Introduction
A customer recently asked me if they could deploy a new certificate from their internal certificate authority in Microsoft Intune, however, did not want to implement new SCEP infrastructure or change the existing SCEP configuration to support this new certificate.
So in this blog post, I will explain how you can deploy PKCS certificates when existing SCEP infrastructure is used within the environment.
PKCS
PKCS certificates are a type of certificate used in Microsoft Intune to enhance security and manage encryption. PKCS stands for Public Key Cryptography Standards, and these certificates are part of a family of standards for public key cryptography. Like SCEP certificates, a PKCS certificate is supported for authentication and S/MIME Signing.
Microsoft provide well detailed information about what enrolment methods and operating systems in Microsoft Intune support PKCS.
Note: this blog post is not for PKCS imported certificates
Deploying a PKCS Certificate when SCEP Infrastructure is in Production
Because deploying PKCS certificates is fairly straight forward and there's plenty of blog posts and Microsoft Learn pages on how to do it, I'm not going to go into detail on how to create a new internal Certificate Template and PKCS profile in Intune. As there is no difference in set up for this scenario! All we need to worry about is the Certificate Connector. So we'll start at the point when you're ready to install the Intune Certificate Connector.
Now, as there will already be a Certificate Connector installed to support the existing SCEP deployment, we need to be aware of how Intune uses Certificate Connectors to support PKCS.
Intune can use any Certificate Connector which is active and connected to your Intune tenant to deploy PKCS certificates if any Connector Connector has been configured to support PKCS. This is important to know because if your Certificate Connector installed on your NDES server is not configured to support PKCS, Intune will not use this Certificate Connector (which would be a typical configuration set up).
To validate if you're Certificate Connector has been configured to support PKCS you'll need to re-rerun the Certificate Connector configuration wizard (as Administrator) typically located here.
"C:\Program Files\Microsoft Intune\PFXCertificateConnector\ConnectorUI\PFXCertificateConnectorUI.exe"
If your existing Certificate Connector has been configured for PKCS, Intune can use this Certificate Connector as part of the PKCS process as stated above. This means if you leave this configuration unchanged, you'll run into Connector errors like "event ID 1001: Failed to process PKCS request" when deploying the PKCS certificate in Intune. This will be due to permissions not being configured correctly for the Connector on your new PKCS certificate template.
Richard Hicks provides a good blog for fixing permissions errors for PKCS certificates for reference.
Best Practice Recommendation
For the scenario in this blog, my recommendation would be to create a new certificate connector and if applicable, remove PKCS from the existing Certificate Connector configuration (again it's unlikely you've allowed PKCS in the Certificate Connector for a SCEP deployment). The new Connector should be deployed on a new member server and should meet all Connector prerequisites.
This will allow you to create a new Connector service account and configure applicable account and connector permissions on your new PKCS template. Allowing for a nice separation of required PKCS and SCEP infrastructure.
Additional Information
You can also follow a similar process if you wish to migrate from SCEP certificates to PKCS in Intune. Which I may write a separate blog post about but essentially the infrastructure will look similar to the above. You'd just to need to revoke existing SCEP certificates and swap over any WIFI or VPN profiles in Intune to use the new PKCS certificate.