Certificate Enrollment Gateway can authenticate to Microsoft Intune using one of the following authentication methods:
- Password-based authentication: Certificate Enrollment Gateway authenticates to Microsoft Intune using an application key (also called an authentication key or client secret) generated in Microsoft Intune.
- Certificate-based authentication: Certificate Enrollment Gateway authenticates to Microsoft Intune using a trusted certificate. The certificate must be imported into Microsoft Intune.
You cannot generate a TLS certificate using Microsoft Intune. You must generate a certificate using another tool, and then import the certificate into Microsoft Intune. Microsoft Intune and Certificate Enrollment Gateway must use the same certificate for authentication.
This section provides instructions about how you can use the TLS bootstrapping feature of Certificate Enrollment Gateway to generate a TLS certificate for certificate-based authentication. You can then import this certificate into Microsoft Intune.
To generate a TLS certificate file for certificate-based authentication using TLS bootstrapping
- Log in to the server hosting the Certificate Enrollment Gateway.
- Generate a TLS certificate (tls.crt) using the TLS bootstrapping feature of Certificate Enrollment Gateway. For instructions about using the TLS bootstrapping feature, see the Certificate Enrollment Gateway Deployment Guide. The value of the distinguished name (DN) does not need to be a fully qualified domain name (FQDN).
You can now import the TLS certificate into Microsoft Intune as described in the following procedure. You must also complete the following steps to convert the TLS certificate (tls.crt) and associated private key (tls.key) into a PKCS #12 (P12) file. Certificate Enrollment Gateway requires a P12 file for certificate-based authentication to Microsoft Intune.
- To convert the PEM-formatted TLS certificate and private key into a P12 file (AppKey.p12) for Certificate Enrollment Gateway, enter the following command:
openssl pkcs12 -export -out AppKey.p12 -in tls.crt -inkey tls.key
- When prompted, enter a password for the P12 file.
- Copy the P12 file you just created (AppKey.p12) into the Certificate Enrollment Gateway configuration directory, the same directory hosting the config.yml file.
- Reload the Certificate Enrollment Gateway package to apply the changes.
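The conversion step above, together with the checks worth running before the P12 is copied next to config.yml, as an added example that is not from the Certificate Enrollment Gateway documentation. The self-signed certificate it generates only stands in for the tls.crt and tls.key produced by TLS bootstrapping; WORKDIR and the demo password are constructed values.

```shell
#!/bin/sh
# Added example, not from the Certificate Enrollment Gateway documentation.
# Builds a throwaway PEM certificate and key standing in for the tls.crt /
# tls.key that TLS bootstrapping produces, converts them to AppKey.p12 the
# same way as the documented openssl command, and checks the result before
# it is copied next to config.yml. WORKDIR and P12_PASS are constructed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
P12_PASS="${P12_PASS:-demo-p12-password}"   # constructed demo value
export P12_PASS

# Stand-in for the bootstrapped certificate; the DN does not need to be an
# FQDN, so a plain CN is used.
make_demo_pem() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=ceg-intune-demo" \
    -keyout "$WORKDIR/tls.key" -out "$WORKDIR/tls.crt" 2>/dev/null
}

# The documented conversion, with the export password read from the
# environment instead of the interactive prompt.
make_p12() {
  openssl pkcs12 -export -out "$WORKDIR/AppKey.p12" \
    -in "$WORKDIR/tls.crt" -inkey "$WORKDIR/tls.key" -passout env:P12_PASS
}

# Check 1: the key and certificate belong together (compare public keys).
key_matches_cert() {
  c=$(openssl x509 -noout -pubkey -in "$WORKDIR/tls.crt" | openssl sha256)
  k=$(openssl pkey -pubout -in "$WORKDIR/tls.key" | openssl sha256)
  [ "$c" = "$k" ]
}

# Check 2: the P12 opens with the password and holds exactly one certificate.
p12_cert_count() {
  openssl pkcs12 -in "$WORKDIR/AppKey.p12" -nokeys -passin env:P12_PASS \
    2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Check 3: SHA-1 thumbprint without colons, the form to compare against the
# thumbprint Azure lists under Certificates after the upload.
thumbprint() {
  openssl x509 -noout -fingerprint -sha1 -in "$WORKDIR/tls.crt" \
    | sed 's/^.*=//; s/://g'
}

make_demo_pem && make_p12 && key_matches_cert
echo "AppKey.p12 holds $(p12_cert_count) certificate(s); thumbprint $(thumbprint)"
```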
To import the TLS certificate into Microsoft Intune
- Log in to the Microsoft Azure portal.
- Under Azure services, click Azure Active Directory.
- Click App Registrations.
- Select the application you created earlier for the CEG Service.
- Click Certificates & secrets.
- Click Upload certificate.
- Select the TLS certificate.
- Click Add.
Information about the certificate is displayed under the Certificates pane.