EntryPoint is not a CA
The admin UI does not let you generate or sign certificates inside EntryPoint. The flow is always:
- You (or your corporate PKI, or MDM provider) issue the client certificates.
- You upload the CA chain to EntryPoint on this page.
- EntryPoint validates the chain on every EAP-TLS attempt.
Upload trusted CAs
Open the Context and go to the relevant TLS configuration card:
- For EAP-TLS with User Certificate — the card appears once EAP-TLS is enabled at Context level.
- For EAP-TLS with Device Certificate — the same trusted-CA list, plus a per-Group Certificate Group Identifier so that one CA can serve multiple Groups.
Certificate revocation (CRL)
Configure a CRL URL for each trusted CA so EntryPoint can check whether a presented certificate has been revoked. Without a CRL, revoking a certificate in your corporate PKI has no effect on EntryPoint's validation: the certificate still chains to a trusted CA and is accepted. The CRL URL has to be reachable from EntryPoint, and a revocation only takes effect once the CA has published a CRL that lists the certificate.
Day-to-day operations
- Issuing a new cert → done outside EntryPoint, in your PKI / MDM. Just make sure it’s signed by a CA in the trusted list.
- Revoking a cert → revoke at the CA, make sure the CA republishes its CRL (and that EntryPoint has fetched the new one), and optionally remove the Self-Service User or the MAC from the Group to block the device immediately rather than waiting for the CRL refresh.
- CA rotation → upload the new CA, leave the old one in place until no cert chained to it is still in use, then remove the old CA.
What lives in the Group vs the Context
- Context level (this page) — trusted CAs and CRL URLs.
- Group level — Certificate Group Identifier. EntryPoint matches the identifier against an attribute in the client certificate (for example, an OU in the subject DN) to decide which Group the device belongs to. See Device certificates and Intune.
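The checks described under Certificate revocation (CRL) and in the Group vs Context split above (chain validation, the CRL check, and reading the subject attribute that the Certificate Group Identifier is matched against) can be rehearsed locally with the openssl CLI before anything is uploaded. The script below is an added example, not EntryPoint code or an EntryPoint feature: it builds a throwaway CA in a temporary directory, issues two client certificates, revokes one, publishes a CRL, and then runs the validation EntryPoint performs on an EAP-TLS attempt, once without and once with the CRL. The CA name, file names, the OU values "Laptops" and "Phones", and the assumption that the identifier lives in the subject OU are illustrative.

```shell
#!/bin/sh
# Added example (not EntryPoint code): a throwaway PKI built with the openssl
# CLI to rehearse what EntryPoint does with an uploaded CA and CRL. All names,
# paths and OU values below are assumptions for the demo.
set -u

# Minimal openssl.cnf: [req] for the self-signed CA cert, [ca] so that
# "openssl ca -revoke" and "openssl ca -gencrl" can keep a revocation database.
write_openssl_cnf() {  # dir
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
}

# Stand-in for the corporate PKI / MDM: issue one client cert whose subject OU
# plays the role of the Certificate Group Identifier.
issue_client_cert() {  # dir name cn ou
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -config "$1/openssl.cnf" -subj "/O=Example Corp/OU=$4/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -sha256 -out "$1/$2.crt" 2>/dev/null
}

# Build the CA, two client certs, revoke one and publish a CRL. What you would
# upload to EntryPoint is $1/ca.crt plus the URL serving $1/crl.pem.
setup_demo_pki() {  # dir
    write_openssl_cnf "$1"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -config "$1/openssl.cnf" -subj "/O=Example Corp/CN=Example Corp Device CA" \
        -days 365 -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    issue_client_cert "$1" active  laptop-001 Laptops
    issue_client_cert "$1" revoked phone-007  Phones
    : > "$1/index.txt"; echo 01 > "$1/crlnumber"; echo 01 > "$1/serial"
    ( cd "$1" \
      && openssl ca -config openssl.cnf -keyfile ca.key -cert ca.crt \
             -revoke revoked.crt 2>/dev/null \
      && openssl ca -config openssl.cnf -keyfile ca.key -cert ca.crt \
             -gencrl -out crl.pem 2>/dev/null )
}

# What EntryPoint does per EAP-TLS attempt: accept only if the presented cert
# chains to a trusted CA and, when a CRL is configured, is not listed on it.
# Returns 0 (accept) or 1 (reject) and prints the verdict.
validate_client() {  # ca.crt client.crt [crl.pem]
    if [ -n "${3:-}" ]; then
        reason=$(openssl verify -crl_check -CAfile "$1" -CRLfile "$3" "$2" 2>&1) \
            && { echo "accept: $2 (CRL checked)"; return 0; }
    else
        reason=$(openssl verify -CAfile "$1" "$2" 2>&1) \
            && { echo "accept: $2 (no CRL configured)"; return 0; }
    fi
    printf 'reject: %s: %s\n' "$2" "$(printf '%s' "$reason" | tr '\n' ' ')"
    return 1
}

# The subject OU that a Group's Certificate Group Identifier is matched against
# (assumption: the identifier is carried in the OU).
group_identifier() {  # client.crt
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
        | sed -n 's/^[[:space:]]*OU=//p'
}

# Demo run: same revoked cert, with and without the CRL.
demo_dir=$(mktemp -d)
setup_demo_pki "$demo_dir"
validate_client "$demo_dir/ca.crt" "$demo_dir/revoked.crt"                     # accept
validate_client "$demo_dir/ca.crt" "$demo_dir/revoked.crt" "$demo_dir/crl.pem" # reject
validate_client "$demo_dir/ca.crt" "$demo_dir/active.crt"  "$demo_dir/crl.pem" # accept
echo "group identifier of active.crt: $(group_identifier "$demo_dir/active.crt")"  # Laptops
rm -rf "$demo_dir"
```

Running it shows the point made under Certificate revocation (CRL): the revoked certificate is accepted as long as no CRL is supplied and rejected only once the CRL is present. To rehearse a CA rotation, concatenate the old and new CA certificates into one file and pass it as the -CAfile argument to validate_client; any device certificate that fails against the new CA alone is one that still chains to the old CA and must be reissued before the old CA is removed.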
Related
Comparing variants
How EAP-TLS fits with PEAP, iPSK, and Radius Proxy.
Device certificates and Intune
Device-cert Groups and the Certificate Group Identifier.

