Hello everyone, today we have a post from Intune Support Escalation Engineer Mingzhe Li. In this post, Mingzhe goes through the process of configuring the certificate template when using the Intune Certificate Connector to issue PKCS certificates from a Symantec PKI Manager Web Service to Intune managed devices. Symantec will be the ultimate authority when it comes to the requirements for issuing certificates from their Certification Authority service, but this should get you working in most scenarios.
=====
Introduction
Intune has the capability to deploy PKCS certificates from Symantec PKI Manager Web Service (referred as Symantec CA in this article). The process for configuring this is largely covered in the following docs page:
Set up Intune Certificate Connector for Symantec PKI Manager Web Service
However, we don’t go into a lot of detail regarding how to configure the certificate template itself so that it works correctly for Microsoft Intune. I recently had some experience setting this up in my lab so I thought I’d share that with you here in case you ever had the need to do the same.
Creating the certificate template in Symantec PKI Manager Web Service
You should start with our documentation on this here. When you get to the section titled Get the Certificate Profile OID it can be a little confusing on exactly how to configure the certificate template correctly as the docs don'y explicitly mention how to do this. Rather, it recommends that you contact Symantec support if you have any issues obtaining the Certificate Profile OID:
Here’s the process I follow when creating a certificate template in Symantec CA so that it works for Microsoft Intune. Please note that it is recommended to use this template for Intune PKCS deployment only as this has not been tested in other scenarios.
1. First we need to log on to the Symantec PKI Manager console and create a new certificate profile. To do this, click on Manage Certificate Profiles:
2. Now click on Add certificate profiles at the top (highlighted):
3. Select either Test mode or Production mode (either will work):
4. Select the Client Authentication option:
5. Enter a Certificate friendly name for your new template:
6. Click on Enrollment method and select PKI web services:
7. Click on Advanced options and delete Common Name (CN) using the “x”:
8. Now select Add field and select Common Name (CN), Webservice Request, then set Required to No. This is important as the certificate deployment will fail if this is set to Yes:
NOTE All the other advanced settings can be left with the default values, however you should match the validity period in the template with your Intune policy, and if the target is iOS you may want to deselect non-repudiation in the Key Usage (KU).
9. Save the certificate template, making note of the OID. When you click on the certificate template it is located on the right as shown here:
10. Now all you need to do is configure a PKCS certificate profile in Intune and deploy this to a group like you normally would, just make sure that Certificate template name matches the OID obtained when saving the certificate template on the Symantec CA. It is also important to keep the Certification authority and Certificate authority name exactly as shown below.
Once your devices receive the Intune certificate policy they should request and successfully receive a PKCS certificate from the Symantec CA.
Mingzhe Li
Intune Support Escalation Engineer
Microsoft