Manage AD certificates in devices

You can use a certificate authority in the Active Directory Certificate Service to generate user and computer certificates for user and device authentication. In turn, you can use these certificates for log-in authentication in the Wi-Fi, VPN, and Exchange ActiveSync server profiles rather than an account’s user name and password. (See the Wi-Fi, VPN, and Exchange server profile configuration descriptions in Mobile device configuration policies overview for the details.)

This section applies only when you use the Active Directory Certificate Service to issue your certificates. If you are using the CyberArk Tenant Certificate Authority, you can skip this section. See How to select the policy service for device management.

To use certificates from your Active Directory certification authority, you must create user or computer certificate templates on the Windows Certificate Authority server used by the CyberArk Identity Connector. In addition, you need to configure the host computer for each of your CyberArk Identity Connectors so that it can revoke certificates. See Create the certificate templates.

After you create the templates, the certificates are automatically created for CyberArk Identity, which then installs them when the user enrolls the device.

If you are using Active Directory group policy for device policy management, you can select the certification authority when you configure Device Policy Management—see Selecting Active Directory group policy. If you are using CyberArk Cloud Directory policy service for device policy management and select the Active Directory Certificate Service, CyberArk Identity uses the default Active Directory Certificate Services certification authority only.

In many cases, additional server configuration is required before you can use certificates for authentication. See your server’s documentation for the details.

The procedures in this section assume that you have a working Active Directory Certificate Services certificate authority within your domain and that you have sufficient permissions to modify its settings.
