Learn how to configure and deploy a certificate profile.
The Certificate library item allows you to upload certificates and certificate identities and deploy them to your Apple devices. You might want to use this library item if you are configuring services that require a valid certificate trust chain or apps that support certificate-based authentication.
Create a Certificate Profile
- Navigate to Library in the left-hand navigation bar.
- Select Add New from the upper right-hand corner.
- Select the Certificate library item and click Add & Configure.
- Give your library item a descriptive title.
- Assign the Certificate library item to a Blueprint.
- Configure the certificate options (see below).
- Click Save.
- Certificate type
Select the certificate type you are uploading.
- PKCS #1-formated certificate files have a file extension of .cer, .crt, or .der. They contain a certificate without a corresponding private key.
- PKCS #12-formated certificate files have a file extension of .p12 or .pfx. They contain a certificate and corresponding private key.
- Certificate name
Give the certificate a name that will appear on the configuration profile shown in System Preferences.
- Certificate password
This option appears when you select the PKCS #12-formatted certificate type. Enter the password used to decrypt the certificate identity.
Click to upload your certificate or certificate identity file. You can also drag it onto the Certificate box.
- Allow apps to access the private key
This option appears when you select the PKCS #12-formatted certificate type. By selecting it, all apps on the Mac will automatically be able to use the certificate identity. This is useful if you use the identity with apps or services that support certificate-based authentication. If you deselect this option, users with administrator privileges will need to use the Keychain app to allow the use of the certificate identity.
- Prevent the private key data from being extracted from the keychain
This option appears when you select the PKCS #12-formatted certificate type. It prevents the certificate identity’s private key from being exported from the macOS keychain, and ensures the identity is only used on Mac systems it was deployed to.