Designing an Exportable, Auto-Renewing Certificate Solution in Intune

To give your field devices certificates that both auto-renew and remain exportable, switch from pure SCEP to a PKCS certificate profile in Intune. The PKCS approach uses Microsoft’s Certificate Connector to issue certificates from your on-premises CA (or an Azure Key Vault CA) and supports exportable keys. Here’s how to set it up:

1. Deploy the Intune Certificate Connector

  1. On a Windows Server (2016 or later), install the Intune Certificate Connector.
  2. In the Endpoint Manager admin center, go to Tenant administration > Connectors and tokens > Certificate connectors, and add your new connector.
  3. Approve the service principal prompt to let Intune talk to your CA.

2. Create a PKCS Certificate Profile

  1. In the admin center, go to Devices > Configuration profiles > Create profile.
  2. Platform: Windows 10 and later
  3. Profile type: PKCS certificate
  4. Configure:
    • Certificate template name: Pick (or create) a template on your CA that allows private key export.
    • Key storage provider: Software Key Storage Provider (the Microsoft Software Key Storage Provider). A key enrolled into the TPM KSP cannot be exported, which is why the software provider is needed here.
    • Key Usage: As required by your app (e.g., Digital Signature, Key Encipherment)
    • Subject name format and Subject alternative name: Match what your application expects (for example, a user or device identity in the SAN).
    • Exportable key: Yes (enables PFX or PEM conversion).
  5. Assign to your existing device group.

3. Configure Auto-Renewal

Intune with PKCS profiles automatically renews certificates before expiration if the device remains in scope of the profile. You can adjust the renewal threshold in the profile settings (default is 30 days before expiry).

4. Retrieve and Convert the Exportable Certificate

Once the PKCS profile is applied:

  1. The device stores the certificate in the Local Computer or Current User store.
  2. To export as PFX or PEM, run a PowerShell script or use an automated process on the device:

     # Export to PFX
     $cert = Get-ChildItem Cert:\LocalMachine\My\<Thumbprint>
     $pw = ConvertTo-SecureString -String 'PfxPassword!' -Force -AsPlainText
     Export-PfxCertificate -Cert $cert -FilePath C:\Certs\devicecert.pfx -Password $pw

     # Convert PFX to PEM (-nodes writes the private key unencrypted, so protect the output file)
     openssl pkcs12 -in C:\Certs\devicecert.pfx -out C:\Certs\devicecert.pem -nodes
  3. Secure the PFX with a strong password and delete temporary files.
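As an added example (not from the original post), here is a more defensive version of the export in step 2: it locates the Intune-issued certificate by issuer rather than a hard-coded thumbprint, stops early if the private key is not exportable (what you get when the profile enrols to the TPM KSP instead of the software KSP), uses a generated PFX password, and locks down the resulting files. The issuer name, output directory and openssl being on PATH are assumptions.

```powershell
# Added example; the issuer pattern, output path and openssl being on PATH are assumptions.
param(
    [string]$IssuerPattern = 'CN=Contoso Issuing CA',   # assumed: your CA's subject name
    [string]$OutDir        = 'C:\Certs'
)

# Pick the newest machine certificate with a private key that was issued by our CA.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Issuer -match [regex]::Escape($IssuerPattern) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key issued by '$IssuerPattern'." }

# Fail early if the key is not exportable (e.g. the profile enrolled to the TPM KSP).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$exportable = if ($rsa -is [System.Security.Cryptography.RSACng]) {
    [int]($rsa.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $rsa.CspKeyContainerInfo.Exportable
} else { $false }
if (-not $exportable) {
    throw "Private key for $($cert.Thumbprint) is not an exportable RSA key; check the profile's KSP setting and the template's 'Allow private key to be exported' flag."
}
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
Write-Host "Exporting $($cert.Thumbprint) (expires $($cert.NotAfter.ToString('yyyy-MM-dd')), $daysLeft days left)"

# Generate a one-off PFX password instead of hard-coding one in the script.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$pwPlain = [Convert]::ToBase64String($bytes)
$pw = ConvertTo-SecureString -String $pwPlain -AsPlainText -Force

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$pfxPath = Join-Path $OutDir 'devicecert.pfx'
$pemPath = Join-Path $OutDir 'devicecert.pem'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pw | Out-Null

# Convert to PEM. The password is passed through an environment variable rather than on the
# command line so it does not show up in process listings; -nodes leaves the PEM key unencrypted.
$env:PFX_PW = $pwPlain
& openssl pkcs12 -in $pfxPath -out $pemPath -nodes -passin env:PFX_PW
Remove-Item Env:\PFX_PW
if ($LASTEXITCODE -ne 0) { Remove-Item $pemPath -ErrorAction SilentlyContinue; throw 'openssl pkcs12 failed' }

# Restrict both files to SYSTEM and Administrators (well-known SIDs, so it works in any locale).
foreach ($f in @($pfxPath, $pemPath)) {
    icacls $f /inheritance:r /grant:r '*S-1-5-18:F' '*S-1-5-32-544:F' | Out-Null
}
```

Hand the generated password to the consuming application through its own secret store rather than writing it to disk next to the PFX.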

5. Roll-Out to Field Devices

  • Assign the new PKCS profile alongside or instead of your existing SCEP and PEM deployments.
  • Monitor in Devices > Monitor > Certificate status to ensure issuance and renewal.
  • Remove the old PEM-based script/configuration once the PKCS solution is stable.

With this PKCS-based design, certificates remain exportable for your application’s PFX/PEM needs and renew seamlessly via Intune’s integration with your CA—no manual renewal steps required.
