Certificates settings

Use the certificates payload to add certificates and identities to the device.

Note: Use the certificates payload for all configuration profiles. For more information, see About profiles and payloads and Payload best practices.

iOS and OS X devices can use X.509 certificates with RSA keys. The file extensions .cer, .crt, .der, .p12, and .pfx are recognized, and certificates in PKCS1 and PKCS12 format are supported. Use P12 (PKCS #12 standard) files that contain exactly one identity. To add a certificate to the payload, click Add Certificate.

When you install credentials, also install the intermediate certificates to establish a chain to a trusted certificate that’s on the device. To view a list of preinstalled roots for iOS devices, see the Apple Support article List of available trusted root certificates. In OS X, use Keychain Access to view the System Roots keychain.

To add an identity for use with Microsoft Exchange, use the Exchange settings.

If you omit the certificate’s passphrase, the user is asked to enter it when the profile is installed. Payload content is obfuscated to prevent casual snooping, but it isn’t encrypted, so if you include the passphrase, be sure the profile is available only to authorized users.
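
The following is an added example, not part of Apple's documentation: a check that reads an unsigned configuration profile and reports every certificate payload, flagging identities whose passphrase is stored in the profile. It assumes the standard certificate payload keys of the configuration profile format (PayloadType, PayloadCertificateFileName, Password); the sample profile and all values in it are constructed.

```python
import plistlib
from pathlib import PurePosixPath

# Certificate payload types defined by Apple's configuration profile format.
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
              "com.apple.security.pem", "com.apple.security.pkcs12"}
IDENTITY_TYPE = "com.apple.security.pkcs12"
# File extensions the documentation lists as recognized.
RECOGNIZED_EXT = {".cer", ".crt", ".der", ".p12", ".pfx"}

def audit_profile(profile_bytes):
    """Return one finding per certificate payload in an unsigned profile."""
    try:
        profile = plistlib.loads(profile_bytes)
    except Exception as exc:
        # Signed or encrypted profiles are CMS-wrapped, not a bare plist.
        raise ValueError("not a plain plist profile") from exc
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype not in CERT_TYPES:
            continue
        name = payload.get("PayloadCertificateFileName", "")
        is_identity = ptype == IDENTITY_TYPE
        findings.append({
            "name": name,
            "identity": is_identity,
            # A Password key means the passphrase ships as readable text.
            "passphrase_embedded": is_identity and bool(payload.get("Password")),
            "extension_recognized":
                PurePosixPath(name).suffix.lower() in RECOGNIZED_EXT,
        })
    return findings

def build_sample_profile(with_password):
    """Constructed profile: one identity, one root, one unrelated payload."""
    identity = {"PayloadType": IDENTITY_TYPE,
                "PayloadCertificateFileName": "user.p12",
                "PayloadContent": b"constructed-bytes-not-a-real-p12"}
    if with_password:
        identity["Password"] = "constructed-passphrase"
    root = {"PayloadType": "com.apple.security.root",
            "PayloadCertificateFileName": "corp-root.pem",
            "PayloadContent": b"constructed-bytes-not-a-real-cert"}
    wifi = {"PayloadType": "com.apple.wifi.managed"}
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [identity, root, wifi]})

if __name__ == "__main__":
    for finding in audit_profile(build_sample_profile(with_password=True)):
        print(finding)
```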

Instead of installing certificates using a configuration profile, you can let users use Safari to download the certificates to their device from a webpage. Or, you can send certificates to users via a mail message. You can also use Simple Certificate Enrollment Protocol (SCEP) settings to specify how the device obtains certificates when the profile is installed.