PKCS (Public-Key Cryptography Standards)
PKCS is a group of public-key cryptography standards developed by RSA Security. In MDM environments, PKCS#12 (.p12) files are commonly used to distribute identity certificates to devices, while PKCS#7 is used for signing and encrypting data, including configuration profiles.
What to Know
PKCS standards provide interoperable formats for cryptographic operations essential to MDM security. PKCS#12 files bundle private keys and certificates into password-protected containers for secure distribution to devices, enabling client certificate authentication for network access (Wi-Fi, VPN) and application authentication. PKCS#7 (CMS) provides standard formats for signing and encrypting data, used by Apple to sign configuration profiles and verify profile integrity. Without standardized formats like PKCS, different systems would use incompatible certificate and key formats, preventing interoperability.
PKCS#1 (RSA cryptography), PKCS#8 (private key info), and PKCS#10 (certificate requests) are also commonly encountered in MDM certificate workflows. SCEP, used for automated certificate enrollment, relies on PKCS standards for certificate request and response formats. Understanding PKCS formats helps troubleshoot certificate deployment issues, as format mismatches or corrupted files cause enrollment and authentication failures.
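The format mismatches and corrupted files described above can be caught before a file is uploaded to an MDM. The following is an added example, not code from the original page or from Addigy: it names the PKCS structure in a file from its PEM label or its leading DER fields and flags truncation. The function names are hypothetical, and DER detection is narrowed to PKCS#12, PKCS#7 signedData, unencrypted PKCS#8 and PKCS#1.

```python
import re
# PEM labels (RFC 7468 / OpenSSL convention) and the structure each one wraps.
PEM_LABELS = {
    "RSA PRIVATE KEY": "PKCS#1 RSA private key",
    "PRIVATE KEY": "PKCS#8 private key",
    "ENCRYPTED PRIVATE KEY": "PKCS#8 encrypted private key",
    "CERTIFICATE REQUEST": "PKCS#10 certificate request",
    "PKCS7": "PKCS#7 (CMS)",
    "CERTIFICATE": "X.509 certificate",
}
OID_DATA = bytes.fromhex("2a864886f70d010701")    # 1.2.840.113549.1.7.1 (data)
OID_SIGNED = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2 (signedData)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F  # n == 0 (BER indefinite) yields length 0; descent still works
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("declared length runs past end of file")
    return tag, pos, pos + length

def classify(data):
    """Name the PKCS structure in data, or say why it could not be read."""
    m = re.search(rb"-----BEGIN ([A-Z0-9 ]+)-----", data)
    if m:
        return PEM_LABELS.get(m.group(1).decode(), "unknown PEM label")
    try:
        tag, start, _ = read_tlv(data, 0)
        if tag != 0x30:
            return "not DER: outer element is not a SEQUENCE"
        t1, s1, e1 = read_tlv(data, start)
        if t1 == 0x06 and data[s1:e1] == OID_SIGNED:
            return "PKCS#7 (CMS) signedData"
        if t1 == 0x02:  # an INTEGER version leads PKCS#12, PKCS#8 and PKCS#1
            version = int.from_bytes(data[s1:e1], "big")
            t2, s2, _ = read_tlv(data, e1)
            if version == 3 and t2 == 0x30:  # PFX: version 3, then ContentInfo
                t3, s3, e3 = read_tlv(data, s2)
                if t3 == 0x06 and data[s3:e3] in (OID_DATA, OID_SIGNED):
                    return "PKCS#12 (PFX)"
            if version == 0 and t2 in (0x30, 0x02):
                return "PKCS#8 private key" if t2 == 0x30 else "PKCS#1 RSA private key"
    except (ValueError, IndexError) as exc:
        return "corrupted or truncated: " + str(exc)
    return "unrecognized DER structure"
```

Call it as `classify(open(path, "rb").read())`. It reads structure only and never decrypts, so it does not confirm that a PKCS#12 password is correct or that the certificate and private key match.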
Common Scenarios
Enterprise IT: IT teams export PKCS#12 files from certificate authorities to deploy identity certificates via MDM for 802.1X Wi-Fi authentication or VPN access. P12 files require passwords for protection, which must be securely communicated to MDM admins and properly configured in MDM payloads. IT must understand certificate-key pair relationships — PKCS#12 files contain both the certificate and private key, while PKCS#7 files typically contain only certificates. Profile signing using PKCS#7 ensures deployed profiles haven’t been tampered with during transit.
MSP: MSPs managing certificate-based authentication for clients must handle PKCS#12 file generation, secure password management, and deployment via MDM profiles. Client-specific certificate requirements may involve different CA formats and PKCS variations that MSPs must convert or adapt. MSPs should implement secure workflows for handling PKCS#12 files, as they contain sensitive private keys that could enable network access if compromised. Certificate renewal workflows require generating new PKCS#12 files and redeploying profiles before existing certificates expire.
Education: School districts deploying certificate-based Wi-Fi authentication use PKCS#12 files to distribute unique device certificates via MDM, enabling network access control and device tracking. Education IT must balance security (unique per-device certificates) with operational simplicity (shared certificates across device groups). PKCS#12 password management is challenging at scale — some schools use the device serial number or empty passwords, while others implement automated workflows that inject passwords programmatically during enrollment.
In Addigy
Addigy supports deploying PKCS#12 certificates through configuration profiles, allowing admins to upload P12 files with their passwords and deploy them to managed devices. Addigy securely stores certificate passwords and handles the deployment workflow, installing identity certificates into device keychains where they’re accessible to Wi-Fi, VPN, and application authentication systems. Administrators can specify certificate usage constraints, determining which services can access deployed certificates.
When configuring certificate profiles in Addigy, admins upload PKCS#12 files and provide passwords through the admin console. Addigy validates certificate format and expiration before deployment, helping catch configuration errors. Addigy’s certificate management features include expiration tracking and deployment status visibility, helping admins maintain certificate hygiene across the managed fleet and plan renewal activities before certificates expire.
Also Known As
- RSA Cryptography Standards
- Public Key Standards