1
00:00:01,940 --> 00:00:04,620
So the process of creating a user authentication

2
00:00:04,620 --> 00:00:07,590
certificate using PKCS is quite similar.

3
00:00:07,590 --> 00:00:09,440
So we'll go through the same steps here.

4
00:00:09,440 --> 00:00:13,240
So we'll go to Devices,

5
00:00:13,240 --> 00:00:20,070
Configuration profiles, and then we'll select Create profile. And once

6
00:00:20,070 --> 00:00:26,940
again select Windows 10, Templates, and PKCS certificate.

7
00:00:26,940 --> 00:00:34,840
So we'll click Create, and we'll give this one another name. Choose Next.

8
00:00:34,840 --> 00:00:41,260
And once again, 20% is the kind of standard there. Validity period 1 year.

9
00:00:41,260 --> 00:00:45,840
KSP, same thing. We want to enroll to KSP, otherwise fail.

10
00:00:45,840 --> 00:00:49,790
Our CA, again, is our CA servers, or in this case, the

11
00:00:49,790 --> 00:00:54,140
issuing CA's fully qualified domain name.

12
00:00:54,140 --> 00:01:00,240
And we'll paste in our CA authority name here as well.

13
00:01:00,240 --> 00:01:04,110
And the template name is, again, this is the same template as we used before.

14
00:01:04,110 --> 00:01:08,570
Again, you can use the same template, and whether or not it's a device or

15
00:01:08,570 --> 00:01:13,240
user certificate is really dictated here by this profile.

16
00:01:13,240 --> 00:01:17,250
And in this case, the Certificate type is a User certificate, so we'll leave

17
00:01:17,250 --> 00:01:20,580
that as the default. And then the Subject name format,

18
00:01:20,580 --> 00:01:25,750
the default here is okay, although I would caution you not to use the email

19
00:01:25,750 --> 00:01:28,730
address because if it's not present on the AD account,

20
00:01:28,730 --> 00:01:30,020
then it can cause problems.

21
00:01:30,020 --> 00:01:32,700
But the username will always be there, so I'm just going to remove

22
00:01:32,700 --> 00:01:36,710
that. And for the Subject alternative name here,

23
00:01:36,710 --> 00:01:41,600
I'm going to select UPN, and then I will enter a user principal

24
00:01:41,600 --> 00:01:45,480
name here in the curly braces. Scroll down.

25
00:01:45,480 --> 00:01:49,830
And for our Extended key usage, again, we're going to use Client Authentication.

26
00:01:49,830 --> 00:01:52,670
It's the same for both Device and User certificates.

27
00:01:52,670 --> 00:01:54,720
They just require Client Authentication.

28
00:01:54,720 --> 00:01:57,740
So finally we'll choose Next,

29
00:01:57,740 --> 00:02:01,700
add a group here, and I'm going to assign this to my VPN Users because it's

30
00:02:01,700 --> 00:02:12,640
a User certificate. Next and Next again and then Create.

31
00:02:12,640 --> 00:02:16,510
And at that point, I have deployed a PKCS

32
00:02:16,510 --> 00:02:19,700
certificate for our Always On VPN users.

33
00:02:19,700 --> 00:02:26,000
Any users in that group now, once they sync within Intune, will pick up that certificate.