PKI Certificates

The PKI Certificates settings allow you to manage the certificate lifecycle directly in Jamf Pro. To ensure secure communication with the Apple Push Notification service (APNs), Jamf Pro requires a public key infrastructure (PKI) that supports certificate-based authentication. The PKI must include the following components:

  • A certificate authority (CA)

  • A signing certificate

  • A CA certificate

For more information on PKI and its components, see Security.

When configuring the PKI Certificates settings, you can choose the following options for the CA:

  • Use a built-in CA.

  • Integrate with a trusted third-party CA (Symantec).

  • Configure your own PKI if you have access to an external CA that supports the Simple Certificate Enrollment Protocol (SCEP).

Note: If you do not want computers or mobile devices to communicate directly with a SCEP server, you can enable Jamf Pro to proxy this communication between a SCEP server and the devices in your environment. For more information, see the Enabling Jamf Pro as SCEP Proxy technical paper.


The PKI Certificates settings in Jamf Pro allow you to perform the following tasks:

  • View a list of active, expiring, inactive or all certificates issued by a CA.

  • Add a PKI certificate authority to the Jamf Pro Dashboard.

  • View details of a specific certificate that was issued.

  • Export a certificate list for a CA.

Using the Built-in CA

There is no configuration necessary to use the built-in CA—the signing and CA certificates are created and stored for you. The built-in CA is used by default to issue certificates to both computers and mobile devices. When a device that needs a certificate checks in with Jamf Pro, it communicates with the SCEP server to obtain the certificate.

Note: If you do not want computers or mobile devices to communicate directly with a SCEP server and you are using the built-in CA, you can enable Jamf Pro as SCEP Proxy to issue device certificates via configuration profiles. For more information, see the Enabling Jamf Pro as SCEP Proxy technical paper.

You can use the PKI Certificates settings in Jamf Pro to perform the following tasks related to the built-in CA:

  • Download the built-in CA certificate.

  • View and revoke certificates issued by the built-in CA.

  • Create certificates using a Certificate Signing Request (CSR).

  • Create a backup of the built-in CA certificate.

Downloading the Built-in CA Certificate

You can use the PKI Certificates settings in Jamf Pro to download the CA certificate issued by the built-in CA.

Note: The CA certificate issued by the built-in CA is also stored in the System keychain in Keychain Access.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. Click the Management Certificate Template tab, and then click Built-in CA.

  6. Click Download CA Certificate.

The certificate (.pem) downloads immediately.

Viewing or Revoking Built-in CA Certificates

You can view the following information for a certificate issued by the built-in CA:

  • Subject name

  • Serial number

  • Device name associated with the certificate

  • Username associated with certificate

  • CA configuration name

  • Date/time issued

  • Expiration date/time

  • Status

  • Date/time revoked (if applicable)

You can also revoke a certificate issued by the built-in CA.

Warning: Revoking a certificate stops communication between Jamf Pro and the computer or mobile device that the certificate was issued to. You will need to re-enroll the computer or device to restore communication.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. To view a list of Expiring, Active, Inactive or All certificates, click the number displayed in the corresponding column on the Certificate Authorities pane.
    A list of certificates issued by the built-in CA is displayed.

  6. Click the certificate subject of the certificate you want to view or revoke.
    Information about the certificate is displayed.

  7. To revoke the certificate, click Revoke.
    The status of the certificate is changed to Revoked.

  8. Click Done to return to the list of built-in certificates.

Manually Creating a Built-in CA Certificate from a CSR

Depending on your environment, you may need to manually create a certificate from a certificate signing request (CSR). For example, you may need to do this if you have a clustered environment with Tomcat configured for working behind a load balancer. You can create this certificate using the PKI Certificates settings in Jamf Pro.

Note: The certificate created from the CSR is intended solely for purposes of communication between Jamf Pro and a managed computer or mobile device.

To create a certificate from a CSR, you need a request in Base64-encoded PEM format.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. Click the Management Certificate Template tab, and then click Built-in CA.

  6. Click Create Certificate from CSR.

  7. In the CSR field, paste the CSR.
    The request must begin with
    -----BEGIN CERTIFICATE REQUEST-----
    and end with
    -----END CERTIFICATE REQUEST-----

  8. Click Create.
    The certificate (.pem) is downloaded immediately.

  9. Click Back to return to the Built-in CA pane.

Creating a Backup of the Built-in CA Certificate

It is recommended that you create a password-protected backup of the CA certificate issued by the built-in CA and store it in a secure location.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. Click the Management Certificate Template tab, and then click Built-in CA.

  6. Click Create CA Backup.

  7. Create and verify a password to secure the backup of the built-in CA certificate.
    You will need to enter this password to restore the certificate backup.

  8. Click Create Backup.
    The backup file (.p12) is downloaded immediately.

  9. Click Back to return to the Built-in CA pane.

Integrating with a Symantec CA

In Jamf Pro, you can add Symantec as a certificate authority. Symantec certificates are managed in Jamf Pro using the Symantec Managed PKI service.

Use the PKI Certificates settings in Jamf Pro to perform the following tasks related to the Symantec CA:

  • Configure Symantec as a PKI provider.

  • View or refresh Symantec certificates.

  • Export Symantec certificates.

Once communication with Symantec is successfully established, you can define which certificate to deploy to computers or mobile devices. For more information on how to issue Symantec certificates to computers and mobile devices, see the following Knowledge Base article:

Issuing Symantec Certificates to Computers and Mobile Devices in Jamf Pro

Note: Inventory information for a user must be complete to properly issue a Symantec certificate to a computer or mobile device. If the inventory information for a user in Jamf Pro is incomplete, Symantec certificates will not be issued, or will be issued with missing attributes.

Requirements

To integrate with Symantec as a CA, you need:

  • Symantec Managed PKI service

  • Web browser with Symantec PKI Client

  • Administrator certificate from Symantec added to your local keychain

Configure Symantec as a PKI Provider

Adding Symantec as a PKI Provider allows you to add Symantec certificates in Jamf Pro and issue them to computers and mobile devices.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. Click the Certificate Authority tab, and then click Configure New Certificate Authority.

  6. Select Symantec. Follow the onscreen instructions to configure Symantec as the PKI provider.

The newly configured CA is listed on the Certificate Authorities pane.

View or Refresh Symantec Certificates

You can view the following information for a certificate issued by Symantec:

  • Subject name

  • Serial number

  • Device name associated with certificate

  • Username associated with certificate

  • CA Configuration name

  • Date/time issued

  • Expiration date/time

  • Status

  • Configuration profiles associated with the certificate

In Jamf Pro, you can also refresh the status of a certificate issued by Symantec. Refreshing a certificate starts communication between Jamf Pro and Symantec to display the current status of the certificate.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. To view a list of Expiring, Active, Inactive or All certificates, click the number displayed in the corresponding column on the Certificate Authorities pane.
    A list of certificates issued by Symantec is displayed.

  6. Click on the certificate subject of the certificate you want to view.
    Information about the certificate is displayed.

  7. To refresh the certificate status, click Refresh Certificate Status.
    The status of the certificate is displayed as Active, Revoked or Expired.

  8. Click Done to return to the list of certificates.

Export Symantec Certificates

The Symantec certificates displayed in PKI Certificates can be exported from Jamf Pro to the following file formats:

  • Comma-separated values file (.csv)

  • Tab delimited text file (.txt)

  • XML file

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. To view a list of Expiring, Active, Inactive or All certificates, click the number displayed in the corresponding column on the Certificate Authorities pane.
    A list of all certificates issued by Symantec is displayed.

  6. Click Export.

  7. Select the appropriate file format to use for the export and click Next.
    The export begins immediately.

  8. Once the certificates have been exported, click Done.

Integrating with an External CA

If you are using an organizational or third-party CA that supports SCEP, you can use it to issue management certificates to computers and mobile devices. When a device that needs a certificate checks in with Jamf Pro, it communicates with the SCEP server to obtain the certificate.

Note: If you do not want computers or mobile devices to communicate directly with a SCEP server and you are using an external CA, you can use Jamf Pro to obtain management certificates from the SCEP server and install them on devices during enrollment. You can also enable Jamf Pro as SCEP Proxy to issue device certificates via configuration profiles. For more information, see the Enabling Jamf Pro as SCEP Proxy technical paper.

Integrating an external CA with Jamf Pro involves the following steps:

  • Specify SCEP parameters for the external CA.

  • Upload a signing certificate and CA certificate for the external CA.

Note: If you need to make changes to your organizational or third-party CA in Jamf Pro, it is recommended that you contact your Jamf account representative. Changes to the PKI could lead to re-enrolling the mobile devices in your environment.

Specifying SCEP Parameters for an External CA

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. Click the Management Certificate Template tab, and then click External CA.

  6. Click Edit.

  7. Select the Use External Certificate Authority checkbox.
    Note: When this option is selected, you can enable Jamf Pro as SCEP Proxy for device enrollment. (For more information, see the Enabling Jamf Pro as SCEP Proxy technical paper.)

  8. Use the External CA pane to specify SCEP parameters.

  9. Choose the type of challenge password to use from the Challenge Type pop-up menu:

    • If you want all computers and mobile devices to use the same challenge password, choose “Static” and specify a challenge password.
      The challenge password will be used as the pre-shared secret for automatic enrollment.

    • If you are using a non-Microsoft CA and you want each computer and mobile device to use a unique challenge password, choose “Dynamic”.
      The Dynamic challenge type requires use of the Jamf API and membership in the Jamf Developer Program. Before selecting this option, contact your Jamf account representative to learn more about the Jamf Developer Program and the additional steps you need to take to use this option.

    • If you are using a Microsoft CA and you want each computer and mobile device to use a unique challenge password, choose “Dynamic-Microsoft CA”.

    Note: If you choose the “Dynamic” or “Dynamic-Microsoft CA” challenge type, you must use user-initiated enrollment to enroll computers and mobile devices so that a unique challenge password is used for each device. For more information, see User-Initiated Enrollment for Computers and User-Initiated Enrollment for Mobile Devices.

  10. Click Save.

Uploading Signing and CA Certificates for an External CA

To integrate an external CA with Jamf Pro, you need to provide the signing and CA certificates for the external CA. This is done by uploading a signing certificate keystore (.jks or .p12) to Jamf Pro that contains both certificates.

Note: By default, Jamf Pro uses the signing and CA certificates for the Jamf Pro built-in CA. You must replace these certificates with the ones for the external CA when you initially set up the integration.

An assistant guides you through the process of uploading the keystore that contains the signing and CA certificates.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. Click the Management Certificate Template tab, and then click External CA.

  6. At the bottom of the External CA pane, click Change Signing and CA Certificates.

  7. Follow the onscreen instructions to upload the signing and CA certificates for the external CA.

Related Information

For related information, see the following section in this guide:

Push Certificates
Learn how to create a push certificate and upload it to Jamf Pro so Jamf Pro can communicate with Apple Push Notification service (APNs).

For related information, see the following Knowledge Base articles:

© copyright 2002-2017 Jamf. All rights reserved.