Certificates payload settings
The display name for the certificate.
Certificate or identity data
iOS, iPadOS, macOS and tvOS devices can use X.509 certificates with RSA keys. The formats and recognised file extensions are:
PKCS12 files also include the private key and contain exactly one identity. To ensure the protection of the private key, PKCS12 files are encrypted with a passphrase.
A passphrase that is used to secure the credentials.
When you install a root certificate, you may also install the intermediate certificates to establish a chain to a trusted certificate that’s on the device. This can be important for technologies such as 802.1X. To view a list of pre-installed roots for Apple devices, see the Apple Support articles:
If the certificate or identity you want to install is in your keychain, use Keychain Access to export it in .p12 format. Keychain Access is located in /Applications/Utilities/. See the Keychain Access User Guide.
To add an identity for use with Microsoft Exchange or Exchange ActiveSync, single sign-on, VPN, and network or Wi-Fi, use that specific payload.
When deploying a PKCS12 file, if you omit the certificate identity’s passphrase, users are asked to enter it when the profile is installed. The payload content is obfuscated, but not encrypted. If you include the passphrase, make sure the profile is available only to authorised users.
Instead of installing certificates using a configuration profile, you can let users use Safari to download the certificates to their device from a web page using that certificate (you shouldn’t host the certificate). Or you can send certificates to users in a mail message. You can also use Simple Certificate Enrolment Protocol SCEP payload settings to specify how the device obtains certificates when the profile is installed.
Avoid trusting certificates manually
If a certificate is automatically installed from a payload from Profile Manager or installed using Apple Configurator 2, that certificate is fully trusted. If the certificate is manually installed by a profile that also contains a Profile Manager enrolment payload, the certificate is also given full trust. As a best practice, the certificate payload should be in the MDM enrolment profile to remove the step of manually trusting the certificate.