that you specify the name of the certificate template and not the display name of the certificate template.
   
         To find the names of certificate templates, browse to the following key: HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MSCEP. You will see the certificate templates listed as the values for **EncryptionTemplate**, **GeneralPurposeTemplate**, and **SignatureTemplate**. By default, the value for all three certificate templates is **IPSECIntermediateOffline**, which maps to the template display name of **IPSec (Offline request)**.
   
         <div class="alert">
   
   
         > [!WARNING]
         > <P>Because Configuration Manager cannot verify the contents of the certificate template when you type the name of the certificate template rather than browse, you might be able to select options that the certificate template does not support and that will result in a failed certificate request. When this happens, you will see an error message for w3wp.exe in the CPR.log file that the template name in the certificate signing request (CSR) and the challenge do not match.</P>
         > <P>When you type the name of the certificate template that is specified for the <STRONG>GeneralPurposeTemplate</STRONG> value, you must select the <STRONG>Key encipherment</STRONG> and the <STRONG>Digital signature</STRONG> options for this certificate profile. However, if you want to enable only the <STRONG>Key encipherment</STRONG> option in this certificate profile, specify the certificate template name for the <STRONG>EncryptionTemplate</STRONG> key. Similarly, if you want to enable only the <STRONG>Digital signature</STRONG> option in this certificate profile, specify the certificate template name for the <STRONG>SignatureTemplate</STRONG> key.</P>
   
   
         </div>
   
     <div class="alert">
   
   
     > [!NOTE]
     > <P>If you change this value after the certificate is deployed, the old certificate is deleted and a new certificate is requested.</P>
   
   
     </div>
   
   - **Certificate type**: Select whether the certificate will be deployed to a device or a user.
   
     <div class="alert">
   
   
     > [!NOTE]
     > <P>If you change this value after the certificate is deployed, the old certificate is deleted and a new certificate is requested.</P>
   
   
     </div>
   
   - **Subject name format**: From the list, select how Configuration Manager automatically creates the subject name in the certificate request. If the certificate is for a user, you can also include the user's email address in the subject name.
   
     <div class="alert">
   
   
     > [!NOTE]
     > <P>If you change this value after the certificate is deployed, the old certificate is deleted and a new certificate is requested.</P>
   
   
     </div>
   
   - **Subject alternative name**: Specify how Configuration Manager automatically creates the values for the subject alternative name (SAN) in the certificate request. For example, if you selected a user certificate type, you can include the user principal name (UPN) in the subject alternative name.
   
     <div class="alert">
   
   
     > [!TIP]
     > <P>If the client certificate will be used to authenticate to a Network Policy Server, you must set the subject alternative name to the UPN.</P>
   
   
     </div>
   
     <div class="alert">
   
   
     > [!NOTE]
     > <P>If you change this value after the certificate is deployed, the old certificate is deleted and a new certificate is requested.</P>
   
   
     </div>
   
     <div class="alert">
   
   
     > [!IMPORTANT]
     > <P>iOS devices support limited subject name formats and subject alternative names in SCEP certificates. If you specify a format that is not supported, certificates will not be enrolled on iOS devices. When you configure a SCEP certificate profile to be deployed to iOS devices, use the <STRONG>Common name</STRONG> for the <STRONG>Subject name format</STRONG>, and <STRONG>DNS name</STRONG>, <STRONG>Email address</STRONG> or <STRONG>UPN</STRONG> for the <STRONG>Subject alternative name</STRONG>.</P>
   
   
     </div>
   
   - **Certificate validity period**: If you have run the certutil - setreg Policy\\EditFlags +EDITF\_ATTRIBUTEENDDATE command on the issuing CA, which allows a custom validity period, you can specify the amount of remaining time before the certificate expires. For more information about this command, see [Step 1: Install and Configure the Network Device Enrollment Service and Dependencies](dn270539\(v=technet.10\).md) in the [Configuring Certificate Profiles in Configuration Manager](dn270539\(v=technet.10\).md)topic.
   
     You can specify a value that is lower than the validity period in the specified certificate template, but not higher. For example, if the certificate validity period in the certificate template is two years, you can specify a value of one year but not a value of five years. The value must also be lower than the remaining validity period of the issuing CA’s certificate.
   
     <div class="alert">
   
   
     > [!NOTE]
     > <P>If you change this value after the certificate is deployed, the old certificate is deleted and a new certificate is requested.</P>
   
   
     </div>
   
   - **Key usage**: Specify key usage options for the certificate. You can choose from the following options:
   
       - **Key encipherment**: Allow key exchange only when the key is encrypted.
   
       - **Digital signature**: Allow key exchange only when a digital signature helps protect the key.
   
         If you selected a certificate template by using **Browse**, you might not be able to change these settings unless you select a different certificate template.
   
     The certificate template you selected must be configured with one or both of the two key usage options above. If it is not, you will see the message **Key usage in CSR and challenge do not match** in the certificate registration point log file, **Crp.log**.
   
     <div class="alert">
   
   
     > [!NOTE]
     > <P>If you change this value after the certificate is deployed, the old certificate is deleted and a new certificate is requested.</P>
   
   
     </div>
   
   - **Key size (bits)**: Select the size of the key in bits.
   
     <div class="alert">
   
   
     > [!NOTE]
     > <P>If you change this value after the certificate is deployed, the old certificate is deleted and a new certificate is requested.</P>
   
   
     </div>
   
   - **Extended key usage**: Click **Select** to add values for the certificate’s intended purpose. In most cases, the certificate will require **Client Authentication** so that the user or device can authenticate to a server. However, you can add any other key usages as required.
   
     <div class="alert">
   
   
     > [!NOTE]
     > <P>If you change this value after the certificate is deployed, the old certificate is deleted and a new certificate is requested.</P>
   
   
     </div>
   
   - **Hash algorithm**: Select one of the available hash algorithm types to use with this certificate. Select the strongest level of security that the connecting devices support.
   
     <div class="alert">
   
   
     > [!NOTE]
     > <P><STRONG>SHA-2</STRONG> supports SHA-256, SHA-384, and SHA-512. <STRONG>SHA-3</STRONG> supports only SHA-3.</P>
   
   
     </div>
   
   - **Root CA certificate**: Click **Select** to choose a root CA certificate profile that you have previously configured and deployed to the user or device. This CA certificate must be the root certificate for the CA that will issue the certificate that you are configuring in this certificate profile.
   
     <div class="alert">
   
   
     > [!IMPORTANT]
     > <P>If you specify a root CA certificate that is not deployed to the user or device, Configuration Manager will not initiate the certificate request that you are configuring in this certificate profile.</P>
   
   
     </div>
   
     <div class="alert">
   
   
     > [!NOTE]
     > <P>If you change this value after the certificate is deployed, the old certificate is deleted and a new certificate is requested.</P>
   
   
     </div>
   

To specify supported platforms for the certificate profile

• On the Supported Platforms page of the Create Certificate Profile Wizard, select the operating systems where you want to install the certificate profile. Or, click Select all to install the certificate profile to all available operating systems.