Install certificates in Apple devices
You can manually distribute certificates to iOS and iPadOS devices. When users receive a certificate, they tap to review the contents, then tap to add the certificate to the device. When an identity certificate is installed, users are asked for the password that protects it. If a certificate’s authenticity can’t be verified, it’s shown as untrusted, and the user can decide whether to add it to the device.
Install certificates using configuration profiles
iOS and iPadOS support two methods to deploy certificate identities with configuration profiles:
PKCS #12 identity certificate: If the identity is being provisioned off the device on behalf of the user or device, it can be packed into a PKCS #12 file (.p12 or .pfx) and protected with a password. If the payload contains the password, the identity can be installed without prompting the user for it.
SCEP: Using the Simple Certificate Enrollment Protocol (SCEP), the device places the certificate signing request directly to an enrollment server. With this technique, the private key remains only on the device.
To associate services with a particular identity, configure a SCEP or certificate payload, and then configure the desired service in the same configuration profile. For example, a SCEP payload can be configured to provision an identity for the device, and in the same configuration profile, a Wi-Fi payload can be configured for WPA2 Enterprise/EAP-TLS using the device certificate resulting from the SCEP enrollment for authentication.
Install certificates via Mail or Safari
You can send a certificate as an attachment to a mail message or host a certificate on a secure website where users download the certificate on their Apple devices.