 
Have you been assigned to create User Certificates with Intune but don’t know where to start? You’ve come to the right place! In this post, we will go over what you need and how to get it set up.
To issue User Certificates in Intune you need a Certificate Authority that supports Intune SCEP; here are the ones recommended by Microsoft. This should also include a Certificate Revocation List (CRL) and, if your infrastructure requires one, an OCSP service as well. Luckily, if you use an Azure-based Certificate Authority (CA) such as EZCA, all of this is hosted for you, meaning there is no infrastructure for you to manage.
 
Intune uses SCEP to issue certificates. Thankfully, you don’t have to know the details of how it is implemented, but the basics are: Intune sends the device a one-time password, which the device includes when it submits its certificate request to the CA; when the CA receives the request, it checks with Intune that the one-time password is valid and that it matches the user information in the request; only if everything matches is the certificate issued. Intune will also take care of revoking the certificate if the device or user is disabled, as well as renewing the certificate before it expires.
1) Register the Keytos application and the EZCA Intune application in your tenant. This allows EZCA to authenticate your users and check the certificate request status in Intune, and then issue certificates to your Intune-managed devices.
2) Create your EZCA instance in Azure.
3) Create your Intune CA.
4) Create your Intune device profiles and start issuing secure certificates to your users’ devices!
Now that we have created our Certificate Authority, we have to create the SCEP profiles to issue certificates to your users. Here is a step-by-step guide on creating user SCEP certificate profiles for Windows or creating user SCEP certificate profiles for Mac. Basically, what most applications use to authenticate the user is the subject alternative name (SAN), so we recommend adding a User Principal Name SAN with {{UserPrincipalName}} as the value, and setting the subject name to CN={{UserName}},E={{EmailAddress}} for legacy applications that still read the username from the subject name.
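To make the flow described above concrete, here is a small Python model of the Intune SCEP issuance check and of the subject/SAN templates recommended for the profile. This is an added illustration, not Intune's, EZCA's or Keytos' code: the user directory, the `IntuneStub` and `ScepCaStub` classes and the `walkthrough()` function are all constructed for the example, and no real SCEP or PKCS#10 messages are built. What it shows is the three properties a practitioner relies on: the one-time password is consumed on first use (a replay is rejected), the CA only issues when the requested subject and UPN SAN match the user record Intune vouches for, and disabling the user revokes every certificate issued to them.

```python
import secrets
from dataclasses import dataclass, field

# Profile templates from the recommendation above, using Intune's {{...}} variables.
SUBJECT_TEMPLATE = "CN={{UserName}},E={{EmailAddress}}"
SAN_UPN_TEMPLATE = "{{UserPrincipalName}}"

# Constructed user directory standing in for the Entra ID / Intune user record.
USERS = {
    "alice@contoso.example": {
        "UserName": "alice",
        "EmailAddress": "alice@contoso.example",
        "UserPrincipalName": "alice@contoso.example",
    },
}


def render(template: str, attrs: dict) -> str:
    """Substitute {{Variable}} placeholders with the user's attribute values."""
    out = template
    for key, value in attrs.items():
        out = out.replace("{{" + key + "}}", value)
    return out


@dataclass
class IntuneStub:
    """Stands in for Intune: hands out one-time challenges and validates requests."""
    users: dict
    _challenges: dict = field(default_factory=dict)  # challenge -> UPN it was issued to

    def issue_challenge(self, upn: str) -> str:
        challenge = secrets.token_hex(16)
        self._challenges[challenge] = upn
        return challenge

    def validate(self, challenge: str, subject: str, san_upn: str):
        # pop() makes the challenge single-use: a replayed request finds nothing.
        upn = self._challenges.pop(challenge, None)
        if upn is None:
            return False, "unknown or already-used challenge"
        attrs = self.users[upn]
        # The names in the request must be exactly what the profile renders for this user.
        if subject != render(SUBJECT_TEMPLATE, attrs):
            return False, "subject does not match Intune user record"
        if san_upn != render(SAN_UPN_TEMPLATE, attrs):
            return False, "UPN SAN does not match Intune user record"
        return True, upn


@dataclass
class Csr:
    """The fields of the device's certificate request that matter for this check."""
    challenge: str
    subject: str
    san_upn: str


class ScepCaStub:
    """Stands in for the SCEP CA: issues only after Intune confirms the request."""

    def __init__(self, intune: IntuneStub):
        self.intune = intune
        self.issued = {}      # serial -> (owner UPN, subject, san_upn)
        self.revoked = set()  # serials that would appear on the CRL

    def enroll(self, csr: Csr):
        ok, detail = self.intune.validate(csr.challenge, csr.subject, csr.san_upn)
        if not ok:
            return None, detail
        serial = len(self.issued) + 1
        self.issued[serial] = (detail, csr.subject, csr.san_upn)
        return serial, "issued"

    def revoke_user(self, upn: str):
        """Revoke every certificate held by a user (what Intune triggers on disable)."""
        for serial, (owner, _subject, _san) in self.issued.items():
            if owner == upn:
                self.revoked.add(serial)
        return sorted(self.revoked)


def walkthrough():
    """Run the happy path, a replayed challenge, a mismatched SAN, and a revocation."""
    intune = IntuneStub(USERS)
    ca = ScepCaStub(intune)
    upn = "alice@contoso.example"
    attrs = USERS[upn]

    challenge = intune.issue_challenge(upn)
    good = Csr(challenge, render(SUBJECT_TEMPLATE, attrs), render(SAN_UPN_TEMPLATE, attrs))
    first = ca.enroll(good)        # (1, "issued")
    replay = ca.enroll(good)       # same challenge again -> rejected

    challenge2 = intune.issue_challenge(upn)
    wrong_san = Csr(challenge2, good.subject, "bob@contoso.example")
    mismatch = ca.enroll(wrong_san)  # SAN not Alice's UPN -> rejected

    revoked = ca.revoke_user(upn)  # [1]
    return {"first": first, "replay": replay, "mismatch": mismatch, "revoked": revoked}


if __name__ == "__main__":
    print(walkthrough())
```

The check on the rendered subject and SAN is the part worth keeping in mind when you design the profile: whatever template you choose, the CA should only honour names that Intune can confirm belong to the enrolling user, which is why the UPN SAN (rather than a free-form subject) is the field most applications key on.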
 
One of the most common questions we get in our free PKI and identity assessments is, “How long should the user certificate be valid?” As with many things in cyber security, the answer is: it depends on your organization. We recommend making user certificates valid for between 3-6 months. This allows for users to be on parental leave or any extended leave and, when they come back, their WiFi certificate still works, allowing them to continue to authenticate to the network, after which Intune will renew the certificate. We see some organizations also issuing 1 year or even 2 year certificates; however, we caution against such long-lived certificates because, if there is high user turnover, the certificate revocation list can get fairly large, creating a bigger load on your network (remember that each time the certificate is used, the CRL must be checked to ensure the certificate has not been revoked).
Up until now, we have covered how to issue user certificates using Intune; however, you might have users that need certificates on devices that are not Intune-managed. Luckily, EZCA also supports other MDMs with regular SCEP issuance, as well as in-portal certificate issuance, meaning that your users can use their existing AAD (Entra ID) identity to authenticate to our web portal and issue the certificate for their account. The best part about this is that it also supports users from other tenants: if you have a contractor from another Entra ID tenant who requires a certificate, they can go into the portal and, as long as you have whitelisted them for your user certificate profile, self-service issue a certificate for their account.
Yes, certificates issued through Intune can be used for Entra CBA, as long as they have the right subject alternative name fields and you have registered the certificate authority as an Entra CBA Certificate Authority; however, you might want to read our blog on whether certificates are MFA, since your Intune certificate might not qualify as a multi-factor authentication method – in that case, you might want to look into using a YubiKey for Entra CBA.