Public Key Infrastructure

To ensure secure communication with the Apple Push Notification service (APNs), the JAMF Software Server (JSS) requires a public key infrastructure (PKI) that supports certificate-based authentication. The PKI must include the following components:

  • A certificate authority (CA) that supports Simple Certificate Enrollment Protocol (SCEP)

  • A signing certificate

  • A CA certificate

For more information on the PKI and its components, see Security.

The JSS includes a preconfigured PKI that uses a built-in CA with support for SCEP. There is no configuration necessary to use the built-in CA—the signing and CA certificates are created and stored for you. The built-in CA is used by default to issue certificates to both computers and mobile devices.

You can use the PKI settings in the JSS to perform the following tasks related to the built-in CA:

  • Download the CA certificate.

  • View and revoke certificates issued by the built-in CA.

  • Create a certificate using a Certificate Signing Request (CSR).

  • Create a backup of the CA certificate.

You can also configure your own PKI if you have access to an external CA that supports SCEP. The external CA can be a CA hosted by your organization or by a trusted third-party vendor. If you integrate an external CA with the JSS, this CA will be used to issue certificates to computers and mobile devices.

Downloading the CA Certificate

You can use the PKI settings in the JSS to download the CA certificate issued by the built-in CA.

Note: The CA certificate issued by the built-in CA is also stored in the System keychain in Keychain Access.

  1. Log in to the JSS with a web browser.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI.

  5. On the Built-in CA pane, click Download CA Certificate.

The certificate (.pem) downloads immediately.

Viewing or Revoking Certificates

You can view the following information for a certificate issued by the built-in CA:

  • Serial number

  • Subject name

  • Date/time issued

  • Expiration date/time

  • Status

  • Date/time revoked (if applicable)

You can also revoke a certificate issued by the built-in CA.

Warning: Revoking a certificate stops communication between the JSS and the computer or mobile device that the certificate was issued to. You will need to re-enroll the computer or device to restore communication.

  1. Log in to the JSS with a web browser.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI.

  5. On the Built-in CA pane, click Issued Certificates.
    A list of certificates issued by the built-in CA is displayed.

  6. Click the serial number of the certificate you want to view or revoke.
    Information about the certificate is displayed.

  7. To revoke the certificate, click Revoke.
    The status of the certificate is changed to Revoked.

  8. Click Done twice to return to the Built-in CA pane.

Manually Creating a Certificate from a CSR

Depending on your environment, you may need to manually create a certificate from a certificate signing request (CSR). For example, you may need to do this if you have a clustered environment with Tomcat configured for working behind a load balancer. You can create this certificate using the PKI settings in the JSS.

Note: The certificate created from the CSR is intended solely for communication between the JSS and a managed computer or mobile device.

To create a certificate from a CSR, you need a request in Base64-encoded PEM format.

  1. Log in to the JSS with a web browser.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI.

  5. On the Built-in CA pane, click Create Certificate from CSR.

  6. In the CSR field, paste the CSR.
    The request must begin with
    -----BEGIN CERTIFICATE REQUEST-----
    and end with
    -----END CERTIFICATE REQUEST-----

  7. Click Create.
    The certificate (.pem) is downloaded immediately.

  8. Click Back to return to the Built-in CA pane.
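Before pasting a request in step 6, an offline check of the PEM envelope and the outer DER structure catches the usual copy errors (wrong number of delimiter dashes, a dropped line, a truncated body). This checker is an added example written for this page, not part of the JSS; the sample request it builds is a constructed PKCS#10 skeleton, not a real CSR.

```python
import base64
import binascii

# Exact PEM envelope for a PKCS#10 request (RFC 7468): five dashes on each side.
BEGIN = "-----BEGIN CERTIFICATE REQUEST-----"
END = "-----END CERTIFICATE REQUEST-----"


def _der_len(b: bytes, i: int) -> tuple[int, int]:
    """Decode the DER length at offset i; return (content length, content offset)."""
    if b[i] < 0x80:
        return b[i], i + 1
    n = b[i] & 0x7F
    if n == 0 or n > 4:
        raise ValueError("malformed DER length")
    return int.from_bytes(b[i + 1:i + 1 + n], "big"), i + 1 + n


def check_csr_pem(text: str) -> list[str]:
    """Return the problems found; an empty list means the request is ready to paste."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        return [f"request must begin with {BEGIN} and end with {END}"]
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error:
        return ["body is not valid Base64"]
    try:  # CertificationRequest ::= SEQUENCE { certificationRequestInfo, sigAlg, signature }
        if der[0] != 0x30:
            raise ValueError("outer element is not a SEQUENCE")
        length, off = _der_len(der, 1)
        if off + length != len(der):
            raise ValueError("DER length disagrees with body size (truncated paste?)")
        if der[off] != 0x30:  # certificationRequestInfo ::= SEQUENCE { version INTEGER, ... }
            raise ValueError("certificationRequestInfo is not a SEQUENCE")
        _, info = _der_len(der, off + 1)
        if der[info:info + 3] != b"\x02\x01\x00":
            raise ValueError("PKCS#10 version must be 0")
    except (ValueError, IndexError) as exc:
        return [f"malformed DER: {exc}"]
    return []


def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag, len(content)]) + content  # short-form length is enough for the sample

# Constructed PKCS#10 skeleton (version 0, empty subject/SubjectPublicKeyInfo/attributes,
# sha256WithRSAEncryption OID, empty signature): a stand-in to exercise the checker, not a real CSR.
_INFO = _der(0x30, b"\x02\x01\x00" + _der(0x30, b"") + _der(0x30, b"") + _der(0xA0, b""))
_ALG = _der(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b\x05\x00")
SAMPLE_CSR = "\n".join([BEGIN, base64.b64encode(_der(0x30, _INFO + _ALG + b"\x03\x01\x00")).decode(), END])
```

Run `check_csr_pem` on the text you are about to paste; a real CSR from openssl or a device passes the same checks, since only the envelope and the outer structure are inspected.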

Creating a Backup of the CA Certificate

It is recommended that you create a password-protected backup of the CA certificate issued by the built-in CA and store it in a secure location.

  1. Log in to the JSS with a web browser.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI.

  5. On the Built-in CA pane, click Create CA Backup.

  6. Create and verify a password to secure the backup CA certificate.
    You will need to enter this password to restore the certificate backup.

  7. Click Create Backup.
    The backup file (.p12) is downloaded immediately.

  8. Click Back to return to the Built-in CA pane.

Integrating with an External CA

If you are using an organizational or third-party CA that supports SCEP, you can use it to issue management certificates to computers and mobile devices.

Integrating an external CA with the JSS involves the following steps:

  • Specify SCEP parameters for the external CA.

  • Upload a signing certificate and CA certificate for the external CA.

Note: If you need to make changes to your organizational or third-party CA in the JSS, it is recommended that you contact JAMF Software Support. Changes to the PKI could require re-enrolling the mobile devices in your environment.

Specifying SCEP Parameters for an External CA

  1. Log in to the JSS with a web browser.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI.

  5. Click the External CA tab.

  6. Click Edit.

  7. Select the Use External Certificate Authority checkbox.

  8. Use the External CA pane to specify SCEP parameters.

  9. Choose the type of challenge password to use from the Challenge Type pop-up menu:

    • If you want all computers and mobile devices to use the same challenge password, choose “Static” and specify a challenge password.
      The challenge password will be used as the pre-shared secret for automatic enrollment.

    • If you are using a non-Microsoft CA and you want each computer and mobile device to use a unique challenge password, choose “Dynamic”.
      The Dynamic challenge type requires use of the JSS API and membership in the JAMF Software Developer Program. Before selecting this option, contact your Technical Account Manager to learn more about the JAMF Software Developer Program and the additional steps you need to take to use this option.

    • If you are using a Microsoft CA and you want each computer and mobile device to use a unique challenge password, choose “Dynamic-Microsoft CA”.

    Note: If you choose the “Dynamic” or “Dynamic-Microsoft CA” challenge type, you must use user-initiated enrollment to enroll computers and mobile devices so that a unique challenge password is used for each device. For more information, see User-Initiated Enrollment for Computers and User-Initiated Enrollment for Mobile Devices.

  10. Click Save.

Uploading Signing and CA Certificates for an External CA

To integrate an external CA with the JSS, you need to provide the signing and CA certificates for the external CA. This is done by uploading a signing certificate keystore (.jks or .p12) to the JSS that contains both certificates.

Note: By default, the JSS uses the signing and CA certificates for the JSS’s built-in CA. You must replace these certificates with the ones for the external CA when you initially set up the integration.

An assistant guides you through the process of uploading the keystore that contains the signing and CA certificates.

  1. Log in to the JSS with a web browser.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click PKI.

  5. Click the External CA tab.

  6. At the bottom of the External CA pane, click Change Signing and CA Certificates.

  7. Follow the onscreen instructions to upload the signing and CA certificates for the external CA.

Related Information

For related information, see the following section in this guide:

Push Certificates
Learn how to create a push certificate and upload it to the JSS so the JSS can communicate with Apple Push Notification service (APNs).

For related information, see the following Knowledge Base articles:

© copyright 2002-2016 Jamf. All rights reserved.