Certificate import RRS feed

  • Question

  • We have 3rd party P12 and 3rd party PFX certificates that we need to import to users. 

    What is the best method to do this with Intune.

    The SCEP connector is not applicable because the certificates are 3rd party certificates in p12 and pfx format.

    The certificates need to be imported to users and sometimes they log in to device1 and next day to device2

    Wednesday, August 22, 2018 12:18 PM


  • They're not as this would be totally insecure. Where and how would you deliver the password associated with the file (since it contains a private key)?

    Jason | | @jasonsandys

    Monday, August 27, 2018 3:32 PM

All replies

  • So, to clarify, you have certificates that need to be trusted by your users on their mobile devices?

    If so, see

    Jason | | @jasonsandys

    Wednesday, August 22, 2018 3:09 PM
  • Hi Jason,

    Yes we receive a P12 from a 3rd party company that we normally import in the user certificate store.

    We now want to use Intune for this.

    I read your article but that only works for CER files (and i have read it must be DER format) but we have P12 (and PFX). So this seems not applicable for us.

    But reading further i see 

    'Create a PKCS imported certificate profile' ->

    Followed the github and the article only mentions PFX not P12

    Then the article mentions in Intune

    1. Go to Intune > Device configuration > Profiles > Create profile.

    2. Enter the following properties:

      • Name for the profile
      • Optionally set a description
      • Platform to deploy the profile to
      • Set Profile type to PKCS imported certificate

    But i I choose windows 10 i only can choose PKCS certificate not the option PKCS imported certificate.

    What am i missing?

    Further down the article it does not mention where to select the certificate to deploy to users

    Again what am i missing?

    Wednesday, August 22, 2018 5:05 PM
  • What is this certificate used for?

    Is it the same certificate for all users?

    Does the import file contain the provate key?

    Jason | | @jasonsandys

    Wednesday, August 22, 2018 7:21 PM
  • It is used for accessing/login to a website.

    No all users have their own certificate and yes it has a private key.

    Im thinking of placing the certificate on a azure blob and create a PS script to import the certificate.

    Other option is to create a P12 import in a MSI file

    But is there no native option in Intune ?

    Wednesday, August 22, 2018 7:28 PM
  • Hi drikverhagen123,

    From the description, we have the option to use third-party certificatin authority SECP integration with Intune which looks like as below:

    Here is the details about using third-party certificatin authority with SCEP:

    However, there is no native option in Intune currently. You can give the feedback to the Intune

    Best regards,

    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact
    Thursday, August 23, 2018 6:45 AM
  • Hello Johnson,

    As you can see the SCEP and 3rd party option is not applicable to us.

    So if it is not native supported i'm curious how other people are deploying such certificates?

    Thursday, August 23, 2018 7:32 AM
  • They're not as this would be totally insecure. Where and how would you deliver the password associated with the file (since it contains a private key)?

    Jason | | @jasonsandys

    Monday, August 27, 2018 3:32 PM
  • Hi Jason,

    With PKCS12/PFX Import, you can actually deliver certificates securely. Before Certs are uploaded to Intune their passwords are encrypted with a client key. When a device is ready for the cert, the Cert is returned to the pfx connector on a client machine to decrypt the password and re-encrypts it with the device cert.

    More details can be found here:

    And dirkverhagen123, the "PKCS imported Certificate" is available for windows 10.

    Friday, October 18, 2019 11:06 PM
  • Clearly not something I knew about. Thank you for correcting.

    Jason | | @jasonsandys

    Saturday, October 19, 2019 3:24 PM