PKI Certificates

The PKI Certificates settings allow you to manage the public key infrastructure needed to establish communication between computers and mobile devices and certificate authorities (CA). Jamf Pro requires a PKI that supports certificate-based authentication.

The PKI must include the following components:

  • A certificate authority (CA). You can use the built-in CA, a trusted third-party CA, or an external CA that supports SCEP.

  • A certificate authority (CA) certificate

  • A signing certificate

For more information on PKI and its components, see Security.

In addition, you can use the PKI Certificates settings to configure a JSON Web Token to secure downloads of iOS and tvOS in-house apps and books. For more information, see the Configuring a JSON Web Token to Secure Downloads of iOS and tvOS In-House Apps and Books Knowledge Base article.

Viewing and Exporting Certificates

You can view the following information for a certificate:

  • Subject name

  • Serial number

  • Device name associated with the certificate

  • Username associated with certificate

  • CA configuration name

  • Date/time issued

  • Expiration date/time

  • Status (Active or Inactive)

  • State (Issued, Expiring, Expired, or Revoked)

  • Configuration profiles associated with a third-party certificate

When you are viewing a list of certificates, you can export the list to a .csv, .txt, or XML file.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.
    A list of CAs will be displayed with the number of expiring, active, inactive, or all certificates for each CA.

  5. Click a number in the Expiring, Active, Inactive, or All column.
    A list of corresponding certificates will be displayed.

  6. Click a certificate subject to view more details about a specific certificate.
    If applicable, the certificate details will include the revoked date. For third-party CA certificates, any configuration profiles associated with the certificate are also displayed.

  7. (Optional) If you want to export the list of certificates displayed in step 5:

    1. Click Export.

    2. Select a file format for the exported file.

    3. Click Next.

    4. The export begins immediately.

    5. Click Done.

The Built-in CA

No configuration is necessary to use Jamf Pro's built-in CA. The built-in CA is used by default to issue certificates to computers and mobile devices. The CA certificate and signing certificate are created and stored for you automatically. When a device checks in with Jamf Pro, it communicates with the SCEP server to obtain the CA certificate.

Note: If you do not want computers or mobile devices to communicate directly with a SCEP server and you are using the built-in CA, you can enable Jamf Pro as SCEP Proxy to issue device certificates via configuration profiles. For more information, see the Enabling Jamf Pro as SCEP Proxy technical paper.

Downloading the Built-in CA Certificate

The downloaded built-in CA certificate (.pem) can be used to establish trust with other servers or services. For example, you can establish trust for IIS on Windows servers for HTTPS distribution points. For more information, see the Using IIS to Enable HTTPS Downloads on a Windows Server 2016 or 2019 File Share Distribution Point Knowledge Base article.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. Click the Management Certificate Template tab, and then click Built-in CA.

  6. Click Download CA Certificate. The certificate file (.pem) will download.

The certificate issued by the built-in CA is also stored in the System keychain in Keychain Access on Mac computers as "JAMF Software JSS Built-in Certificate Authority".

Revoking a Certificate from the Built-in CA

Warning: Revoking a certificate stops communication between Jamf Pro and the computer or mobile device that the certificate was issued to. To restore the communication, re-enroll the computer or mobile device.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.
    A list of CAs will be displayed with the number of expiring, active, inactive, or all certificates for each CA.

  5. Click a number in the Expiring, Active, Inactive, or All column.
    A list of corresponding certificates will be displayed.

  6. Click a certificate subject to view more details about a specific certificate.

  7. To revoke the certificate, click Revoke.

  8. Click Revoke again to confirm.
    The status of the certificate is changed to "Inactive", and the state is changed to "Revoked".

Note: You can also view a record of revoked certificates in the jamfsoftwareserver.log file. For more information, see Jamf Pro Server Logs in this guide.

Creating a Built-in CA Certificate from a CSR

Depending on your environment, you may need to create a certificate from a certificate signing request (CSR). For example, you may need to do this if you have a clustered environment with Tomcat configured to work behind a load balancer.

Note: The certificate created from the CSR is intended solely for purposes of communication between Jamf Pro and a managed computer or mobile device.

To create a certificate from a CSR, you need a request in Base64-encoded PEM format.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. Click the Management Certificate Template tab, and then click Built-in CA.

  6. Click Create Certificate from CSR.

  7. In the CSR field, paste the CSR.
    The request must begin with
    -----BEGIN CERTIFICATE REQUEST-----
    and end with
    -----END CERTIFICATE REQUEST-----

  8. Select a certificate type.

  9. Click Create.
    The certificate file (.pem) will download immediately.
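Before pasting a request into the CSR field, it is worth confirming that it really is a Base64-encoded PEM request with the framing lines the step above describes, since a request exported by some tools carries the legacy "NEW CERTIFICATE REQUEST" label or a stray byte that breaks the Base64 body. The following Python check is an added example, not Jamf's code: it validates the PEM framing, decodes the body, and checks that the decoded data is one complete DER SEQUENCE (the outer envelope of a CertificationRequest). It does not parse the request's contents. The sample request it builds is a constructed dummy DER payload, not a real CSR.

```python
"""Validate the PEM framing of a CSR before it is pasted into Jamf Pro.

Added example, not Jamf Pro code. Only the PEM envelope and the outer DER
SEQUENCE are checked; the CSR's subject, key and signature are not parsed.
"""
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE REQUEST-----"
END = "-----END CERTIFICATE REQUEST-----"
LEGACY_LABEL = "NEW CERTIFICATE REQUEST"   # label emitted by some older tools
LABEL = "CERTIFICATE REQUEST"


def wrap_pem(der, label=LABEL):
    """Encode DER bytes as PEM with 64-character Base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def relabel_legacy(text):
    """Rewrite a legacy 'NEW CERTIFICATE REQUEST' envelope to the expected label."""
    return text.replace(f"-----BEGIN {LEGACY_LABEL}-----", BEGIN) \
               .replace(f"-----END {LEGACY_LABEL}-----", END)


def der_envelope_ok(der):
    """True when `der` is exactly one DER SEQUENCE whose length matches the data."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 = SEQUENCE tag
        return False
    first = der[1]
    if first < 0x80:                             # short-form length
        header, length = 2, first
    else:                                        # long-form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return len(der) == header + length


def check_pem_csr(text):
    """Return (ok, message, der). `der` is None unless ok is True."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines:
        return False, "empty input", None
    if lines[0] != BEGIN:
        if lines[0] == f"-----BEGIN {LEGACY_LABEL}-----":
            return False, "legacy NEW CERTIFICATE REQUEST label; use relabel_legacy()", None
        return False, f"must begin with {BEGIN}", None
    if lines[-1] != END:
        return False, f"must end with {END}", None
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        return False, "body contains characters that are not Base64", None
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        return False, f"Base64 decode failed: {exc}", None
    if not der_envelope_ok(der):
        return False, "decoded data is not a single complete DER SEQUENCE", None
    return True, "ok", der


# Constructed dummy payload (a SEQUENCE wrapping a 197-byte OCTET STRING), 203 bytes
# in total, chosen so that the long-form DER length path is exercised. Not a real CSR.
SAMPLE_DER = b"\x30\x81\xc8" + b"\x04\x81\xc5" + b"\x00" * 0xC5
SAMPLE_PEM = wrap_pem(SAMPLE_DER)
LEGACY_PEM = wrap_pem(SAMPLE_DER, LEGACY_LABEL)

if __name__ == "__main__":
    for name, pem in (("sample", SAMPLE_PEM), ("legacy", LEGACY_PEM)):
        ok, msg, _ = check_pem_csr(pem)
        print(f"{name}: {'OK' if ok else 'REJECT'} ({msg})")
```

Run it on a real request with `check_pem_csr(open("request.csr").read())`; a request rejected for the legacy label can be passed through `relabel_legacy` first, since only the label differs.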

Creating a Backup of the Built-in CA Certificate

It is recommended that you create a password-protected backup of the CA certificate issued by the built-in CA and store it in a secure location.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. Click the Management Certificate Template tab, and then click Built-in CA.

  6. Click Create CA Backup.

  7. Create and verify a password to secure the backup of the built-in CA certificate.
    You will need to enter this password to restore the certificate backup.

  8. Click Create Backup.
    The backup file (.p12) will download immediately.

Renewing the Built-in CA

When the CA expires, some critical Jamf Pro flows do not work. For example, enrolling computers or mobile devices when the CA is expired prevents them from being managed. It is recommended to renew the built-in CA before the expiration date.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. Click a number in the All column.
    A list of corresponding certificates will be displayed.

  6. Click the certificate with "Certificate Authority" in the subject to view the certificate details.

  7. Click Renew and confirm the renewal.

  8. (Optional) Verify the new expiration date.

  9. Refresh the page. The renewal status is displayed in Jamf Pro Notifications. Additionally, an email with the renewal process status is sent if email notifications are configured for your account.

When the built-in CA is renewed, its expiration date is extended by 10 years. All signing certificates issued by the built-in CA are automatically renewed.

Note: After the built-in certificate authority (CA) renewal succeeds, the MDM profile for computers and mobile devices is automatically queued for renewal. The next time computers and mobile devices check in to Jamf Pro, the MDM profile will be renewed, and the MDM Profile Expiration Date field value in the inventory will show the new expiration date. The device identity certificates will expire in two years. To monitor which MDM profiles are not renewed, you can create a smart computer or mobile device group and set the MDM Profile Renewal Needed search criteria value to "Yes".

Consider the following:

  • Renewing the built-in CA may affect integrations that use the built-in CA itself or certificates created from a CSR that was signed by the CA. These certificates may need to be re-issued.
    The affected integrations may include:

    • HTTPS file share distribution point configuration

    • Signing custom configuration profiles

    • SCCM (System Center Configuration Manager) plug-in

  • When Apple Education Support is enabled in your environment, renewing the built-in CA causes existing EDU profiles to be redistributed. This may increase network traffic.

Important: If the built-in CA renewal fails, do not trigger the process again. If the expiration date is not extended or you notice issues with the renewed CA, e.g., Jamf Pro cannot communicate with managed computers or mobile devices, contact Jamf Support.
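The certificate list exported in Viewing and Exporting Certificates is the quickest way to see how close the built-in CA and the device certificates it issued are to expiring, so that the renewal above happens before the CA expires rather than after enrollment has already broken. The following Python script is an added example, not Jamf's code: it reads a .csv export, flags the CA certificate (the one with "Certificate Authority" in its subject) separately from device certificates, and lists device certificates that are expiring, expired, or revoked. The column headers and the timestamp format are assumptions modelled on the fields the list displays; compare them with the header row of a real export. The sample export embedded in the script is constructed.

```python
"""Triage a Jamf Pro PKI certificate list export for certificates that need attention.

Added example, not Jamf Pro code. The CSV column names and timestamp format are
assumptions modelled on the fields the certificate list displays; adjust COLUMNS
and TIME_FORMAT to match a real export. Timestamps are treated as UTC.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Assumed column headers of the exported list (adjust to match your export).
COLUMNS = {
    "subject": "Subject Name",
    "serial": "Serial Number",
    "ca": "CA Configuration Name",
    "expires": "Expiration Date/Time",
    "status": "Status",
    "state": "State",
}
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"   # assumed export timestamp format

# Constructed sample export: the built-in CA's own certificate plus four device certificates.
SAMPLE_CSV = """\
Subject Name,Serial Number,Device Name,Username,CA Configuration Name,Date/Time Issued,Expiration Date/Time,Status,State
JAMF Software JSS Built-in Certificate Authority,1,,,Built-in CA,2015-06-01 10:00:00,2025-06-01 10:00:00,Active,Expiring
CN=mac-0042,1042,mac-0042,alice,Built-in CA,2023-05-15 09:30:00,2025-05-15 09:30:00,Active,Expiring
CN=ipad-0007,1007,ipad-0007,bob,Built-in CA,2024-01-10 08:00:00,2026-01-10 08:00:00,Active,Issued
CN=iphone-0003,1003,iphone-0003,dave,Built-in CA,2023-04-01 12:00:00,2025-04-01 12:00:00,Active,Expired
CN=mac-0011,1011,mac-0011,carol,Built-in CA,2022-03-01 12:00:00,2024-03-01 12:00:00,Inactive,Revoked
"""


def parse_timestamp(value):
    return datetime.strptime(value, TIME_FORMAT).replace(tzinfo=timezone.utc)


def is_ca_certificate(row):
    # The built-in CA's own certificate carries "Certificate Authority" in its subject.
    return "Certificate Authority" in row[COLUMNS["subject"]]


def triage_export(csv_text, now_text, warn_days=90):
    """Classify every certificate in the export relative to `now_text`.

    Returns a dict with:
      ca                 list of (subject, days_left, renewal_needed) for CA certificates
      ca_renewal_needed  True when any CA certificate expires within warn_days (or already has)
      expiring           serials of non-revoked device certificates expiring within warn_days
      expired            serials of non-revoked device certificates that have already expired
      revoked            serials whose state is Revoked (those devices must be re-enrolled)
    """
    now = parse_timestamp(now_text)
    result = {"ca": [], "ca_renewal_needed": False,
              "expiring": [], "expired": [], "revoked": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Whole days until expiry; negative once the certificate has expired.
        days_left = (parse_timestamp(row[COLUMNS["expires"]]) - now) // timedelta(days=1)
        serial = row[COLUMNS["serial"]]
        if is_ca_certificate(row):
            needs_renewal = days_left <= warn_days
            result["ca"].append((row[COLUMNS["subject"]], days_left, needs_renewal))
            result["ca_renewal_needed"] |= needs_renewal
        elif row[COLUMNS["state"]] == "Revoked":
            result["revoked"].append(serial)
        elif days_left < 0:
            result["expired"].append(serial)
        elif days_left <= warn_days:
            result["expiring"].append(serial)
    return result


def report(result):
    """Render the triage as text, CA first because an expired CA breaks enrollment."""
    lines = []
    for subject, days, needs_renewal in result["ca"]:
        flag = "RENEW NOW" if days <= 0 else ("renew before expiry" if needs_renewal else "ok")
        lines.append(f"CA       {subject}: {days} days left [{flag}]")
    for key in ("expired", "expiring", "revoked"):
        lines.append(f"{key:<8} {len(result[key])} device certificate(s): {', '.join(result[key]) or '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage_export(SAMPLE_CSV, "2025-05-01 00:00:00")))
```

Run it against a real export with `triage_export(open("certificates.csv").read(), now_text)`; revoked certificates are reported on their own because a device whose certificate was revoked has to be re-enrolled regardless of the expiration date.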

Third-Party CAs

You can integrate Jamf Pro with trusted third-party CAs, including DigiCert, Venafi, or Active Directory Certificate Services (AD CS). These integrations allow an organization to have a CA that controls all of the identity certificates across all devices. Using a third-party CA will allow for unified reporting on all certificates for IT teams.

  • DigiCert—DigiCert certificates are managed in Jamf Pro using the DigiCert PKI Platform service. After communication between Jamf Pro and the DigiCert PKI Platform is established, you can deploy certificates to computers or mobile devices. For more information, see the Integrating with DigiCert Using Jamf Pro technical paper.

  • Venafi—Venafi certificates are managed in Jamf Pro using Venafi Trust Protection Platform. After communication between Jamf Pro and Venafi Trust Protection Platform is established, you can deploy certificates to computers or mobile devices. For more information, see the Integrating with Venafi Using Jamf Pro technical paper.

  • AD CS—After communication with the PKI provider is successfully established, you can deploy certificates via configuration profiles using AD CS as the CA. You can also distribute in-house apps developed with the Jamf Certificate SDK to establish identities to support certificate-based authentication to perform Single Sign-On (SSO) or other actions specific to your environment. For more information, see the Integrating with Active Directory Certificate Services (AD CS) Using Jamf Pro technical paper.

External CAs

If you are using an organizational or third-party CA that supports SCEP, you can use it to issue management certificates to computers and mobile devices. When a device checks in with Jamf Pro, the device communicates with the SCEP server to obtain the certificate.

Note: If you do not want computers or mobile devices to communicate directly with a SCEP server and you are using an external CA, you can use Jamf Pro to obtain management certificates from the SCEP server and install them on devices during enrollment. You can also enable Jamf Pro as SCEP Proxy to issue device certificates via configuration profiles. For more information, see the Enabling Jamf Pro as SCEP Proxy technical paper.

Integrating an external CA with Jamf Pro involves the following steps:

  • Specifying SCEP parameters for the external CA

  • Uploading a signing certificate and CA certificate for the external CA

Note: If you need to make changes to your organizational or third-party CA in Jamf Pro, it is recommended that you contact your Jamf account representative. Changes to the PKI settings may require re-enrollment of mobile devices in your environment to restore trusted communication between the Jamf Pro server and mobile devices required for Mobile Device Management (MDM). Preparing for a change to PKI settings for computer management or restoring trusted communication between the Jamf Pro server and managed computers after a change is made to PKI settings in Jamf Pro may be possible using policy features available in Jamf Pro. Policies can be used to update trusted certificate settings on managed computers required for MDM.

Specifying SCEP Parameters for an External CA

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. Click the Management Certificate Template tab, and then click External CA.

  6. Click Edit.

  7. Use the External CA pane to specify SCEP parameters.

  8. Choose the type of challenge password to use from the Challenge Type pop-up menu:

    • Static—If you want all computers and mobile devices to use the same challenge password, choose “Static” and specify a challenge password. The challenge password will be used as the pre-shared secret for automatic enrollment.

    • Dynamic—If you are using a non-Microsoft CA and you want each computer and mobile device to use a unique challenge password, choose “Dynamic”. The Dynamic challenge type requires use of the Classic API and membership in the Jamf Developer Program. The Dynamic challenge uses the "Fingerprint" or "Thumbprint" to authenticate the user instead of a username and password. The Thumbprint hash value for the Fingerprint field in Jamf Pro can be found on the profile you receive. Before selecting this option, contact your Jamf account representative to learn more about the Jamf Developer Program and the additional steps you need to take to use this option.

      Note: The "Dynamic” challenge type requires you to use user-initiated enrollment to enroll computers and mobile devices so that a unique challenge password is used for each device. For more information, see User-Initiated Enrollment for Computers and User-Initiated Enrollment for Mobile Devices.

    • Dynamic-Microsoft CA—If you are using a Microsoft CA and you want each computer and mobile device to use a unique challenge password, choose “Dynamic-Microsoft CA”.

      Note: The “Dynamic-Microsoft CA” challenge type requires you to use user-initiated enrollment to enroll computers and mobile devices so that a unique challenge password is used for each device. For more information, see User-Initiated Enrollment for Computers and User-Initiated Enrollment for Mobile Devices.

    • Dynamic-Entrust—If you are using an Entrust CA, choose "Dynamic-Entrust".

      Note: If you enable Jamf Pro as SCEP Proxy and you are integrating with an Entrust CA, additional steps are needed to distribute certificates via configuration profiles. For more information, see the Enabling Jamf Pro as SCEP Proxy technical paper.

  9. Click Save.

Uploading Signing and CA Certificates for an External CA

To integrate an external CA with Jamf Pro, you must provide the signing and CA certificates for the external CA. This is done by uploading a signing certificate keystore (.jks or .p12) that contains both certificates to Jamf Pro. For information about how to obtain and download a SCEP Proxy signing certificate from a Microsoft CA, see the following Knowledge Base articles:

Note: By default, Jamf Pro uses the signing and CA certificates for the Jamf Pro built-in CA. You must replace these certificates with the ones for the external CA when you initially set up the integration.

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI Certificates.

  5. Click the Management Certificate Template tab, and then click External CA.

  6. At the bottom of the External CA pane, click Change Signing and CA Certificates.

  7. Follow the onscreen instructions to upload the signing and CA certificates for the external CA.

Related Information

For related information, see the following Knowledge Base articles:

© copyright 2002-2020 Jamf. All rights reserved.