Install certificates in Apple devices
You can manually distribute certificates to Mac computers. When users receive a certificate, they double-click it to open Keychain Access and review the contents. If the certificate matches expectations, users select the desired keychain and click the Add button. Most user certificates need to be installed in the Login Keychain. When an identity certificate is installed, users are asked for the password that protects it. If a certificate’s authenticity can’t be verified, it’s shown as untrusted, and the user can decide whether to add it to the Mac.
Some certificate identities can be automatically renewed on Mac computers. See Automatically renew certificates delivered via a configuration profile.
Install certificates using configuration profiles
macOS supports three methods to deploy certificate identities with configuration profiles:
PKCS #12 identity certificate: If the identity is provisioned off the device on behalf of the user or device, it can be packaged into a PKCS #12 file (.p12 or .pfx) and protected with a password. If the payload contains the password, the identity can be installed without prompting the user for it.
SCEP: Using the Simple Certificate Enrollment Protocol (SCEP), the device submits the certificate signing request (CSR) directly to an enrollment server. With this technique, the private key remains only on the device.
Active Directory certificate: By configuring the Active Directory Certificate payload, macOS submits a certificate signing request (CSR) directly to an Active Directory Certificate Services (AD CS) issuing CA over Remote Procedure Call (RPC). You can enroll machine identities using the credentials of the Mac computer’s object in Active Directory. Users can supply their credentials as part of the enrollment process to provision individual identities. Using the ADCertificate payload, administrators have additional control of private key usage and the certificate template for enrollment. As with SCEP, the private key remains on the device.
To associate services with a particular identity, configure an Active Directory Certificate, SCEP, or certificate payload, then configure the desired service in the same configuration profile. For example, you can configure an ADCertificate payload to provision an identity for the device, and in the same configuration profile, a Wi-Fi payload can be configured for WPA2 Enterprise EAP-TLS using the device certificate that results from the ADCertificate enrollment for authentication.
Install certificates via Mail or Safari
You can send a certificate as an attachment to a mail message or host a certificate on a secure website where users download the certificate on their Apple devices.