Certificates settings

Use the certificates payload to add certificates and identities to the device.

Note: Use the certificates payload for all configuration profiles. For more information, see About profiles and payloads and Payload best practices.

iOS devices and Mac computers can use X.509 certificates with RSA keys. The formats and recognized file extensions are:

  • PKCS1: .cer, .crt, .der

  • PKCS12: .p12, .pfx

PKCS12 files also include the private key and contain exactly one identity. To ensure the protection of the private key, PKCS12 files are encrypted with a passphrase.

To add a certificate to the payload, click Add Certificate.

When you install a root certificate, you may also install the intermediate certificates to establish a chain to a trusted certificate that’s on the device. This can be important for technologies such as 802.1x. To view a list of preinstalled roots for iOS devices, see the Apple Support article List of available trusted root certificates. In OS X, use Keychain Access to view the System Roots keychain.

If the certificate or identity that you want to install is in your keychain, use Keychain Access to export it in .p12 format. Keychain Access is located in /Applications/Utilities/. For more information, see Keychain Access Help, available from the app’s Help menu.

To add an identity for use with Microsoft Exchange, Network, Single Sign-on, and VPN, use the appropriate payload.

When deploying a PKCS12 file, if you omit the certificate identity’s passphrase the user is asked to enter it when the profile is installed. The payload content is obfuscated, but not encrypted. If you include the passphrase, be sure the profile is available only to authorized users.

Instead of installing certificates using a configuration profile, you can let users use Safari to download the certificates to their device from a webpage using that certificate (you shouldn’t host the certificate). Or, you can send certificates to users in a mail message. You can also use Simple Certificate Enrollment Protocol SCEP settings to specify how the device obtains certificates when the profile is installed.

You can add certificates by clicking the add payload button.