PKI Certificates

The PKI Certificates settings allow you to manage the certificate lifecycle directly in Jamf Pro. To ensure secure communication with the Apple Push Notification service (APNs), Jamf Pro requires a public key infrastructure (PKI) that supports certificate-based authentication. The PKI must include the following components:

  • A certificate authority (CA)

  • A signing certificate

  • A CA certificate

For more information on PKI and its components, see Security.

When configuring the PKI Certificates settings, you can choose the following options for the CA:

  • Use a built-in CA.

  • Integrate with a trusted third-party CA (DigiCert or Active Directory Certificate Services).

  • Configure your own PKI if you have access to an external CA that supports the Simple Certificate Enrollment Protocol (SCEP).

Note: If you do not want computers or mobile devices to communicate directly with a SCEP server, you can enable Jamf Pro to proxy this communication between a SCEP server and the devices in your environment. For more information, see the Enabling Jamf Pro as SCEP Proxy technical paper.

The PKI Certificates settings in Jamf Pro allow you to perform the following tasks:

  • View a list of active, expiring, inactive, or all certificates issued by a CA.

  • Add a PKI certificate authority to the Jamf Pro Dashboard.

  • View details of a specific certificate that was issued.

  • Export a certificate list for a CA.

Using the Built-in CA

There is no configuration necessary to use the built-in CA—the signing and CA certificates are created and stored for you. The built-in CA is used by default to issue certificates to both computers and mobile devices. When devices that need a certificate check in with Jamf Pro, the device communicates with the SCEP server to obtain the certificate.

Note: If you do not want computers or mobile devices to communicate directly with a SCEP server and you are using the built-in CA, you can enable Jamf Pro as SCEP Proxy to issue device certificates via configuration profiles. For more information, see the Enabling Jamf Pro as SCEP Proxy technical paper.

You can use the PKI Certificates settings in Jamf Pro to perform the following tasks related to the built-in CA:

  • Download the built-in CA certificate.

  • View and revoke certificates issued by the built-in CA.

  • Create certificates using a Certificate Signing Request (CSR).

  • Create a backup of the built-in CA certificate.

Downloading the Built-in CA Certificate

You can use the PKI Certificates settings in Jamf Pro to download the CA certificate issued by the built-in CA.

Note: The CA certificate issued by the built-in CA is also stored in the System keychain in Keychain Access.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. Click the Management Certificate Template tab, and then click Built-in CA.

  6. Click Download CA Certificate.

The certificate (.pem) downloads immediately.

Viewing or Revoking Built-in CA Certificates

You can view the following information for a certificate issued by the built-in CA:

  • Subject name

  • Serial number

  • Device name associated with the certificate

  • Username associated with certificate

  • CA configuration name

  • Date/time issued

  • Expiration date/time

  • Status

  • Date/time revoked (if applicable)

You can also revoke a certificate issued by the built-in CA.

Warning: Revoking a certificate stops communication between Jamf Pro and the computer or mobile device that the certificate was issued to. You will need to re-enroll the computer or device to restore communication.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. To view a list of Expiring, Active, Inactive or All certificates, click the number displayed in the corresponding column on the Certificate Authorities pane.
    A list of certificates issued by the built-in CA is displayed.

  6. Click the certificate subject of the certificate you want to view or revoke.
    Information about the certificate is displayed.

  7. To revoke the certificate, click Revoke.
    The status of the certificate is changed to Revoked.

  8. Click Done to return to the list of built-in certificates.

Manually Creating a Built-in CA Certificate from a CSR

Depending on your environment, you may need to manually create a certificate from a certificate signing request (CSR). For example, you may need to do this if you have a clustered environment with Tomcat configured for working behind a load balancer. You can create this certificate using the PKI Certificates settings in Jamf Pro.

Note: The certificate created from the CSR is intended solely for purposes of communication between Jamf Pro and a managed computer or mobile device.

To create a certificate from a CSR, you need a request in Base64-encoded PEM format.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. Click the Management Certificate Template tab, and then click Built-in CA.

  6. Click Create Certificate from CSR.

  7. In the CSR field, paste the CSR.
    The request must begin with
    -----BEGIN CERTIFICATE REQUEST-----
    and end with
    -----END CERTIFICATE REQUEST-----

  8. Click Create.
    The certificate (.pem) is downloaded immediately.

  9. Click Back to return to the Built-in CA pane.
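Before pasting a request into the CSR field, it is worth checking that what you have is a complete, correctly framed PEM request rather than a certificate or a request that lost a line in copy/paste. The following Python script is an added example, not Jamf's code; it validates the BEGIN/END labels the guide requires, decodes the Base64 body, and checks the length declared by the outer DER SEQUENCE against the bytes actually present, which is what a missing or duplicated line breaks. The sample request it builds is a constructed stand-in (a structurally valid SEQUENCE, not a real signed CSR).

```python
import base64
import binascii
import re

# The exact labels the guide requires (RFC 7468 framing, five hyphens each side).
BEGIN = "-----BEGIN CERTIFICATE REQUEST-----"
END = "-----END CERTIFICATE REQUEST-----"
_B64_BODY = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def der_sequence(payload):
    """Wrap payload in a DER SEQUENCE (tag 0x30); used to build the sample."""
    return b"\x30" + _der_length(len(payload)) + payload


def to_pem(der):
    """Render DER bytes as a PEM request with 64-column base64 lines."""
    body = base64.b64encode(der).decode("ascii")
    chunks = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([BEGIN, *chunks, END]) + "\n"


def check_csr_pem(text):
    """Return (ok, reason). ok is True only for a well-framed, intact PEM CSR."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) < 3:
        return False, "too short to be a PEM request"
    if lines[0] != BEGIN:
        return False, f"first line must be {BEGIN}, got {lines[0]!r}"
    if lines[-1] != END:
        return False, f"last line must be {END}, got {lines[-1]!r}"
    body = "".join(lines[1:-1])
    if not _B64_BODY.match(body):
        return False, "body contains characters outside the base64 alphabet"
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"base64 decoding failed: {exc}"
    # A CertificationRequest is a DER SEQUENCE; compare its declared length
    # with what was actually pasted to catch a missing or duplicated line.
    if len(der) < 2 or der[0] != 0x30:
        return False, "decoded data does not start with a DER SEQUENCE"
    if der[1] < 0x80:
        header, length = 2, der[1]
    else:
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False, "malformed DER length"
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        return False, (f"DER SEQUENCE declares {length} bytes but {len(der) - header} "
                       "follow: the pasted request is truncated or corrupted")
    return True, f"well-formed PEM CSR ({len(der)} DER bytes)"


def drop_line(pem, index):
    """Remove one line from a PEM block (simulates a bad copy/paste)."""
    lines = pem.splitlines()
    del lines[index]
    return "\n".join(lines) + "\n"


# Constructed stand-in for a CertificationRequest body (not a real CSR): a
# version INTEGER followed by a 200-byte OCTET STRING, long enough to span
# several PEM lines so that the truncation check has something to catch.
SAMPLE_PAYLOAD = b"\x02\x01\x00" + b"\x04\x81\xc8" + bytes(range(200))
SAMPLE_CSR = to_pem(der_sequence(SAMPLE_PAYLOAD))
TRUNCATED_CSR = drop_line(SAMPLE_CSR, 2)               # second base64 line missing
FOUR_DASH_CSR = SAMPLE_CSR.replace("-----", "----")    # wrong framing
WRONG_LABEL = SAMPLE_CSR.replace("CERTIFICATE REQUEST", "CERTIFICATE")

if __name__ == "__main__":
    for name, pem in [("sample", SAMPLE_CSR), ("truncated", TRUNCATED_CSR),
                      ("four-dash", FOUR_DASH_CSR), ("certificate label", WRONG_LABEL)]:
        print(name, check_csr_pem(pem))
```

The check is deliberately structural only: it does not verify the request's signature or inspect the subject, so a request that passes is syntactically complete but still needs the usual review of its contents before you sign it with the built-in CA.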

Creating a Backup of the Built-in CA Certificate

It is recommended that you create a password-protected backup of the CA certificate issued by the built-in CA and store it in a secure location.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. Click the Management Certificate Template tab, and then click Built-in CA.

  6. Click Create CA Backup.

  7. Create and verify a password to secure the backup of the built-in CA certificate.
    You will need to enter this password to restore the certificate backup.

  8. Click Create Backup.
    The backup file (.p12) is downloaded immediately.

  9. Click Back to return to the Built-in CA pane.

Integrating with a Trusted Third-Party CA

In Jamf Pro, you can add DigiCert or Active Directory Certificate Services (AD CS) as a certificate authority.

DigiCert

DigiCert certificates are managed in Jamf Pro using the DigiCert PKI Platform service.

Use the PKI Certificates settings in Jamf Pro to perform the following tasks:

  • Configure DigiCert as a PKI provider.

  • Enable automatic certificate revocation.

  • View certificates.

  • Refresh DigiCert certificates.

  • Export DigiCert certificates.

After communication with the PKI provider is successfully established, you can define which certificate to deploy to computers or mobile devices. For more information on how to issue DigiCert certificates to computer and mobile devices, see the Issuing DigiCert Certificates to Computers and Mobile Devices in Jamf Pro Knowledge Base article.

Note: Inventory information for a user must be complete to properly issue a DigiCert certificate to a computer or mobile device. If there is incomplete data in inventory information for a user in Jamf Pro, DigiCert certificates will be issued with "N/A" recorded for the missing attributes.

Requirements

To integrate with DigiCert as a CA, you need:

  • DigiCert Managed PKI service

  • Web browser with DigiCert PKI Manager

  • Administrator certificate from DigiCert added to your local keychain

Automatic Certificate Revocation

You can enable automatic certificate revocation when configuring DigiCert as a PKI provider in Jamf Pro. You can also enable automatic certificate revocation on an existing DigiCert PKI integration.

When automatic certificate revocation is enabled, DigiCert certificates that were delivered to computers or mobile devices by configuration profiles in Jamf Pro are revoked automatically. The scope of the configuration profile is the trigger: when a device falls out of scope, the certificates that profile delivered are revoked.

For example, you can create a custom extension attribute with an "active" or "inactive" status to collect user status information, perhaps for their employment status. You then add the custom extension attribute to a smart group's criteria and add the smart group to the scope of a configuration profile. If a user's status changes to "inactive", the user's devices fall out of scope, and DigiCert certificates are automatically revoked from the computers and mobile devices assigned to that user.

For more information about extension attributes, see the following sections in this guide:

When a scope change occurs, the request to revoke certificates is sent to the DigiCert PKI Platform according to the following rules:

  • If there are fewer than 100 revocations, the revocation requests are sent 30 seconds after the first configuration profile is set to be removed.

  • If there are 100 or more revocations, the first 100 revocation requests are sent immediately. Subsequent revocation requests are sent immediately in groups of 100; a final group of fewer than 100 is deferred for 30 seconds.
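The following Python model is an added example, not Jamf's code, that works through the chain described above: an inventory update changes extension attribute values, devices whose value is no longer "active" drop out of the smart group and therefore out of the profile's scope, and the resulting revocation requests are dispatched according to the two batching rules. The fleet, the extension attribute values and the smart group criterion ("value equals active") are constructed assumptions; the second scenario shows why the automatic revocation should be planned carefully, since a broken extension attribute script that reports nothing for every device empties the scope and queues a revocation for the whole fleet.

```python
BATCH_SIZE = 100       # revocation requests sent immediately per group
DEFER_SECONDS = 30     # delay applied to a partial group (fewer than 100)


def plan_revocation_dispatch(pending):
    """Model the dispatch schedule for `pending` revocation requests.

    Returns (count, delay_seconds) groups in send order: full groups of 100
    go out immediately, and a final group of fewer than 100 waits 30 seconds.
    """
    if pending < 0:
        raise ValueError("pending must be non-negative")
    plan = []
    remaining = pending
    while remaining >= BATCH_SIZE:
        plan.append((BATCH_SIZE, 0))
        remaining -= BATCH_SIZE
    if remaining:
        plan.append((remaining, DEFER_SECONDS))
    return plan


def simulate_scope_change(previous_members, inventory):
    """Apply one inventory update to a smart group whose only criterion is
    'extension attribute value is "active"' and return
    (devices_that_dropped_out_of_scope, dispatch_plan).

    `inventory` maps device name -> latest reported extension attribute value.
    Any value other than "active" (including the empty string a failing
    extension attribute script would report) takes the device out of scope,
    which is what triggers the revocation.
    """
    still_in_scope = {dev for dev, value in inventory.items() if value == "active"}
    dropped = sorted(dev for dev in previous_members if dev not in still_in_scope)
    return dropped, plan_revocation_dispatch(len(dropped))


# Constructed sample fleet: 250 computers, all currently in scope (assumed).
FLEET = [f"mac-{i:04d}" for i in range(250)]


def example_offboarding():
    """Seven users are marked inactive: 7 revocations, sent after 30 seconds."""
    inventory = {dev: "active" for dev in FLEET}
    for dev in FLEET[:7]:
        inventory[dev] = "inactive"
    return simulate_scope_change(set(FLEET), inventory)


def example_broken_extension_attribute():
    """The extension attribute script reports an empty value for everyone:
    the whole fleet falls out of scope, so 100 + 100 requests go immediately
    and the remaining 50 follow 30 seconds later."""
    inventory = {dev: "" for dev in FLEET}
    return simulate_scope_change(set(FLEET), inventory)


if __name__ == "__main__":
    print("offboarding:", example_offboarding()[1])
    print("broken EA:  ", example_broken_extension_attribute()[1])
```

Because revocation stops the device from using the certificate and the guide's own warning notes that re-enrollment may be needed, a useful control is to test a new extension attribute script on a small smart group before it becomes a scope criterion, and to watch for a sudden drop in smart group membership, which in this model is the direct precursor of a mass revocation.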

Configuring DigiCert as a PKI Provider

Adding DigiCert as a PKI Provider allows you to add certificates in Jamf Pro and issue them to computers and mobile devices.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. Click the Certificate Authorities tab, and then click Configure New Certificate Authority.

  6. Select DigiCert.

  7. Follow the onscreen instructions to configure the PKI provider.

The newly configured CA is listed on the Certificate Authorities pane.

Enabling Automatic Certificate Revocation for an Existing DigiCert PKI Integration

In Jamf Pro, you can enable or disable automatic certificate revocation for existing DigiCert PKI integrations.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. Click View in the Manage CA column.

  6. Click Edit.

  7. To enable automatic certificate revocation, select Enable automatic certificate revocation (default). To disable automatic certificate revocation, select Disable automatic certificate revocation.

  8. Click Save.

Viewing DigiCert Certificates

You can view the following information for a certificate:

  • Subject name

  • Serial number

  • Device name associated with certificate

  • Username associated with certificate

  • CA Configuration name

  • Date/time issued

  • Expiration date/time

  • Status

  • State

  • Configuration profiles associated with the certificate

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. To view a list of Expiring, Active, Inactive or All certificates, click the number displayed in the corresponding column on the Certificate Authorities pane.
    A list of certificates issued by DigiCert is displayed.

  6. Click on the certificate subject of the certificate you want to view.
    Information about the certificate is displayed.

  7. Click Done to return to the list of certificates.

Note: You can also view a record of revoked certificates in the jamfsoftwareserver.log file. For more information, see Jamf Pro Server Logs in this guide.

Refreshing DigiCert Certificates

In Jamf Pro, you can also refresh the status of a certificate issued by DigiCert. Refreshing a certificate starts communication between Jamf Pro and DigiCert to display the current status of the certificate.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. To view a list of Expiring, Active, Inactive or All certificates, click the number displayed in the corresponding column on the Certificate Authorities pane.
    A list of certificates issued by DigiCert is displayed.

  6. Click on the certificate subject of the certificate you want to view.
    Information about the certificate is displayed.

  7. To refresh the certificate status, click Refresh Certificate Status.
    The status of the certificate is displayed as Active, Revoked or Expired.

  8. Click Done to return to the list of certificates.

Exporting DigiCert Certificates

The DigiCert certificates displayed in PKI Certificates can be exported from Jamf Pro to the following file formats:

  • Comma-separated values file (.csv)

  • Tab delimited text file (.txt)

  • XML file

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. To view a list of Expiring, Active, Inactive or All certificates, click the number displayed in the corresponding column on the Certificate Authorities pane.
    A list of all certificates issued by DigiCert is displayed.

  6. Click Export.

  7. Select the appropriate file format to use for the export and click Next.
    The export begins immediately.

  8. Once the certificates have been exported, click Done.
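An exported .csv is the easiest place to run lifecycle checks outside the console, such as finding certificates that expire soon or that the list still shows as Active even though their expiration date has passed (the status the guide describes refreshing). The following Python script is an added example, not Jamf's code. The column headers, the timestamp layout and all rows in the sample export are constructed assumptions based on the fields the certificate view lists; adjust the constants at the top to match the header of a real export.

```python
import csv
import io
from datetime import datetime, timedelta

# Assumed column names, taken from the fields the certificate view lists; the
# real export header may differ, so adjust these to match your file.
SUBJECT = "Subject name"
SERIAL = "Serial number"
EXPIRES = "Expiration date/time"
STATUS = "Status"
# Assumed timestamp layout for the constructed sample below.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample export (not real data).
SAMPLE_EXPORT = """\
Subject name,Serial number,Device name,Username,CA configuration name,Date/time issued,Expiration date/time,Status,State
CN=mac-0001,1A2B,mac-0001,jdoe,DigiCert Corp,2018-06-10 09:00:00,2019-06-10 09:00:00,Active,Issued
CN=mac-0002,1A2C,mac-0002,asmith,DigiCert Corp,2018-09-01 09:00:00,2019-09-01 09:00:00,Active,Issued
CN=ipad-0007,1A2D,ipad-0007,bchen,DigiCert Corp,2018-01-15 09:00:00,2019-01-15 09:00:00,Revoked,Revoked
CN=mac-0003,1A2E,mac-0003,dlee,DigiCert Corp,2018-05-20 09:00:00,2019-05-20 09:00:00,Active,Issued
"""
# Fixed "current time" for the constructed sample, so results are reproducible.
SAMPLE_NOW = datetime(2019, 6, 1, 9, 0, 0)


def parse_export(csv_text):
    """Parse the export and attach a datetime for each row's expiration."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["_expires"] = datetime.strptime(row[EXPIRES], TIME_FORMAT)
        rows.append(row)
    return rows


def triage_export(csv_text, now, within_days=30):
    """Classify exported certificates.

    expiring: Active and expiring within `within_days` (with days left)
    stale:    Active in the export but already past expiration (needs a status refresh)
    revoked:  listed with Status Revoked
    """
    cutoff = now + timedelta(days=within_days)
    expiring, stale, revoked = [], [], []
    for row in parse_export(csv_text):
        key = (row[SUBJECT], row[SERIAL])
        days_left = (row["_expires"] - now).days
        if row[STATUS] == "Revoked":
            revoked.append(key)
        elif row[STATUS] == "Active" and row["_expires"] <= now:
            stale.append(key + (days_left,))
        elif row[STATUS] == "Active" and row["_expires"] <= cutoff:
            expiring.append(key + (days_left,))
    expiring.sort(key=lambda item: item[2])
    return {"expiring": expiring, "stale": stale, "revoked": revoked}


def example_triage():
    """Run the triage over the constructed sample at the fixed sample time."""
    return triage_export(SAMPLE_EXPORT, SAMPLE_NOW)


if __name__ == "__main__":
    for bucket, items in example_triage().items():
        print(bucket, items)
```

Rows in the stale bucket are the ones to refresh with Refresh Certificate Status before acting on them, since the export reflects the last status Jamf Pro recorded rather than DigiCert's current view.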

AD CS

Use the PKI Certificates settings in Jamf Pro to perform the following tasks:

  • Configure AD CS as a PKI provider.

  • View certificates.

After communication with the PKI provider is successfully established, you can use AD CS as the CA to distribute certificates via configuration profiles. You can also distribute in-house apps developed with the Jamf Certificate SDK, which use these certificates to establish identities for certificate-based authentication, such as Single Sign-On (SSO) or other actions specific to your environment.

For more information, see the Integrating with Active Directory Certificate Services (AD CS) Using Jamf Pro technical paper.

Requirements

To integrate with AD CS as a CA, you must install the Jamf AD CS Connector. For more information, see the Jamf AD CS Connector Installation Guide.

Configuring AD CS as a PKI Provider

Adding AD CS as a PKI Provider allows you to add certificates in Jamf Pro and issue them to computers and mobile devices.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. Click the Certificate Authorities tab, and then click Configure New Certificate Authority.

  6. Select Active Directory Certificate Services (AD CS).

  7. Follow the onscreen instructions to configure the PKI provider.

The newly configured CA is listed on the Certificate Authorities pane.

Viewing AD CS Certificates

You can view the following information for a certificate:

  • Subject name

  • Serial number

  • Device name associated with certificate

  • Username associated with certificate

  • CA Configuration name

  • Date/time issued

  • Expiration date/time

  • Status

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. To view a list of Expiring, Active, Inactive or All certificates, click the number displayed in the corresponding column on the Certificate Authorities pane.

  6. Click on the certificate subject of the certificate you want to view.
    Information about the certificate is displayed.

  7. Click Done to return to the list of certificates.

Integrating with an External CA

If you are using an organizational or third-party CA that supports SCEP, you can use it to issue management certificates to computers and mobile devices. When devices that need a certificate check in with Jamf Pro, the device communicates with the SCEP server to obtain the certificate.

Note: If you do not want computers or mobile devices to communicate directly with a SCEP server and you are using an external CA, you can use Jamf Pro to obtain management certificates from the SCEP server and install them on devices during enrollment. You can also enable Jamf Pro as SCEP Proxy to issue device certificates via configuration profiles. For more information, see the Enabling Jamf Pro as SCEP Proxy technical paper.

Integrating an external CA with Jamf Pro involves the following steps:

  • Specify SCEP parameters for the external CA.

  • Upload a signing certificate and CA certificate for the external CA.

Note: If you need to make changes to your organizational or third-party CA in Jamf Pro, it is recommended that you contact your Jamf account representative. Changes to the PKI could lead to re-enrolling the mobile devices in your environment.

Specifying SCEP Parameters for an External CA

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. Click the Management Certificate Template tab, and then click External CA.

  6. Click Edit.

  7. Use the External CA pane to specify SCEP parameters.

  8. Choose the type of challenge password to use from the Challenge Type pop-up menu:

    • If you want all computers and mobile devices to use the same challenge password, choose “Static” and specify a challenge password.
      The challenge password will be used as the pre-shared secret for automatic enrollment.

    • If you are using a non-Microsoft CA and you want each computer and mobile device to use a unique challenge password, choose “Dynamic”.
      The Dynamic challenge type requires use of the Classic API and membership in the Jamf Developer Program. The Dynamic challenge uses the "Fingerprint" or "Thumbprint" to authenticate the user instead of a username and password. The Thumbprint hash value for the Fingerprint field in Jamf Pro can be found on the profile you receive. Before selecting this option, contact your Jamf account representative to learn more about the Jamf Developer Program and the additional steps you need to take to use this option.

    • If you are using a Microsoft CA and you want each computer and mobile device to use a unique challenge password, choose “Dynamic-Microsoft CA”.

    • If you are using an Entrust CA, choose "Dynamic-Entrust".

      Note: If you enable Jamf Pro as SCEP Proxy and you are integrating with an Entrust CA, there are additional steps you need to take to distribute certificates via configuration profiles. For more information, see the Enabling Jamf Pro as SCEP Proxy technical paper.

    Note: If you choose the “Dynamic” or “Dynamic-Microsoft CA” challenge type, you must use user-initiated enrollment to enroll computers and mobile devices so that a unique challenge password is used for each device. For more information, see User-Initiated Enrollment for Computers and User-Initiated Enrollment for Mobile Devices.

  9. Click Save.

Uploading Signing and CA Certificates for an External CA

To integrate an external CA with Jamf Pro, you need to provide the signing and CA certificates for the external CA. This is done by uploading a signing certificate keystore (.jks or .p12) to Jamf Pro that contains both certificates. For information about how to obtain and download a SCEP Proxy signing certificate from a Microsoft CA, see the following Knowledge Base articles:

Note: By default, Jamf Pro uses the signing and CA certificates for the Jamf Pro built-in CA. You must replace these certificates with the ones for the external CA when you initially set up the integration.

An assistant guides you through the process of uploading the keystore that contains the signing and CA certificates.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. Click the Management Certificate Template tab, and then click External CA.

  6. At the bottom of the External CA pane, click Change Signing and CA Certificates.

  7. Follow the onscreen instructions to upload the signing and CA certificates for the external CA.

Related Information

For related information, see the following section in this guide:

Push Certificates
Learn how to create a push certificate and upload it to Jamf Pro so Jamf Pro can communicate with Apple Push Notification service (APNs).

For related information, see the following Knowledge Base articles:

© copyright 2002-2019 Jamf. All rights reserved.