Trusted Secure CA deployment system center configuration manager

Balbo 1 Reputation point
2021-03-16T16:29:49.957+00:00

Hello everybody,
Can you tell me how to deploy a Trusted Secure CA 5 using System Center Configuration Manager, please? I know how to deploy an application, but I don't know how to deploy a "file.crt" using SCCM.
Thank you for your help.
regards,
Balbo

Microsoft Configuration Manager Application

1 answer

  1. SunnyNiu-MSFT 1,696 Reputation points
    2021-03-17T07:11:52.86+00:00

    @Balbo
    Here is an answer to your question that hopefully you find helpful!
    In my lab, I did the following experiment to deploy a "file.crt" using SCCM for a reference:
    The deployment of Certificate Profiles always consists of two parts: deploying a root certificate, followed by deploying a client certificate.
    Part 1 – Root Certificate
    In the Configuration Manager Console > Assets and Compliance > Overview > Compliance Settings > Company Resource Access > Certificate Profiles.
    Right-click Certificate Profiles, in the Create group, click Create Certificate Profile and the Create Certificate Profile Wizard will pop up.
    On the General page, fill in with Name <Trusted Secure CA>, select Trusted CA certificate and click Next. Like the screenshot below:
    [Screenshot: 78651-1.png]

    On the Trusted CA Certificate page, browse (by clicking on Import) to the exported root certificate, select Computer certificate store – Root and click Next. Like the screenshot below:
    [Screenshot: 78652-2.png]

    On the Supported Platforms page, select Windows 10 and click Next. Like the screenshot below:
    [Screenshot: 78558-3.png]

    On the Summary page click Next. On the Completion page click Close.

    Now that the configuration is created, it's time for the deployment. An important step of this deployment is the remediation. So to deploy and remediate the Certificate Profile, follow the next steps:
    In the Configuration Manager Console > Assets and Compliance > Overview > Compliance Settings > Company Resource Access > Certificate Profiles.
    Select the new item <Trusted Secure CA> and on the Home tab, in the Deployment group, click Deploy and the Deploy Trusted CA Certificate Profile popup will show.
    On the Deploy Trusted CA Certificate Profile popup, browse to a device collection and click OK. Like the screenshot below:
    [Screenshot: 78605-4.png]

    Part 2 – Client Certificate
    After the Certificate Profile for the root certificate is deployed, it's time to start with the configuration and deployment of a Certificate Profile for the client certificate. It's important to note that a root certificate has to be deployed to enable a successful client certificate deployment. Also, a Certificate Profile for the deployment of the root certificate is a prerequisite for a Certificate Profile for the deployment of a client certificate:
    In the Configuration Manager Console > Assets and Compliance > Overview > Compliance Settings > Company Resource Access > Certificate Profiles.
    Right-click Certificate Profiles, in the Create group, click Create Certificate Profile and the Create Certificate Profile Wizard will pop up.
    On the General page, fill in with Name <ConfigurationManagerClientCertificate>, select Simple Certificate Enrollment Protocol (SCEP) settings and click Next. Like the screenshot below:
    [Screenshot: 78615-5.png]

    On the SCEP Enrollment page, select Install to Trusted Platform (TPM) if present, then select Allow certificate enrollment on any device and click Next. Like the screenshot below:
    [Screenshot: 78645-6.png]

    On the Certificate Properties page, select with Certificate template name <ConfigurationManagerClientCertificate>, select with Root CA certificate the previously created Certificate Profile and click Next. (All the other settings will be filled automatically, but are customizable, based on the selected template, but Read rights on the selected template are necessary for the user.) Like the screenshot below:
    [Screenshot: 78606-7.png]

    On the Supported Platforms page, select Windows 10 and click Next. On the Summary page click Next. On the Completion page click Close.

    Now that the configuration is created, it's again time for the deployment. And again, an important step of this deployment is the remediation. So to deploy and remediate the Certificate Profile, follow the next steps:
    In the Configuration Manager Console > Assets and Compliance > Overview > Compliance Settings > Company Resource Access > Certificate Profiles.
    Select the new item <ConfigurationManagerClientCertificate> and on the Home tab, in the Deployment group, click Deploy and the Deploy Trusted CA Certificate Profile popup will show.
    On the Deploy Trusted CA Certificate Profile popup, browse to a device collection and click OK.

    The success or failure of this process could be followed in a new log file named CertEnrollAgent.log.
    Another good place to look is an MMC with the Certificates snap-in, on the enrolled device. This will immediately show whether or not the Certificate Profile provided a successful enrollment of a certificate.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
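
A root certificate placed in the Computer certificate store – Root is trusted for every chain built on that device, so it is worth reviewing the "file.crt" before importing it into the Certificate Profile and confirming on a client that the deployed certificate is the same one. The PowerShell below is an added example, not part of the original answer; the path `C:\Temp\file.crt` and the function name `Get-RootCaReview` are assumptions.

```powershell
# Added example (not from the original answer). The default path is a placeholder.
param([string]$CrtPath = 'C:\Temp\file.crt')

function Get-RootCaReview {
    param([Parameter(Mandatory)][string]$Path)

    # Resolve to a full path: .NET uses the process working directory, not $PWD.
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath

    # Load the public certificate only (DER or Base64 .crt/.cer, no private key).
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full

    # Basic Constraints (OID 2.5.29.19) states whether the certificate may act as a CA.
    $bcType = [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    $bc     = $cert.Extensions['2.5.29.19'] -as $bcType

    # SHA-256 fingerprint of the encoded certificate, to compare with the value
    # the CA owner published through a separate channel.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $sha256 = [System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ''
    $sha.Dispose()

    $now = Get-Date
    [pscustomobject]@{
        Subject             = $cert.Subject
        Issuer              = $cert.Issuer
        # A root is normally self-issued; this compares names only, not the signature.
        SubjectEqualsIssuer = ($cert.Subject -eq $cert.Issuer)
        IsCa                = [bool]($bc -and $bc.CertificateAuthority)
        NotBefore           = $cert.NotBefore
        NotAfter            = $cert.NotAfter
        CurrentlyValid      = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        Sha1Thumbprint      = $cert.Thumbprint
        Sha256Fingerprint   = $sha256
        # True once the Certificate Profile has placed this exact certificate
        # in the Computer certificate store - Root on the machine running the check.
        InLocalMachineRoot  = Test-Path -LiteralPath "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
    }
}

if (Test-Path -LiteralPath $CrtPath) {
    Get-RootCaReview -Path $CrtPath | Format-List
} else {
    Write-Warning "Certificate file not found: $CrtPath"
}
```

Run it once on the admin workstation before creating the profile, then on a targeted Windows 10 client after the deployment; `InLocalMachineRoot` should change from False to True with the same thumbprint.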

