You’ve already set up Certificate-Based Authentication (CBA) in your tenant \u2014 your Root CA is uploaded, the authentication method is enabled, and username bindings are configured. Now you need to issue certificates for additional users. This guide covers generating, packaging, and deploying user certificates on both macOS and Windows, plus automating deployment for Windows Entra enrollment.<\/p>\n\n\n\n
rootCA.key<\/code> and rootCA.crt<\/code>) are accessible<\/li>\n\n\n\n- OpenSSL is installed on your machine<\/li>\n\n\n\n
- The new user’s account already exists in Entra ID and you know their UPN (e.g.,
jane@yourdomain.com<\/code>)<\/li>\n<\/ul>\n\n\n\n
\n\n\n\nStep 1: Generate the User’s Private Key and CSR<\/h2>\n\n\n\n
Every user gets their own key pair and certificate. The critical requirement is including the user’s UPN in the Subject Alternative Name using the Microsoft UPN OID.<\/p>\n\n\n\n
On macOS \/ Linux<\/h3>\n\n\n\n
bash<\/p>\n\n\n\n
openssl genrsa -out jane-cba.key 2048\n\nopenssl req -new -key jane-cba.key \\\n -out jane-cba.csr \\\n -subj \"\/CN=jane@yourdomain.com\" \\\n -addext \"subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:jane@yourdomain.com\"<\/code><\/pre>\n\n\n\nOn Windows (PowerShell or Git Bash)<\/h3>\n\n\n\n
bash<\/p>\n\n\n\n
openssl genrsa -out jane-cba.key 2048\n\nopenssl req -new -key jane-cba.key -out jane-cba.csr -subj \"\/CN=jane@yourdomain.com\" -addext \"subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:jane@yourdomain.com\"<\/code><\/pre>\n\n\n\nReplace jane@yourdomain.com<\/code> with the user’s actual UPN in Entra ID. The UPN must match exactly \u2014 including case \u2014 for the username binding to work.<\/p>\n\n\n\n
\n\n\n\nStep 2: Sign the Certificate with Your Root CA<\/h2>\n\n\n\n
bash<\/p>\n\n\n\n
openssl x509 -req -in jane-cba.csr \\\n -CA rootCA.crt -CAkey rootCA.key -CAcreateserial \\\n -out jane-cba.crt -days 365 -sha256 \\\n -copy_extensions copyall<\/code><\/pre>\n\n\n\nThe -copy_extensions copyall<\/code> flag is essential \u2014 it copies the SAN from the CSR into the signed certificate. Without it, the SAN is silently dropped and CBA authentication will fail.<\/p>\n\n\n\n
\n\n\n\nStep 3: Bundle into a .pfx File<\/h2>\n\n\n\nOn macOS<\/h3>\n\n\n\n
If you’re running OpenSSL 3.x (most modern Macs), use the -legacy<\/code> flag so macOS Keychain can read the file:<\/p>\n\n\n\nbash<\/p>\n\n\n\n
openssl pkcs12 -export -out jane-cba.pfx \\\n -inkey jane-cba.key \\\n -in jane-cba.crt \\\n -certfile rootCA.crt \\\n -legacy<\/code><\/pre>\n\n\n\nOn Windows<\/h3>\n\n\n\n
bash<\/p>\n\n\n\n
openssl pkcs12 -export -out jane-cba.pfx -inkey jane-cba.key -in jane-cba.crt -certfile rootCA.crt<\/code><\/pre>\n\n\n\nYou’ll be prompted for an export password. For manual installs, pick something secure. For automated deployments, you’ll embed this password in your deployment script, so be aware of that tradeoff.<\/p>\n\n\n\n
\nTip:<\/strong> When prompted interactively, avoid special characters like @<\/code>, !<\/code>, #<\/code> in the password \u2014 shells can interpret them unexpectedly. Stick to alphanumeric passwords to avoid “MAC verification failed” headaches.<\/p>\n<\/blockquote>\n\n\n\n
\n\n\n\nStep 4: Import the Certificate on the User’s Machine<\/h2>\n\n\n\nOn macOS<\/h3>\n\n\n\n
Import both the user certificate and the root CA:<\/p>\n\n\n\n
bash<\/p>\n\n\n\n
security import jane-cba.pfx -k ~\/Library\/Keychains\/login.keychain-db -P \"YourPassword\"\nsecurity import rootCA.cer -k ~\/Library\/Keychains\/login.keychain-db<\/code><\/pre>\n\n\n\nIf the root CA was already imported on this machine (e.g., for another user), the second command will note it’s a duplicate, which is harmless.<\/p>\n\n\n\n
Troubleshooting: “MAC verification failed during PKCS12 import”<\/strong><\/p>\n\n\n\nThis means the .pfx<\/code> was created with OpenSSL 3.x’s newer encryption format. Recreate it with the -legacy<\/code> flag (see Step 3).<\/p>\n\n\n\nOn Windows \u2014 Manual Install<\/h3>\n\n\n\n
GUI method:<\/strong><\/p>\n\n\n\n\n- Double-click the
.pfx<\/code> file<\/li>\n\n\n\n- Select Current User<\/strong> as the store location<\/li>\n\n\n\n
- Enter the export password<\/li>\n\n\n\n
- Accept the defaults and complete the wizard<\/li>\n<\/ol>\n\n\n\n
Command line (run as Administrator):<\/strong><\/p>\n\n\n\npowershell<\/p>\n\n\n\n
certutil -addstore Root rootCA.cer\ncertutil -importpfx jane-cba.pfx<\/code><\/pre>\n\n\n\nYou’ll be prompted for the .pfx<\/code> password.<\/p>\n\n\n\nOn Windows \u2014 Automated via autounattend.xml<\/h3>\n\n\n\n
If you’re deploying Windows via USB with an unattended install, you can import the certificate automatically during setup.<\/p>\n\n\n\n
USB folder structure:<\/strong><\/p>\n\n\n\nESD-USB:\\\n\u251c\u2500\u2500 autounattend.xml\n\u2514\u2500\u2500 Certs\\\n \u251c\u2500\u2500 rootCA.cer\n \u2514\u2500\u2500 jane-cba.pfx<\/code><\/pre>\n\n\n\nAdd this to your autounattend.xml<\/strong> inside the appropriate settings pass (e.g., oobeSystem<\/code> or specialize<\/code>):<\/p>\n\n\n\nxml<\/p>\n\n\n\n
<RunSynchronousCommand wcm:action=\"add\">\n <Order>1<\/Order>\n <Path>powershell -ExecutionPolicy Bypass -Command \"$d=(Get-Volume -FileSystemLabel 'ESD-USB').DriveLetter; certutil -addstore Root ${d}:\\Certs\\rootCA.cer; certutil -importpfx -p 'YourPassword' ${d}:\\Certs\\jane-cba.pfx\"<\/Path>\n <Description>Import CBA Certificates<\/Description>\n<\/RunSynchronousCommand><\/code><\/pre>\n\n\n\nThis command dynamically finds the USB drive by its volume label (ESD-USB<\/code>), so it works regardless of which drive letter Windows assigns.<\/p>\n\n\n\n\nSecurity note:<\/strong> The .pfx<\/code> password is stored in plaintext in the XML. Treat the USB as a sensitive asset, and consider wiping or rotating the certificate after deployment.<\/p>\n<\/blockquote>\n\n\n\n
\n\n\n\nStep 5: Test the Login<\/h2>\n\n\n\n\n- Fully quit the browser<\/strong> (Cmd+Q on macOS, or close all windows on Windows)<\/li>\n\n\n\n
- Open the browser and go to https:\/\/login.microsoftonline.com<\/a><\/li>\n\n\n\n
- Enter the user’s email address<\/li>\n\n\n\n
- Choose “Use a certificate or smart card”<\/strong><\/li>\n\n\n\n
- Select the certificate from the picker dialog<\/li>\n\n\n\n
- On macOS, enter the Mac login password when the Keychain prompt appears \u2014 click Always Allow<\/strong> to avoid being asked again<\/li>\n<\/ol>\n\n\n\n
\n\n\n\nStep 6: Set CBA as the Default Sign-In Method<\/h2>\n\n\n\n
After a successful first login with the certificate, the user can set CBA as their default authentication method:<\/p>\n\n\n\n