Skip to main content

Deploying Enterprise Wi-Fi Certificates on ManageXR

Network certificate, self-signed CA certificate, SSL Certificate Network certificate, network security certificate

John Morgan avatar
Written by John Morgan
Updated over a week ago

Are you trying to deploy a certificate to a device? There are many ways to do this, and different types of certificates. The three major uses we see for certificates are:

  1. Deploying a User Certificate with a Wi-Fi profile to authenticate a device on a WPA2-Enterprise TLS network

  2. Deploying a CA Certificate to a Wi-Fi network for additional security on a WPA2-Enterprise network (PEAP, TLS, TTLS)

  3. Deploying a self-signed certificate to a device that is on a network with a Content Filtering System or Reverse Proxy to solve an SSL issue

This guide will walk you through how to accomplish each of these on ManageXR.

User Certificate for Wi-Fi Authentication

Behavior: Device requires a user certificate to authenticate with your Wi-Fi Network

Cause: TLS networks use certificates to authenticate devices

Solution: Find the correct user certificate by working with your IT admin and deploy it with the Wi-Fi profile in ManageXR

Enterprise Wi-Fi networks using EAP-TLS require a user certificate to determine whether a device is allowed to connect. This certificate identifies a specific user and signals to the RADIUS server that the device is authorized to join the network.

If you’re not setting up a network that uses EAP-TLS, this isn’t the right section for you!

FAQs & Troubleshooting: User Certificates

I deployed my user certificate — why isn’t my device connecting to the network?

If the certificate you've included is invalid or incorrect, your devices won't be able to connect to the network—meaning they'll stay offline and out of date.

If the user certificate looks valid but access is still being denied, the RADIUS server logs will usually show a rejection. Work with your IT Admin or service provider to review those logs. Once you've confirmed the issue, you'll need to update the certificate on ManageXR to correct it.

How do I correctly format my user certificate?

ManageXR requires the certificate in .pem format. User certificates are usually generated as .p12 or .pfx files. To use them with ManageXR, you’ll need to convert them to a .pem file—a text-based version that can be easily copied and pasted.

To convert a .p12 or .pfx, you can use OpenSSL. Run the following command: openssl pkcs12 -info -in FILE_PATH_TO_P12_FILE -nodes -out PATH_TO_EXPORTED_PEM_FILE. Detailed information about this process can be found in this article - Export Certificates and Private Key from a PKCS#12 File with OpenSSL.

Once you’ve created the .pem file, you can copy and paste it into the User Certificate field of your TLS-EAP Wi-Fi network on ManageXR.

Do I need to install the certificate?

No—this certificate is bundled into the Wi-Fi profile you deploy through ManageXR; it's not installed directly on the device. If someone has instructed you to manually install a certificate, it's likely you don't have the right type of certificate (a user certificate). In that case, you may need to try one of the other certificate options outlined in this guide.

CA Certificate for Wi-Fi Security

Behavior: Android 14 devices will not successfully deploy a Wi-Fi network without a CA Certificate + domain

Cause: Android 14 requires both a CA Certificate and domain to deploy Wi-Fi via an MDM (which beefs up security)

Solution: Find your CA Certificate using the guide below and attach it to the Wi-Fi profile in ManageXR

A CA Certificate (Certificate Authority Certificate) is a certificate used to verify the authenticity of other certificates—kind of like a trusted stamp of approval. It's often used with Wi-Fi networks to securely connect devices, especially when using enterprise-level networks (like ones that use RADIUS authentication).

While some devices don’t strictly require a CA Certificate to connect to Wi-Fi, Android 14 devices require it. This includes:

  • Pico 4 Ultra Enterprise (which runs Android 14)

  • Meta Quest devices running firmware version v76 or later

To avoid issues with Wi-Fi connectivity or network updates, we strongly recommend that you always include both:

  1. A CA Certificate

  2. A Domain field

Doing so not only ensures compatibility with all devices but also adds an important layer of security. It helps protect against Man-in-the-Middle attacks, where someone might try to impersonate your network’s authentication server (RADIUS) to steal sensitive credentials or certificates.

If you’d like to learn more about the background for this, we recommend checking out this article.

How do you find your CA Certificate?

The CA Certificate you use will be based on the certificate your RADIUS servers use. There are two main methods to find this certificate:

Method 1: Connect on a computer and find the certificate

Follow the instructions to view and export a CA certificate on your computer:

macOS Steps

How to Identify and Export a CA Certificate on macOS:

Step 1: Identify the CA from Network Settings

  1. Click the Wi-Fi icon in the top menu bar, then select Wi-Fi Settings (or Open Network Preferences).

  2. Select your connected Enterprise Wi-Fi network from the left sidebar.

  3. Click the Details... button (macOS Ventura or later) or Advanced... button (older macOS versions).

  4. In the 802.1X tab, look for the Authentication method (e.g., PEAP, EAP-TLS, etc.) and the identity/certificate name.

  5. Note the identity or user name listed—you’ll use this in the next step.

Step 2: Find the CA Certificate in Keychain Access

  1. Open Keychain Access (Applications > Utilities > Keychain Access.app).

  2. In the left sidebar, select the System or login keychain (Enterprise Wi-Fi CA certs typically appear in System).

  3. Under “Category,” click Certificates.

  4. Look for a certificate that matches the name or issuer used by your Wi-Fi network (e.g., your company or organization’s name).

Step 3: Verify the Correct Certificate

  1. Double-click the certificate you suspect is correct.

  2. Go to the Trust section and confirm it’s set to:

    • "Always Trust" or

    • "System Default" (and validated)

  3. Check the Details section to review the issuer, expiration date, and other relevant info.

Optional: Export the Certificate

  1. In Keychain Access, select the desired CA certificate.

  2. Right-click and choose Export.

  3. Save it as a .pem file (Base64-encoded format).

Windows Steps

Step 1: Open the Certificate Manager

  1. Press Windows Key + R to open the Run dialog.

  2. Type: certmgr.msc and press Enter.

Step 2: Locate the Trusted CA Certificate

  1. In the left panel, expand:
    Trusted Root Certification Authorities → Certificates

  2. Look for a certificate that matches the CA name you previously identified.
    (Typically, enterprise Wi-Fi CAs have recognizable names like your organization or network provider.)

Step 3: Verify the Certificate

  1. Double-click the certificate to open it.

  2. Check the Details, Issuer, and Validity Period to confirm it's the correct one.

Optional: Export the Certificate

  1. Right-click on the certificate.

  2. Select All Tasks → Export.

  3. Follow the wizard and choose the Base64-encoded (.pem) format when prompted.

Method 2: How to Find the Correct CA Certificate Using Your RADIUS Server Certificate

This method requires getting the certificate deployed on your RADIUS server, and then using it to identify the correct CA cert. Follow the instructions for your computer:

macOS Steps

Step 1: Get the Certificate from Your RADIUS Server

  1. Download or export the certificate that your RADIUS server uses.

  • Note, this certificate is not the CA certificate, but it will help you identify which CA certificate you need.

Step 2: Inspect the Certificate Using OpenSSL

Openssl comes by default on Macs, so you can just pop open a terminal and run this command

  1. Open Terminal on your Mac.

  2. Run the following command (replace the path with the location of your certificate):

    openssl x509 -text -in ~/path/to/certificate.pem

Step 3: Check If It's a CA Certificate

  1. Look for the "X509v3 extensions" section in the output.

  2. Find the part that says whether it is a “CA: TRUE” or is not a CA “CA: FALSE”.

  3. If it says FALSE, this is not a CA certificate. If TRUE, skip to step 6.

Step 4: Identify the CA Certificate Issuer

  1. In the same output, find the Issuer field near the top. This shows who issued the certificate (i.e., the CA).

  • Example: If the issuer is CN = Thawte TLS RSA CA G1, that’s the CA certificate you're looking for.

Step 5: Download the CA Certificate

  1. Go to the CA’s website. Most Certificate Authorities provide a page listing all their root certificates. For example, DigiCert’s certificate list is here: https://www.digicert.com/kb/digicert-root-certificates.htm

  2. Find and download the matching certificate in PEM format.
    e.g. (e.g., Thawte TLS RSA CA G1) in the example above:

Step 6: Use the CA Certificate with Your Wi-Fi Configuration

  1. Copy and paste the PEM formatted certificate to the CA Certificate field in your Wi-Fi network on ManageXR

Windows Steps

Step 1: Get the Certificate from Your RADIUS Server

  1. Download or export the certificate that your RADIUS server uses.

  • Note, This certificate is not the CA certificate, but it contains the issuer info you'll need to track down the CA.

Step 2: Open the Certificate in Windows

  1. Double-click the certificate file to open it.

  2. Switch to the Details tab.

  3. Scroll to find the field called "Issuer" — this tells you which Certificate Authority (CA) issued it.

Step 3: Confirm It’s Not a CA Certificate

  1. Still in the Details tab, look for the field called "Basic Constraints".

  2. It will say something like:

    • Subject Type=End Entity → This is not a CA certificate.

    • If it says Subject Type=CA, then this is a CA certificate. Skip to Step 5.

Most likely, your RADIUS server's certificate is an end-entity cert, so you’ll need to find its issuer’s CA cert.

Step 4: Download the Correct CA Certificate

  1. Go to the Certificate Authority’s website. Most CAs publish their root and intermediate certificates. For example, DigiCert's CA certs are available here: https://www.digicert.com/kb/digicert-root-certificates.htm

  2. Look for the certificate that matches the Issuer CN from Step 2

  3. Download it in PEM format

Step 5: Use the CA Certificate in Your Wi-Fi Configuration

  1. Copy and paste the PEM formatted certificate to the CA Certificate field in your Wi-Fi network on ManageXR

Testing a CA Certificate with a Wi-Fi Network in ManageXR

After obtaining the correct CA certificate and domain name, test the updated network settings on a single device using a test configuration in ManageXR.

To safely validate a CA certificate before deploying it broadly, follow these steps:

  1. Duplicate your existing Wi-Fi network in ManageXR and give it a nickname that clearly indicates it is for testing purposes.

  2. Add the CA certificate (in PEM format) and the domain name to this test Wi-Fi network only.

  3. Create a new configuration by duplicating your current configuration and replacing the Wi-Fi network with the test version that includes the certificate.

  4. Assign the new configuration to a single device to verify that it connects and authenticates as expected.

  5. Once the test is successful and the device behaves as intended, add the CA certificate to your main Wi-Fi network and remove the test network and configuration to keep your ManageXR configuration list clean.

Adding Self Signed CA Certificates for Content Filtering Systems

Behavior: Devices will connect to a network, but will not be able to communicate with the internet

Cause: Devices think their traffic is being intercepted, so will fail to send requests rather than risk exposing themselves

Solution: Upload your certificate file to the ManageXR Web Console and then reach out to support@managexr.com specifying which configuration(s) you would like the certificate to be deployed to.

A content filtering system monitors all outgoing traffic and then forwards it onwards to the internet so it can make sure internet use is only according to the policies set. As part of this, it basically performs a “Man-in-the-Middle” attack. If an untrusted third party was doing this, they would be trying to gain access to all of your web traffic! As a result, devices do not trust the additional certificate added as part of this system by default.

The solution to this is to install the certificate on the device. This usually means adding another CA Certificate. This is different from the above, because it gets installed at the device level so all applications can use it, as opposed to being attached to a specific Wi-Fi network.

Instructions

If your devices are connected to a Wi-Fi network and still can’t communicate with the internet, your network may use a Content Filtering System or Reverse Proxy. We recommend following these steps:

  1. Ask your admin if your network is using a Content Filtering System or a Reverse Proxy. If yes, proceed with steps 2-4:

  2. Work with your admin to gather your certificate and reach out to support@managexr.com to get it uploaded. The certificate will be formatted in either a .pem, .crt, or .cer file.

  3. Upload your certificate file to the Files library.

  4. Reach out to support@managexr.com and request that this cert be applied to a specific configuration. Please include the name of your organization and the configuration to which you wish to apply this cert in your support ticket.

FAQs & Troubleshooting: Self Signed CA Certs

How do I deploy the same cert on another configuration?

If you’d like to deploy the same certificate to another configuration in the future, you can simply duplicate the existing configuration - the new configuration will then also have the certificate attached.

Related Articles
Configure Wi-Fi Network Profiles
Enterprise Network Certificates: What Are They and What Are They Used For?
Device Alerts
Network Deployment Guide
Did this answer your question?