KB-4283: Creating templates to use certificates for authentication with cloud enrolled devices

App Access Service

15 July,16 at 10:28 PM

Applies To: Centrify Identity Service


Administrators can configure mobile device profiles so that the identity platform installs a certificate generated either by the Centrify cloud CA or the Active Directory Certificate Services certification authority designated in the Cloud Manager (see online help section Selecting the policy management tool).

The certificate, regardless of the policy source, is automatically generated and installed in the device when the user enrolls the device. When using a certificate for authentication be sure to set the “Provide client certificate” option in the profile.

If using the Centrify cloud policy service for device management policy, the Centrify cloud CA is used to generate certificates. If you’re using Active Directory group policy for device management policy, the Windows Certificate Authority server is used to generate certificates. You cannot have a hybrid in which, for example, you select the Centrify cloud policy service for device management policy but use the Windows Certificate Authority server to generate certificates.

Some configuration is necessary on Windows servers if you are using either source:

Note: This article outlines the process for creating certificate templates only for Mac and mobile devices enrolled into the Centrify Cloud Service. For Mac computers joined to Active Directory using the Centrify for Mac agent, please reference the Centrify Administrator's Guide for Mac OS X or the following Knowledge articles specific to Mac configuration and deployment:

The Centrify cloud connector and cloud service have the certificates created, deliver them to the device, and incorporate them into the authentication protocol. In many cases, especially for Exchange servers, additional server configuration is required before you can use certificates for authentication. See your server’s documentation for the details.

Note: Per Centrify Technical Support KB-4216 regarding Exchange PKI configuration, Admins may set the user’s Certificate Template on the Certification Authority and make sure that the Domain Users group in AD has the permission to auto-enroll the certificate. For general instructions for configuring Exchange 2010 authentication using PKI, see this Exchange 2010 PKI Authentication Configuration document.

Admins select certificate-based authentication in a Wi-Fi, VPN, or Exchange profile created in a group policy object using the Group Policy Management Editor. See Managing mobile device policies for the details. Before using certificates for authentication, however, Admins must first create the certificate templates expected by the cloud proxy server.

There are two certificate templates to create:

  • Computer-ClientAuth (workstation template)
  • User-ClientAuth (user template)

Note: The template name must be entered exactly as shown above, including the capital letters.

In some cases, you specify in the profile which certificate to use for authentication (for example, the iOS Wi-Fi profile) while others require you to use either the computer or the user certificate.

To simplify profile configuration, we recommend creating both templates. You use the Microsoft Management Console (MMC) on the certification authority server to create the templates.

Create the computer and user certificate templates:

      1. Open the MMC on the Windows server with the certification authority installed. You need the Certification Authority snap-in installed to run this procedure.


      2. Expand the certification authority, right-click Certificate Templates, and click Manage.



      3. Right-click Computer and choose Duplicate Template.

Note: If you are creating the user template, right-click User instead.


      4. Select Windows Server 2008 and click OK.



      5. In the Template display name: text box, enter Computer-ClientAuth. (This automatically fills in the Template name: field too.) Set the Validity period: and Renewal period values.

Note: If you are creating the user template, enter User-ClientAuth instead.


      6. Click the Subject Name tab and select Supply in the request.



      7. Click the Security tab, select Authenticated Users and select the Read and Enroll permission.



      8. On the same tab, select Domain Computers and select the Read and Enroll permission. (The computer(s) hosting the proxy server should also be given the Enroll permission.)

Note: If you are creating the user template, select Domain Users.


      9. Click OK and close the Certificate Templates Console.

      10. In the MMC, right-click Certificate Templates, click New, and click Certificate Template to Issue.



      11. Click Computer-ClientAuth and click OK.

Note: If you are creating the user template, select User-ClientAuth instead.


      12. Verify the new Certificate Template is displayed.

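The following PowerShell check is an added example, not part of the Centrify article: it confirms from Active Directory that both templates exist with the exact, case-sensitive names required, that the subject is supplied in the request (step 6), which principals hold Enroll (steps 7 and 8), and which CA issues the template (steps 10 to 12). It assumes the ActiveDirectory module (RSAT) on a domain-joined host; variable names are illustrative.

```powershell
# Added example (not Centrify's code): audit the two templates from the procedure.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined host.
Import-Module ActiveDirectory

$expected   = 'Computer-ClientAuth', 'User-ClientAuth'      # names required by the article
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
$clientAuth = '1.3.6.1.5.5.7.3.2'                           # Client Authentication EKU OID
$pkiBase    = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

$templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" -Filter * `
    -Properties 'msPKI-Certificate-Name-Flag', pKIExtendedKeyUsage, nTSecurityDescriptor
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -Filter 'objectClass -eq "pKIEnrollmentService"' -Properties certificateTemplates

foreach ($name in $expected) {
    # -ceq is case-sensitive: the article requires the exact capitalisation.
    $t = $templates | Where-Object { $_.Name -ceq $name }
    if (-not $t) {
        $near = ($templates | Where-Object { $_.Name -ieq $name }).Name
        Write-Warning "Template '$name' not found. Case-insensitive match: '$near'"
        continue
    }

    # Allow ACEs granting the Enroll extended right (or all extended rights).
    $enrollers = $t.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType -eq $enrollGuid -or $_.ObjectType -eq [guid]::Empty)
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]@{
        Template                 = $t.Name
        # Bit 0x1 = subject supplied in the request (step 6).
        SubjectSuppliedInRequest = [bool]($t.'msPKI-Certificate-Name-Flag' -band 0x1)
        ClientAuthEku            = $t.pKIExtendedKeyUsage -contains $clientAuth
        EnrollPrincipals         = $enrollers -join '; '
        # CAs that list the template under "Certificate Templates" (steps 10-12).
        IssuedBy                 = ($cas | Where-Object { $_.certificateTemplates -ccontains $name }).Name -join '; '
    }
}
```

Because these templates take the subject from the request, the EnrollPrincipals column is the list to review against what steps 7 and 8 intended.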
For additional information not covered in this guide or troubleshooting assistance, please review the
Centrify Online Help or Customer Support Portal at
