How to use Active Directory certificates in devices for authentication

You can use a certificate authority in the Active Directory Certificate Service to generate user and computer certificates for user and device authentication. In turn, you can use these certificates for log-in authentication in the Wi-Fi, VPN, and Exchange ActiveSync server profiles rather than an account’s user name and password.

Note:   This section only applies when you use the Active Directory Certificate Service to issue your certificate. If you are using the Centrify Tenant Certificate Authority, you can skip this section. See How to select the policy service for device management.

To use certificates from your Active Directory certification authority

  1. You must create user or computer certificate templates on the Windows Certificate Authority server used by the Centrify Connector. In addition, you need to configure the host computer for each of your Centrify Connectors so that it can revoke certificates. See Creating the certificate templates.
  2. After you create the templates, the certificates are automatically created for and then installed by Privileged Access Service when the user registers the device.
  • If you are using Active Directory group policy for device policy management, you can select the certification authority when you configure Device Policy Management—see Selecting Active Directory group policy. If you are using Centrify directory policy service for device policy management and select the Active Directory Certificate Service, Privileged Access Service uses the default Active Directory Certificate Services certification authority only.
  • In many cases, additional server configuration is required before you can use certificates for authentication. See your server’s documentation for the details.

The procedures in this section assume that you have a working Active Directory Certificate Services certificate authority within your domain and you have sufficient permissions to modify the settings.