PKI Certificates

The PKI Certificates settings allow you to manage the certificate lifecycle directly in Jamf Pro. Jamf Pro requires a public key infrastructure (PKI) that supports certificate-based authentication so that managed computers and mobile devices can identify themselves to Jamf Pro securely; the push certificate that Jamf Pro uses to communicate with the Apple Push Notification service (APNs) is managed separately (see Push Certificates under Related Information). The PKI must include the following components:

  • A certificate authority (CA)

  • A signing certificate

  • A CA certificate

For more information on PKI and its components, see Security.

When configuring the PKI Certificates settings, you can choose the following options for the CA:

  • Use a built-in CA.

  • Integrate with a trusted third-party CA (Symantec or Active Directory Certificate Services).

  • Configure your own PKI if you have access to an external CA that supports the Simple Certificate Enrollment Protocol (SCEP).

Note: If you do not want computers or mobile devices to communicate directly with a SCEP server, you can enable Jamf Pro to proxy this communication between a SCEP server and the devices in your environment. For more information, see the Enabling Jamf Pro as SCEP Proxy technical paper.


The PKI Certificates settings in Jamf Pro allow you to perform the following tasks:

  • View a list of active, expiring, inactive or all certificates issued by a CA.

  • Add a PKI certificate authority to the Jamf Pro Dashboard.

  • View details of a specific certificate that was issued.

  • Export a certificate list for a CA.

Using the Built-in CA

There is no configuration necessary to use the built-in CA: the signing and CA certificates are created and stored for you. The built-in CA is used by default to issue certificates to both computers and mobile devices. When a device that needs a certificate checks in with Jamf Pro, it communicates with the SCEP server to obtain the certificate.

Note: If you do not want computers or mobile devices to communicate directly with a SCEP server and you are using the built-in CA, you can enable Jamf Pro as SCEP Proxy to issue device certificates via configuration profiles. For more information, see the Enabling Jamf Pro as SCEP Proxy technical paper.

You can use the PKI Certificates settings in Jamf Pro to perform the following tasks related to the built-in CA:

  • Download the built-in CA certificate.

  • View and revoke certificates issued by the built-in CA.

  • Create certificates using a Certificate Signing Request (CSR).

  • Create a backup of the built-in CA certificate.

Downloading the Built-in CA Certificate

You can use the PKI Certificates settings in Jamf Pro to download the CA certificate issued by the built-in CA.

Note: The CA certificate issued by the built-in CA is also stored in the System keychain in Keychain Access.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. Click the Management Certificate Template tab, and then click Built-in CA.

  6. Click Download CA Certificate.

The certificate (.pem) downloads immediately.

Viewing or Revoking Built-in CA Certificates

You can view the following information for a certificate issued by the built-in CA:

  • Subject name

  • Serial number

  • Device name associated with the certificate

  • Username associated with certificate

  • CA configuration name

  • Date/time issued

  • Expiration date/time

  • Status

  • Date/time revoked (if applicable)

You can also revoke a certificate issued by the built-in CA.

Warning: Revoking a certificate stops communication between Jamf Pro and the computer or mobile device that the certificate was issued to. You will need to re-enroll the computer or device to restore communication.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. To view a list of Expiring, Active, Inactive or All certificates, click the number displayed in the corresponding column on the Certificate Authorities pane.
    A list of certificates issued by the built-in CA is displayed.

  6. Click the certificate subject of the certificate you want to view or revoke.
    Information about the certificate is displayed.

  7. To revoke the certificate, click Revoke.
    The status of the certificate is changed to Revoked.

  8. Click Done to return to the list of built-in certificates.

Manually Creating a Built-in CA Certificate from a CSR

Depending on your environment, you may need to manually create a certificate from a certificate signing request (CSR). For example, you may need to do this if you have a clustered environment with Tomcat configured for working behind a load balancer. You can create this certificate using the PKI Certificates settings in Jamf Pro.

Note: The certificate created from the CSR is intended solely for purposes of communication between Jamf Pro and a managed computer or mobile device.

To create a certificate from a CSR, you need a request in Base64-encoded PEM format.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. Click the Management Certificate Template tab, and then click Built-in CA.

  6. Click Create Certificate from CSR.

  7. In the CSR field, paste the CSR.
    The request must begin with
    -----BEGIN CERTIFICATE REQUEST-----
    and end with
    -----END CERTIFICATE REQUEST-----

  8. Click Create.
    The certificate (.pem) is downloaded immediately.

  9. Click Back to return to the Built-in CA pane.
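Two of the steps above hand you or ask you for PEM text: the CA certificate you download (a .pem file) and the CSR you paste into Create Certificate from CSR. The following is an added example, not code from Jamf Pro or this guide, that does the checks a practitioner would want on both before trusting or pasting them: it parses a PEM block, refuses a block whose BEGIN and END labels do not match, computes the SHA-256 fingerprint of the downloaded CA certificate in the same colon-separated form that `openssl x509 -noout -fingerprint -sha256` prints (so you can compare it against what devices trust), and verifies that a CSR really is PKCS#10 structure (outer SEQUENCE, certificationRequestInfo SEQUENCE, version INTEGER 0) rather than a certificate or private key pasted by mistake. The sample DER below is constructed to be the smallest body that passes the structural check; a real CSR from `openssl req -new` is larger but has the same prefix. Standard library only.

```python
"""Checks on the PEM files handled by the PKI Certificates settings:
the downloaded built-in CA certificate and a CSR about to be pasted in.
Added example; standard library only; sample input is constructed."""
import base64
import hashlib
import re

# One PEM block: BEGIN/END labels must match, body is Base64 (whitespace allowed).
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    r"-----END (?P=label)-----"
)


def parse_pem(text):
    """Return (label, der_bytes) for the first PEM block in text.
    Raises ValueError if the armor lines are missing/mismatched or the Base64 is bad."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no well-formed PEM block (BEGIN/END labels must match)")
    body = re.sub(r"\s+", "", m.group("body"))
    return m.group("label"), base64.b64decode(body, validate=True)


def fingerprint_der(der):
    """SHA-256 of the DER bytes, formatted like `openssl x509 -noout -fingerprint -sha256`."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def ca_cert_fingerprint(pem_text):
    """Fingerprint of a downloaded CA certificate; refuses anything that is not a CERTIFICATE block."""
    label, der = parse_pem(pem_text)
    if label != "CERTIFICATE":
        raise ValueError(f"expected a CERTIFICATE block, got {label}")
    return fingerprint_der(der)


def _der_header(buf, pos):
    """Decode one DER tag/length at pos; return (tag, length, offset of first content byte)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, first, pos + 2
    n = first & 0x7F                       # long form: n following bytes hold the length
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, length, pos + 2 + n


def check_csr_pem(pem_text):
    """Validate a CSR before pasting it into Jamf Pro: right label, valid Base64, and a DER
    body that starts like PKCS#10: SEQUENCE { SEQUENCE { INTEGER 0, ... }, ... }.
    Returns the DER length on success, raises ValueError otherwise."""
    label, der = parse_pem(pem_text)
    if label != "CERTIFICATE REQUEST":
        raise ValueError(f"expected a CERTIFICATE REQUEST block, got {label}")
    try:
        tag, length, p = _der_header(der, 0)             # CertificationRequest
        if tag != 0x30 or p + length != len(der):
            raise ValueError("outer element is not a SEQUENCE spanning the whole body")
        tag, _, p = _der_header(der, p)                  # certificationRequestInfo
        if tag != 0x30:
            raise ValueError("certificationRequestInfo is not a SEQUENCE")
        tag, length, p = _der_header(der, p)             # version
        if tag != 0x02 or der[p:p + length] != b"\x00":
            raise ValueError("PKCS#10 version must be INTEGER 0")
    except IndexError:
        raise ValueError("DER body is truncated") from None
    return len(der)


def to_pem(label, der):
    """Wrap DER bytes in PEM armor with 64-character lines (used here to build samples)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample: SEQUENCE { SEQUENCE { INTEGER 0 } }, the minimal PKCS#10 prefix.
SAMPLE_CSR_DER = b"\x30\x05\x30\x03\x02\x01\x00"
SAMPLE_CSR_PEM = to_pem("CERTIFICATE REQUEST", SAMPLE_CSR_DER)

if __name__ == "__main__":
    print("CSR DER length:", check_csr_pem(SAMPLE_CSR_PEM))
    print("fingerprint:", ca_cert_fingerprint(to_pem("CERTIFICATE", SAMPLE_CSR_DER)))
```

Run `check_csr_pem` on the text you are about to paste; a `ValueError` tells you what is wrong (wrong label, broken armor, or a body that is not a request). Run `ca_cert_fingerprint` on the downloaded .pem and compare the value with the fingerprint of the CA certificate as it appears on a managed device before relying on it in a SCEP or trust profile.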

Creating a Backup of the Built-in CA Certificate

It is recommended that you create a password-protected backup of the CA certificate issued by the built-in CA and store it in a secure location.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. Click the Management Certificate Template tab, and then click Built-in CA.

  6. Click Create CA Backup.

  7. Create and verify a password to secure the backup of the built-in CA certificate.
    You will need to enter this password to restore the certificate backup.

  8. Click Create Backup.
    The backup file (.p12) is downloaded immediately.

  9. Click Back to return to the Built-in CA pane.

Integrating with a Trusted Third-Party CA

In Jamf Pro, you can add Symantec or Active Directory Certificate Services (AD CS) as a certificate authority.

Note: Symantec certificates are managed in Jamf Pro using the Symantec Managed PKI service.

Use the PKI Certificates settings in Jamf Pro to perform the following tasks:

  • Configure Symantec or AD CS as a PKI provider.

  • View certificates.

  • Refresh Symantec certificates.

  • Export Symantec certificates.

After communication with the PKI provider is successfully established, you can do the following:

  • Symantec—Define which certificate to deploy to computers or mobile devices.
    For more information on how to issue Symantec certificates to computers and mobile devices, see the Issuing Symantec Certificates to Computers and Mobile Devices in Jamf Pro Knowledge Base article.
    Note: Inventory information for a user must be complete to properly issue a Symantec certificate to a computer or mobile device. If there is incomplete data in inventory information for a user in Jamf Pro, Symantec certificates will be issued with "N/A" recorded for the missing attributes.

  • AD CS—Distribute certificates via configuration profiles using AD CS as the CA, and distribute in-house apps developed with the Jamf Certificate SDK that use those identities for certificate-based authentication, such as Single Sign-On (SSO) or other actions specific to your environment.
    For more information, see the Integrating with Active Directory Certificate Services (AD CS) Using Jamf Pro technical paper.

Requirements

To integrate with Symantec as a CA, you need:

  • Symantec Managed PKI service

  • Web browser with Symantec PKI Manager

  • Administrator certificate from Symantec added to your local keychain

To integrate with AD CS as a CA, you must install the Jamf AD CS Connector. For more information, see the Jamf AD CS Connector Installation Guide.

Configure Symantec or AD CS as a PKI Provider

Adding Symantec or AD CS as a PKI Provider allows you to add certificates in Jamf Pro and issue them to computers and mobile devices.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. Click the Certificate Authorities tab, and then click Configure New Certificate Authority.

  6. Select Symantec or Active Directory Certificate Services (AD CS). Follow the onscreen instructions to configure the PKI provider.

The newly configured CA is listed on the Certificate Authorities pane.

View Certificates

You can view the following information for a certificate:

  • Subject name

  • Serial number

  • Device name associated with certificate

  • Username associated with certificate

  • CA Configuration name

  • Date/time issued

  • Expiration date/time

  • Status

  • (Symantec only) Configuration profiles associated with the certificate

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. To view a list of Expiring, Active, Inactive or All certificates, click the number displayed in the corresponding column on the Certificate Authorities pane.
    A list of certificates issued by the selected CA is displayed.

  6. Click on the certificate subject of the certificate you want to view.
    Information about the certificate is displayed.

  7. Click Done to return to the list of certificates.

Refresh Symantec Certificates

In Jamf Pro, you can also refresh the status of a certificate issued by Symantec. Refreshing a certificate starts communication between Jamf Pro and Symantec to display the current status of the certificate.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. To view a list of Expiring, Active, Inactive or All certificates, click the number displayed in the corresponding column on the Certificate Authorities pane.
    A list of certificates issued by Symantec is displayed.

  6. Click on the certificate subject of the certificate you want to view.
    Information about the certificate is displayed.

  7. To refresh the certificate status, click Refresh Certificate Status.
    The status of the certificate is displayed as Active, Revoked or Expired.

  8. Click Done to return to the list of certificates.

Export Symantec Certificates

The Symantec certificates displayed in PKI Certificates can be exported from Jamf Pro to the following file formats:

  • Comma-separated values file (.csv)

  • Tab delimited text file (.txt)

  • XML file

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. To view a list of Expiring, Active, Inactive or All certificates, click the number displayed in the corresponding column on the Certificate Authorities pane.
    A list of all certificates issued by Symantec is displayed.

  6. Click Export.

  7. Select the appropriate file format to use for the export and click Next.
    The export begins immediately.

  8. Once the certificates have been exported, click Done.
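An exported list is most useful when something reads it for you. The following is an added example, not code from Jamf Pro or this guide, that reviews a .csv export and sorts the certificates into three buckets: active ones expiring within a warning window (devices to re-enroll or renew before they drop off management), ones already past their expiry, and revoked ones. This page does not document the export's column headers; the names in the `COL_*` constants are assumptions modelled on the fields the certificate view shows, so check the first line of your own export and adjust them. The CSV below is constructed sample data, not a real Jamf export.

```python
"""Review a certificate list exported from PKI Certificates (.csv).
Added example; column headers and sample rows are assumptions/constructed data."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Assumed column headers (not documented on this page): match them to your export's first line.
COL_SUBJECT = "Subject Name"
COL_SERIAL = "Serial Number"
COL_DEVICE = "Device Name"
COL_EXPIRES = "Expiration Date/Time"
COL_STATUS = "Status"

# Timestamp layouts tried in order; extend if your export uses another one.
DATE_FORMATS = ("%Y-%m-%d %H:%M:%S", "%Y/%m/%d %H:%M", "%m/%d/%Y %H:%M")


def parse_when(text):
    """Parse an export timestamp into an aware UTC datetime; ValueError if no layout matches."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")


def review_export(csv_text, now, warn_days=30):
    """Return {'expiring': [...], 'expired': [...], 'revoked': [...]} of serial numbers.
    'expiring' = active and expires within warn_days of now; 'expired' = status Expired or
    expiry already in the past; each list is ordered by expiry date."""
    horizon = now + timedelta(days=warn_days)
    out = {"expiring": [], "expired": [], "revoked": []}
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    rows.sort(key=lambda r: parse_when(r[COL_EXPIRES]))
    for r in rows:
        status = r[COL_STATUS].strip().lower()
        expires = parse_when(r[COL_EXPIRES])
        serial = r[COL_SERIAL].strip()
        if status == "revoked":
            out["revoked"].append(serial)
        elif status == "expired" or expires <= now:
            out["expired"].append(serial)
        elif expires <= horizon:
            out["expiring"].append(serial)
    return out


# Constructed sample export (not real Jamf data) and a fixed reference time for it.
SAMPLE_CSV = """Subject Name,Serial Number,Device Name,Expiration Date/Time,Status
CN=macbook-0142,1A2B3C,macbook-0142,2018-07-15 09:00:00,Active
CN=ipad-0077,4D5E6F,ipad-0077,2018-06-20 12:30:00,Active
CN=macbook-0099,7A8B9C,macbook-0099,2018-05-01 00:00:00,Active
CN=macbook-0003,0D1E2F,macbook-0003,2019-03-10 08:00:00,Revoked
CN=iphone-0210,3A4B5C,iphone-0210,2019-01-01 00:00:00,Active
"""
SAMPLE_NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    report = review_export(SAMPLE_CSV, SAMPLE_NOW)
    for bucket, serials in report.items():
        print(f"{bucket:9s} {', '.join(serials) or '-'}")
```

For a real export, read the file with `open(path, newline="")` and pass `datetime.now(timezone.utc)` as `now`. Serial numbers are used as the key because the subject name (usually the device name) can be reissued to a replacement device while the old serial remains in the list.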

Integrating with an External CA

If you are using an organizational or third-party CA that supports SCEP, you can use it to issue management certificates to computers and mobile devices. When a device that needs a certificate checks in with Jamf Pro, it communicates with the SCEP server to obtain the certificate.

Note: If you do not want computers or mobile devices to communicate directly with a SCEP server and you are using an external CA, you can use Jamf Pro to obtain management certificates from the SCEP server and install them on devices during enrollment. You can also enable Jamf Pro as SCEP Proxy to issue device certificates via configuration profiles. For more information, see the Enabling Jamf Pro as SCEP Proxy technical paper.

Integrating an external CA with Jamf Pro involves the following steps:

  • Specify SCEP parameters for the external CA.

  • Upload a signing certificate and CA certificate for the external CA.

Note: If you need to make changes to your organizational or third-party CA in Jamf Pro, it is recommended that you contact your Jamf account representative. Changes to the PKI could lead to re-enrolling the mobile devices in your environment.

Specifying SCEP Parameters for an External CA

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. Click the Management Certificate Template tab, and then click External CA.

  6. Click Edit.

  7. Use the External CA pane to specify SCEP parameters.

  8. Choose the type of challenge password to use from the Challenge Type pop-up menu:

    • If you want all computers and mobile devices to use the same challenge password, choose “Static” and specify a challenge password.
      The challenge password will be used as the pre-shared secret for automatic enrollment.

    • If you are using a non-Microsoft CA and you want each computer and mobile device to use a unique challenge password, choose “Dynamic”.
      The Dynamic challenge type requires use of the Classic API and membership in the Jamf Developer Program. The Dynamic challenge uses the "Fingerprint" or "Thumbprint" to authenticate the user instead of a username and password. The Thumbprint hash value for the Fingerprint field in Jamf Pro can be found on the profile you receive. Before selecting this option, contact your Jamf account representative to learn more about the Jamf Developer Program and the additional steps you need to take to use this option.

    • If you are using a Microsoft CA and you want each computer and mobile device to use a unique challenge password, choose “Dynamic-Microsoft CA”.

    • If you are using an Entrust CA, choose "Dynamic-Entrust".
      Note: If you enable Jamf Pro as SCEP Proxy and you are integrating with an Entrust CA, there are additional steps you need to take to distribute certificates via configuration profiles. For more information, see the Enabling Jamf Pro as SCEP Proxy technical paper.

    Note: If you choose the “Dynamic” or “Dynamic-Microsoft CA” challenge type, you must use user-initiated enrollment to enroll computers and mobile devices so that a unique challenge password is used for each device. For more information, see User-Initiated Enrollment for Computers and User-Initiated Enrollment for Mobile Devices.

  9. Click Save.
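Before saving SCEP parameters for an external CA, it is worth asking the SCEP server what it supports. SCEP's GetCACaps operation (RFC 8894, section 3.5) returns a plain-text list of capability names, one per line. The challenge password chosen above travels inside the CSR, which the client encrypts to the CA's public key in the PKIOperation message, so a server that does not advertise AES and SHA-256 leaves clients on the protocol's older defaults (DES or triple DES encryption and SHA-1 or MD5 signatures), and a static challenge shared by every device is then only as secret as that cipher. The following is an added example, not code from Jamf Pro or this guide: it parses a GetCACaps response, reports missing capabilities, and includes a fetch helper for a live server. The SCEP URL in the helper's docstring is hypothetical and the two response bodies are constructed, not captured from a real server. Capability names are matched case-insensitively, which is this example's choice. Standard library only.

```python
"""Pre-flight check of an external SCEP server's advertised capabilities.
Added example; sample responses are constructed; server URL is hypothetical."""
import urllib.parse
import urllib.request

# Capability names defined in RFC 8894 section 3.5.2; anything else is ignored.
KNOWN_CAPS = {"AES", "DES3", "GetNextCACert", "POSTPKIOperation", "Renewal",
              "SHA-1", "SHA-256", "SHA-512", "SCEPStandard"}


def parse_getcacaps(body):
    """Turn a GetCACaps response body (one capability per line, CRLF or LF) into a set."""
    by_lower = {c.lower(): c for c in KNOWN_CAPS}
    caps = set()
    for line in body.splitlines():
        token = line.strip().lower()
        if token in by_lower:
            caps.add(by_lower[token])
    return caps


def assess_caps(caps):
    """Return a list of findings about weak or missing capabilities; empty means fine."""
    findings = []
    if "SHA-256" not in caps and "SHA-512" not in caps:
        findings.append("no SHA-256/SHA-512: clients fall back to SHA-1 or MD5 for PKIOperation signatures")
    if "AES" not in caps:
        findings.append("no AES: the envelope carrying the CSR and challenge password uses DES3 or single DES")
    if "POSTPKIOperation" not in caps:
        findings.append("no POSTPKIOperation: PKIOperation messages go in GET query strings and land in web/proxy logs")
    if "Renewal" not in caps:
        findings.append("no Renewal: devices cannot renew in place; plan re-enrollment before expiry")
    return findings


def fetch_getcacaps(scep_url, ca_ident=None, timeout=10):
    """Query a live server (not exercised offline). scep_url is the URL you enter in the
    External CA pane, e.g. https://scep.example.com/certsrv/mscep/mscep.dll (hypothetical).
    ca_ident is the optional CA identifier sent as the 'message' parameter."""
    params = {"operation": "GetCACaps"}
    if ca_ident:
        params["message"] = ca_ident
    url = scep_url + "?" + urllib.parse.urlencode(params)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("ascii", errors="replace")


# Constructed sample responses (not captured from a real server).
GOOD_RESPONSE = "AES\nPOSTPKIOperation\nRenewal\nSHA-256\nSHA-512\nSCEPStandard\n"
WEAK_RESPONSE = "SHA-1\nDES3\nGetNextCACert\n"

if __name__ == "__main__":
    for name, body in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        findings = assess_caps(parse_getcacaps(body))
        print(name, "->", "OK" if not findings else "; ".join(findings))
```

Against a live server, call `assess_caps(parse_getcacaps(fetch_getcacaps(url)))` from a host that can reach the SCEP endpoint; an empty HTTP body or an HTTP error means the server advertises nothing and clients treat it as supporting only the legacy defaults. If the weak findings apply and you cannot change the CA, the Dynamic challenge types above at least limit what an intercepted challenge is good for, since each device's password is used once.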

Uploading Signing and CA Certificates for an External CA

To integrate an external CA with Jamf Pro, you need to provide the signing and CA certificates for the external CA. This is done by uploading a signing certificate keystore (.jks or .p12) to Jamf Pro that contains both certificates. For information about how to obtain and download a SCEP Proxy signing certificate from a Microsoft CA, see the following Knowledge Base articles:

Note: By default, Jamf Pro uses the signing and CA certificates for the Jamf Pro built-in CA. You must replace these certificates with the ones for the external CA when you initially set up the integration.

An assistant guides you through the process of uploading the keystore that contains the signing and CA certificates.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. Click the Management Certificate Template tab, and then click External CA.

  6. At the bottom of the External CA pane, click Change Signing and CA Certificates.

  7. Follow the onscreen instructions to upload the signing and CA certificates for the external CA.

Related Information

For related information, see the following section in this guide:

Push Certificates
Learn how to create a push certificate and upload it to Jamf Pro so Jamf Pro can communicate with Apple Push Notification service (APNs).

For related information, see the following Knowledge Base articles:

© copyright 2002-2018 Jamf. All rights reserved.